From 8332cb35bea19241a54c6d74f54c136a7dc07369 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 6 Mar 2024 20:57:31 +0000 Subject: [PATCH 01/36] configure pwm --- .../delius-core/locals_development.tf | 2 +- .../{password_reset_service.tf => pwm.tf} | 10 +++--- .../templates/PwmConfiguration.xml.tpl | 34 +++++++++++++------ 3 files changed, 30 insertions(+), 16 deletions(-) rename terraform/environments/delius-core/modules/delius_environment/{password_reset_service.tf => pwm.tf} (90%) diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 105ddb2ebd1..2ca67ffca65 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf @@ -122,7 +122,7 @@ locals { } pwm = { - image_tag = "5.7.6" + image_tag = "8178533157-1" container_port = 8080 } diff --git a/terraform/environments/delius-core/modules/delius_environment/password_reset_service.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf similarity index 90% rename from terraform/environments/delius-core/modules/delius_environment/password_reset_service.tf rename to terraform/environments/delius-core/modules/delius_environment/pwm.tf index e667be2c1f8..0ea8e07b493 100644 --- a/terraform/environments/delius-core/modules/delius_environment/password_reset_service.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -1,7 +1,7 @@ -module "password_reset_service" { +module "pwm" { source = "../helpers/delius_microservice" - name = "password-reset" + name = "password-manager" certificate_arn = local.certificate_arn alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id env_name = var.env_name 
@@ -40,10 +40,12 @@ module "password_reset_service" { microservice_lb = aws_lb.delius_core_ancillary microservice_lb_https_listener_arn = aws_lb_listener.ancillary_https.arn - #TODO - check the path based routing based on shared ALB or dedicated + alb_listener_rule_host_header = "pwm.${var.env_name}.${var.account_config.dns_suffix}" + platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management-ecr-repo:${var.delius_microservice_configs.pwm.image_tag}" + + container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-manager:${var.delius_microservice_configs.pwm.image_tag}" account_config = var.account_config #TODO check the health end-point health_check_path = "/pwm/actuator/health" diff --git a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl index d423e955ab8..f132c4d268b 100644 --- a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl +++ b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl @@ -1,5 +1,5 @@ - + @@ -18,9 +18,13 @@ $${SECURITY_KEY} + + + security.http.permittedUrlPathCharacters=^[a-zA-Z0-9-_=\\s]*$ + - + @@ -32,19 +36,19 @@ - + - + - $${LDAP_PASSWORD} + ${ldap_password} - + @@ -52,11 +56,11 @@ - + - {"ldapBase":"${user_base}","ldapQuery":"(pwmAdmin=TRUE)","type":"ldapQuery"} + {"ldapBase":"ou=Users,dc=moj,dc=com","ldapQuery":"(pwmAdmin=TRUE)","type":"ldapQuery"} @@ -68,7 +72,7 @@ - + @@ -141,11 +145,11 @@ - + - + @@ -163,5 +167,13 @@ + + + + + + + + From b7796ba39f20d792da9aa4bcbcf915c1688f958f Mon Sep 17 00:00:00 2001 
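Review bot: The `@@ -32,19 +36,19 @@` hunk of PwmConfiguration.xml.tpl changes the LDAP proxy password from the runtime reference `$${LDAP_PASSWORD}` to the templatefile variable `${ldap_password}`, but the templatefile call in patch 02's `@@ -55,12 +55,10 @@` hunk passes no `ldap_password`, so rendering fails at plan time. Even with the variable supplied, the bind password would be baked into the base64-encoded `CONFIG_XML_BASE64` environment variable and the task definition instead of being injected from the `LDAP_PASSWORD` secret when the container starts. Patch 03 restores `$${LDAP_PASSWORD}`; this intermediate state should not exist as a standalone commit in the series.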
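Review bot: The admin query in the `@@ -52,11 +56,11 @@` hunk hard-codes `"ldapBase":"ou=Users,dc=moj,dc=com"` in place of the templated `${user_base}`, so every environment rendered from this template scopes PWM administrators to that fixed subtree whatever `ldap_host_url` points at. The neighbouring settings (`ldap_user`, the site URL) stay parameterised, and patch 02 deletes `user_base = "REPLACE"` from the templatefile call rather than supplying a value, so nothing now ties the admin base DN to the environment's directory. Keep `${user_base}` and pass the base DN from the ldap module (`user_base = <base DN output of module.ldap>`, placeholder). Element names in this template appear stripped in this rendering, so the setting key is inferred from the surviving JSON value.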
From: George Taylor Date: Wed, 6 Mar 2024 22:11:02 +0000 Subject: [PATCH 02/36] setup ses --- .../modules/delius_environment/pwm.tf | 42 +++++++++++++++---- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 0ea8e07b493..8c4bc85a858 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -42,11 +42,11 @@ module "pwm" { alb_listener_rule_host_header = "pwm.${var.env_name}.${var.account_config.dns_suffix}" - - platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-manager:${var.delius_microservice_configs.pwm.image_tag}" - account_config = var.account_config + platform_vars = var.platform_vars + + container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-manager:${var.delius_microservice_configs.pwm.image_tag}" + account_config = var.account_config #TODO check the health end-point health_check_path = "/pwm/actuator/health" account_info = var.account_info 
@@ -55,12 +55,10 @@ module "pwm" { { name = "CONFIG_XML_BASE64" value = base64encode(templatefile("${path.module}/templates/PwmConfiguration.xml.tpl", { - region = var.account_info["region"] - ldap_url = "ldap://${module.ldap.nlb_dns_name}:${var.ldap_config.port}" - ldap_user = module.ldap.delius_core_ldap_principal_arn - user_base = "REPLACE" + ldap_host_url = "ldap://${module.ldap.nlb_dns_name}:${var.ldap_config.port}" + ldap_user = module.ldap.delius_core_ldap_principal_arn # site_url = "https://${aws_route53_record.public_dns.fqdn}" - site_url = "REPLACE" + site_url = "pwm.${var.env_name}.${var.account_config.dns_suffix}" # email_smtp_address = "smtp.${data.terraform_remote_state.vpc.outputs.private_zone_name}" email_smtp_address = "REPLACE" # email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}" @@ -74,3 +72,29 @@ module "pwm" { aws.core-vpc = aws.core-vpc } } + + +############# +# SES +#############" + +resource "aws_ses_domain_identity" "pwm" { + domain = "pwm.${var.env_name}.${var.account_config.dns_suffix}" +} + +resource "aws_ses_domain_identity_verification" "pwm" { + domain = "pwm.${var.env_name}.${var.account_config.dns_suffix}" +} + +resource "aws_route53_record" "pwm_ses_verification_record" { + zone_id = var.account_config.route53_external_zone.zone_id + name = "_amazonses.${aws_ses_domain_identity.example.id}" + type = "TXT" + ttl = "600" + records = [aws_ses_domain_identity.pwm.verification_token] +} + +resource "aws_ses_domain_identity_verification" "pwm_ses_verification" { + domain = aws_ses_domain_identity.pwm.id + depends_on = [aws_route53_record.pwm_ses_verification_record] +} \ No newline at end of file From f9d1b31c7b56b1b7ff2107f20266454550de2078 Mon Sep 17 00:00:00 2001 
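Review bot: `site_url` in the `@@ -55,12 +55,10 @@` hunk is set to the bare host `pwm.${var.env_name}.${var.account_config.dns_suffix}`, whereas the commented-out line above it produced a full `https://` URL. If the template feeds this into PWM's site URL setting, a scheme-less value is likely to be rejected or to generate plain-http links in e-mails; `site_url = "https://pwm.${var.env_name}.${var.account_config.dns_suffix}"` matches the commented intent. The same bare value is carried through patch 03's rename to `pwm_url`.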
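Review bot: The SES block in the `@@ -74,3 +72,29 @@` hunk declares two `aws_ses_domain_identity_verification` resources for the same domain, and the first one (`"pwm"`) has no dependency on `aws_route53_record.pwm_ses_verification_record`, so Terraform will start polling for verification before the `_amazonses` TXT record exists and the apply can hang until the provider's timeout. Drop the first resource and keep `"pwm_ses_verification"`, whose `depends_on` orders it after the record. In the same hunk the record name refers to `aws_ses_domain_identity.example.id`, which is not declared here (patch 03 corrects it to `.pwm.id`), and the section banner `#############"` carries a stray quote.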
From: George Taylor Date: Wed, 6 Mar 2024 22:30:11 +0000 Subject: [PATCH 03/36] image + config --- .../environments/delius-core/locals_development.tf | 2 +- .../delius-core/modules/delius_environment/pwm.tf | 10 +++------- .../templates/PwmConfiguration.xml.tpl | 2 +- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 2ca67ffca65..fb06134fd69 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf @@ -122,7 +122,7 @@ locals { } pwm = { - image_tag = "8178533157-1" + image_tag = "8179630699-1" container_port = 8080 } diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 8c4bc85a858..72c45890d88 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -17,17 +17,14 @@ module "pwm" { { name = "SECURITY_KEY" valueFrom = "REPLACE" - # "/${var.environment_name}/${var.project_name}/pwm/pwm/security_key" }, { name = "CONFIG_PASSWORD" valueFrom = aws_ssm_parameter.delius_core_pwm_config_password.arn - #value = "/${var.environment_name}/${var.project_name}/pwm/pwm/config_password" }, { name = "LDAP_PASSWORD" - valueFrom = module.ldap.delius_core_ldap_bind_password_arn - #value = "/${var.environment_name}/${var.project_name}/apacheds/apacheds/ldap_admin_password" + valueFrom = aws_ssm_parameter.ldap_admin_password.arn } ] db_ingress_security_groups = [] 
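Review bot: The `LDAP_PASSWORD` secret in the `@@ -17,17 +17,14 @@` hunk now resolves to `aws_ssm_parameter.ldap_admin_password.arn` instead of the ldap module's `delius_core_ldap_bind_password_arn`, while the template still binds as `ldap_user = module.ldap.delius_core_ldap_principal_arn` (visible in patch 02's template-variable hunk). If that principal and the admin password are not the same account the bind fails; if the intent is to bind as the directory administrator, the password-manager container then holds credentials with full write over the directory rather than a bind account limited to the attributes it resets. Keep the dedicated bind principal/password pair exposed by the ldap module, or add a comment stating why admin rights are required here.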
@@ -57,8 +54,7 @@ module "pwm" { value = base64encode(templatefile("${path.module}/templates/PwmConfiguration.xml.tpl", { ldap_host_url = "ldap://${module.ldap.nlb_dns_name}:${var.ldap_config.port}" ldap_user = module.ldap.delius_core_ldap_principal_arn - # site_url = "https://${aws_route53_record.public_dns.fqdn}" - site_url = "pwm.${var.env_name}.${var.account_config.dns_suffix}" + pwm_url = "pwm.${var.env_name}.${var.account_config.dns_suffix}" # email_smtp_address = "smtp.${data.terraform_remote_state.vpc.outputs.private_zone_name}" email_smtp_address = "REPLACE" # email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}" @@ -88,7 +84,7 @@ resource "aws_ses_domain_identity_verification" "pwm" { resource "aws_route53_record" "pwm_ses_verification_record" { zone_id = var.account_config.route53_external_zone.zone_id - name = "_amazonses.${aws_ses_domain_identity.example.id}" + name = "_amazonses.${aws_ses_domain_identity.pwm.id}" type = "TXT" ttl = "600" records = [aws_ses_domain_identity.pwm.verification_token] diff --git a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl index f132c4d268b..02908a29979 100644 --- a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl +++ b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl @@ -44,7 +44,7 @@ - ${ldap_password} + $${LDAP_PASSWORD} From fb312a48027ab44786dda20f20c1b44c3bdc9775 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 6 Mar 2024 22:34:59 +0000 Subject: [PATCH 04/36] Update pwm.tf --- .../delius-core/modules/delius_environment/pwm.tf | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf
index 72c45890d88..830ad06016c 100644
--- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf
@@ -83,11 +83,12 @@ resource "aws_ses_domain_identity_verification" "pwm" {
 }
 resource "aws_route53_record" "pwm_ses_verification_record" {
- zone_id = var.account_config.route53_external_zone.zone_id
- name = "_amazonses.${aws_ses_domain_identity.pwm.id}"
- type = "TXT"
- ttl = "600"
- records = [aws_ses_domain_identity.pwm.verification_token]
+ provider = aws.core-vpc
+ zone_id = var.account_config.route53_external_zone.zone_id
+ name = "_amazonses.${aws_ses_domain_identity.pwm.id}"
+ type = "TXT"
+ ttl = "600"
+ records = [aws_ses_domain_identity.pwm.verification_token]
 }
 resource "aws_ses_domain_identity_verification" "pwm_ses_verification" {
From 4cafce17b06f8e83d96446c09d7d4b4beaebfd00 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 6 Mar 2024 22:47:54 +0000
Subject: [PATCH 05/36] add dkim records
---
 .../delius-core/modules/delius_environment/pwm.tf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf
index 830ad06016c..4b5a1b5fc35 100644
--- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf
@@ -94,4 +94,18 @@ resource "aws_route53_record" "pwm_ses_verification_record" { resource "aws_ses_domain_identity_verification" "pwm_ses_verification" { domain = aws_ses_domain_identity.pwm.id depends_on = [aws_route53_record.pwm_ses_verification_record] +} + + +resource "aws_ses_domain_dkim" "pwm" { + domain = aws_ses_domain_identity.pwm.domain +} + +resource "aws_route53_record" "pwm_amazonses_dkim_record" { + count = 3 + zone_id = var.account_config.route53_external_zone.zone_id + name = "${aws_ses_domain_dkim.example.pwm[count.index]}._domainkey" + type = "CNAME" + ttl = "600" + records = ["${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}.dkim.amazonses.com"] } \ No newline at end of file From 8dbe607c2f88f8e5293096796254d12151b9c56a Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 6 Mar 2024 22:49:51 +0000 Subject: [PATCH 06/36] Update pwm.tf --- .../delius-core/modules/delius_environment/pwm.tf | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 4b5a1b5fc35..e6c16fee0b9 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf 
@@ -102,10 +102,11 @@ resource "aws_ses_domain_dkim" "pwm" {
 }
 resource "aws_route53_record" "pwm_amazonses_dkim_record" {
- count = 3
- zone_id = var.account_config.route53_external_zone.zone_id
- name = "${aws_ses_domain_dkim.example.pwm[count.index]}._domainkey"
- type = "CNAME"
- ttl = "600"
- records = ["${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}.dkim.amazonses.com"]
+ provider = aws.core-vpc
+ count = 3
+ zone_id = var.account_config.route53_external_zone.zone_id
+ name = "${aws_ses_domain_dkim.example.pwm[count.index]}._domainkey"
+ type = "CNAME"
+ ttl = "600"
+ records = ["${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}.dkim.amazonses.com"]
 }
\ No newline at end of file
From 8322561f0779f3c94c2c979bc86979dd3f3e79a1 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 6 Mar 2024 22:51:28 +0000
Subject: [PATCH 07/36] Update pwm.tf
---
 .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf
index e6c16fee0b9..9160dd7de24 100644
--- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf
@@ -105,7 +105,7 @@ resource "aws_route53_record" "pwm_amazonses_dkim_record" {
 provider = aws.core-vpc
 count = 3
 zone_id = var.account_config.route53_external_zone.zone_id
- name = "${aws_ses_domain_dkim.example.pwm[count.index]}._domainkey"
+ name = "${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}._domainkey"
 type = "CNAME"
 ttl = "600"
 records = ["${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}.dkim.amazonses.com"]
From 09afdcbbbf029120251f40d73628ae886f3347e9 Mon Sep 17 00:00:00 2001
From: George Taylor Date: Wed, 6 Mar 2024 23:05:58 +0000 Subject: [PATCH 08/36] Update pwm.tf --- .../delius-core/modules/delius_environment/pwm.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 9160dd7de24..5afcd25a91b 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -14,10 +14,6 @@ module "pwm" { ecs_cluster_arn = module.ecs.ecs_cluster_arn container_secrets = [ - { - name = "SECURITY_KEY" - valueFrom = "REPLACE" - }, { name = "CONFIG_PASSWORD" valueFrom = aws_ssm_parameter.delius_core_pwm_config_password.arn @@ -60,6 +56,10 @@ module "pwm" { # email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}" email_from_address = "REPLACE" })) + }, + { + name = "SECURITY_KEY" + value = "REPLACE" } ] From e58367b360d47fccaf3c0c7ec6861a98f01f5098 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 6 Mar 2024 23:15:58 +0000 Subject: [PATCH 09/36] Update pwm.tf --- .../delius-core/modules/delius_environment/pwm.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 5afcd25a91b..6e010fd3e3f 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -1,7 +1,7 @@ module "pwm" { source = "../helpers/delius_microservice" - name = "password-manager" + name = "password-management" certificate_arn = local.certificate_arn alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id env_name = var.env_name 
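Review bot: The second hunk (`@@ -60,6 +56,10 @@`) moves `SECURITY_KEY` out of `container_secrets` into the list that carries `CONFIG_XML_BASE64` with a plain `value = "REPLACE"`, so once a real key replaces the placeholder it will sit in clear text in the ECS task definition (readable by anyone with `ecs:DescribeTaskDefinition`) and in Terraform state. Keep it in `container_secrets` next to `CONFIG_PASSWORD` as `valueFrom = <ARN of a SecureString parameter holding the key>` (placeholder) so ECS injects it at task start. If the move was made because the helper module only forwards `value` entries to the container, that is the place to fix rather than downgrading the key to an environment variable.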
@@ -38,7 +38,7 @@ module "pwm" { platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-manager:${var.delius_microservice_configs.pwm.image_tag}" + container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}" account_config = var.account_config #TODO check the health end-point health_check_path = "/pwm/actuator/health" From 454244847a872044795d822ee9a140f8a8b33dab Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 6 Mar 2024 23:18:09 +0000 Subject: [PATCH 10/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 6e010fd3e3f..e7c2e8c2a94 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -1,7 +1,7 @@ module "pwm" { source = "../helpers/delius_microservice" - name = "password-management" + name = "pwm" certificate_arn = local.certificate_arn alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id env_name = var.env_name From 55789290daaa507f553a5eb4184a80d69d8e17ba Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 6 Mar 2024 23:28:12 +0000 Subject: [PATCH 11/36] task def --- .../modules/delius_environment/pwm.tf | 3 +++ .../modules/helpers/delius_microservice/ecs.tf | 6 +++--- .../helpers/delius_microservice/variables.tf | 18 ++++++++++++++++++ 3 files changed, 24 insertions(+), 3 deletions(-) 
diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index e7c2e8c2a94..691d957f577 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -63,6 +63,9 @@ module "pwm" { } ] + ignore_changes_task_definition = false + redeploy_on_apply = true + providers = { aws = aws aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf index 728d1db5916..a08ae3eec8d 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf @@ -70,7 +70,7 @@ module "ecs_service" { exec_enabled = true - ignore_changes_task_definition = true # task definition managed by Delius App team - redeploy_on_apply = false - force_new_deployment = false + ignore_changes_task_definition = var.ignore_changes_task_definition # task definition managed by Delius App team + redeploy_on_apply = var.redeploy_on_apply + force_new_deployment = var.force_new_deployment } diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf index aedeb198c40..d3c68676af1 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf 
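Review bot: The comment `# task definition managed by Delius App team` on the `ignore_changes_task_definition` line of the ecs.tf hunk now annotates a variable-driven value that pwm.tf overrides to `false` in the first hunk, so it no longer describes what the line does. Reword it to `# default true: task definition managed by Delius App team; services may override` or move the explanation into the `ignore_changes_task_definition` variable description in variables.tf. `module "ecs_service"` begins and ends outside the hunk.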
@@ -442,4 +442,22 @@ variable "deployment_maximum_percent" { type = number description = "The upper limit of the number of tasks (as a percentage of `desired_count`) that can be running in a service during a deployment" default = 100 +} + +variable "ignore_changes_task_definition" { + description = "Ignore changes to the task definition" + type = bool + default = true +} + +variable "redeploy_on_apply" { + description = "Redeploy the ecs service on apply" + type = bool + default = false +} + +variable "force_new_deployment" { + description = "Force a new deployment" + type = bool + default = false } \ No newline at end of file From 0ef14915b4afe817f3154e325e1d3b98b4412dbf Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 6 Mar 2024 23:43:53 +0000 Subject: [PATCH 12/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 691d957f577..7526994068d 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -64,7 +64,6 @@ module "pwm" { ] ignore_changes_task_definition = false - redeploy_on_apply = true providers = { aws = aws From d2a2d74bd317dced18e44cb4398dd871fa29da4c Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 00:16:14 +0000 Subject: [PATCH 13/36] sg --- .../modules/delius_environment/alb_ancillary.tf | 7 +++++++ .../delius-core/modules/delius_environment/pwm.tf | 15 +++++++++------ 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf b/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf index c07e914b34c..91fef521c00 100644 
--- a/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf +++ b/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf @@ -28,6 +28,13 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_globa cidr_ipv4 = each.key # Global Protect VPN } +resource "aws_vpc_security_group_egress_rule" "ancillary_alb_egress_private" { + security_group_id = aws_security_group.ancillary_alb_security_group.id + description = "Access into alb over http (will redirect)" + ip_protocol = "-1" + cidr_ipv4 = var.account_config.shared_vpc_cidr +} + # tfsec:ignore:aws-elb-alb-not-public resource "aws_lb" "delius_core_ancillary" { # checkov:skip=CKV_AWS_91 diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 7526994068d..3b2777b4b0e 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -3,7 +3,7 @@ module "pwm" { name = "pwm" certificate_arn = local.certificate_arn - alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id + alb_security_group_id = aws_security_group.ancillary_alb_security_group.id env_name = var.env_name container_port_config = [ { 
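Review bot: The new `aws_vpc_security_group_egress_rule.ancillary_alb_egress_private` in the alb_ancillary.tf hunk carries the description `"Access into alb over http (will redirect)"`, copied from the ingress rule above it, while the rule itself opens all protocols (`ip_protocol = "-1"`) from the ALB to the whole `shared_vpc_cidr`. An ALB only needs to reach its targets' listening ports; `ip_protocol = "tcp"` with `from_port`/`to_port` covering the container port range, and a description such as `"Egress from ancillary ALB to ECS targets in the shared VPC"`, keeps the rule minimal and readable. The pwm.tf hunk on the same line moves the service behind `ancillary_alb_security_group`, which is what this egress rule serves.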
@@ -38,11 +38,14 @@ module "pwm" { platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}" - account_config = var.account_config - #TODO check the health end-point - health_check_path = "/pwm/actuator/health" - account_info = var.account_info + container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}" + account_config = var.account_config + health_check_path = "/" + health_check_interval = "30" + account_info = var.account_info + + deployment_maximum_percent = 200 + deployment_minimum_healthy_percent = 100 container_environment_vars = [ { From a215a1253293150d79ea14123e386cf71b510cad Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 00:34:16 +0000 Subject: [PATCH 14/36] Update PwmConfiguration.xml.tpl --- .../delius_environment/templates/PwmConfiguration.xml.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl index 02908a29979..0f308fcb3f6 100644 --- a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl +++ b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl @@ -145,11 +145,11 @@ - + - + From 8e6db6619aee2c1d6a4b75145855fc2bee6925d5 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 01:10:38 +0000 Subject: [PATCH 15/36] create smtp creds user --- .../modules/delius_environment/pwm.tf | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) 
diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 3b2777b4b0e..93fb243b129 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -114,4 +114,46 @@ resource "aws_route53_record" "pwm_amazonses_dkim_record" { type = "CNAME" ttl = "600" records = ["${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}.dkim.amazonses.com"] +} + +###################### +# SES SMTP User +###################### + +resource "aws_iam_user" "pwm_ses_smtp_user" { + name = "pwm-smtp-user" +} + +resource "aws_iam_access_key" "pwm_ses_smtp_user" { + user = aws_iam_user.pwm_ses_smtp_user.name +} + +resource "aws_iam_user_policy" "pwm_ses_smtp_user" { + name = "pwm-ses-smtp-user-policy" + user = aws_iam_user.pwm_ses_smtp_user.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "ses:SendRawEmail", + "ses:SendEmail" + ], + Resource = "*" + } + ] + }) +} + +resource "aws_ssm_parameter" "pwm_ses_smtp_user" { + name = "/pwm/ses_smtp" + type = "SecureString" + value = jsonencode({ + user = aws_iam_user.pwm_ses_smtp_user.name, + key = aws_iam_access_key.pwm_ses_smtp_user.id, + secret = aws_iam_access_key.pwm_ses_smtp_user.secret + ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4 + }) } \ No newline at end of file From 44fc66e1ed04aadab5694ecf8001c5f543ad601b Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 14:27:11 +0000 Subject: [PATCH 16/36] justice relay --- .../modules/delius_environment/pwm.tf | 78 +++++++++---------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 93fb243b129..9f93c53df9a 100644 
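Review bot: `aws_iam_user_policy.pwm_ses_smtp_user` in this hunk grants `ses:SendEmail`/`ses:SendRawEmail` on `Resource = "*"`, and the long-lived access key created for the user, together with `ses_smtp_password_v4`, is written into `aws_ssm_parameter.pwm_ses_smtp_user` and therefore also into Terraform state. If this path is kept, scope the statement to the verified identity (`Resource = aws_ses_domain_identity.pwm.arn`) and add a `ses:FromAddress` condition, and plan for key rotation rather than a permanent credential. Patch 16 comments the whole block out instead of deleting it; credential-issuing code that is not in use should be removed from the file (git retains the history) so it is not resurrected with the wildcard policy intact.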
--- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -55,9 +55,9 @@ module "pwm" { ldap_user = module.ldap.delius_core_ldap_principal_arn pwm_url = "pwm.${var.env_name}.${var.account_config.dns_suffix}" # email_smtp_address = "smtp.${data.terraform_remote_state.vpc.outputs.private_zone_name}" - email_smtp_address = "REPLACE" + email_smtp_address = "production-smtp-relay-70e032e2738d0a27.elb.eu-west-2.amazonaws.com" # email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}" - email_from_address = "REPLACE" + email_from_address = "no-reply@pwm.${var.env_name}.${var.account_config.dns_suffix}" })) }, { 
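Review bot: `email_smtp_address` in the `@@ -55,9 +55,9 @@` hunk hard-codes a production relay endpoint (`production-smtp-relay-…elb.eu-west-2.amazonaws.com`) inside a module that is instantiated for every environment, so non-production deployments will relay mail through the production service and any change to that endpoint becomes a code change here. Supply it per environment, e.g. `email_smtp_address = var.delius_microservice_configs.pwm.smtp_relay_address` (constructed name; use whatever the environment config exposes), and either reinstate or drop the commented `data.terraform_remote_state` line above it. Whether the connection to the relay is TLS-protected is not visible in this hunk and is worth confirming in the template's SMTP settings.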
@@ -120,40 +120,40 @@ resource "aws_route53_record" "pwm_amazonses_dkim_record" { # SES SMTP User ###################### -resource "aws_iam_user" "pwm_ses_smtp_user" { - name = "pwm-smtp-user" -} - -resource "aws_iam_access_key" "pwm_ses_smtp_user" { - user = aws_iam_user.pwm_ses_smtp_user.name -} - -resource "aws_iam_user_policy" "pwm_ses_smtp_user" { - name = "pwm-ses-smtp-user-policy" - user = aws_iam_user.pwm_ses_smtp_user.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = [ - "ses:SendRawEmail", - "ses:SendEmail" - ], - Resource = "*" - } - ] - }) -} - -resource "aws_ssm_parameter" "pwm_ses_smtp_user" { - name = "/pwm/ses_smtp" - type = "SecureString" - value = jsonencode({ - user = aws_iam_user.pwm_ses_smtp_user.name, - key = aws_iam_access_key.pwm_ses_smtp_user.id, - secret = aws_iam_access_key.pwm_ses_smtp_user.secret - ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4 - }) -} \ No newline at end of file +# resource "aws_iam_user" "pwm_ses_smtp_user" { +# name = "pwm-smtp-user" +# } +# +# resource "aws_iam_access_key" "pwm_ses_smtp_user" { +# user = aws_iam_user.pwm_ses_smtp_user.name +# } +# +# resource "aws_iam_user_policy" "pwm_ses_smtp_user" { +# name = "pwm-ses-smtp-user-policy" +# user = aws_iam_user.pwm_ses_smtp_user.name +# +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = [ +# "ses:SendRawEmail", +# "ses:SendEmail" +# ], +# Resource = "*" +# } +# ] +# }) +# } + +# resource "aws_ssm_parameter" "pwm_ses_smtp_user" { +# name = "/pwm/ses_smtp" +# type = "SecureString" +# value = jsonencode({ +# user = aws_iam_user.pwm_ses_smtp_user.name, +# key = aws_iam_access_key.pwm_ses_smtp_user.id, +# secret = aws_iam_access_key.pwm_ses_smtp_user.secret +# ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4 +# }) +# } \ No newline at end of file 
From 4675edb869b5489df5d34f664aedb294c9ce07bb Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 14:33:32 +0000 Subject: [PATCH 17/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 9f93c53df9a..0c5d74a80aa 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -67,6 +67,7 @@ module "pwm" { ] ignore_changes_task_definition = false + force_new_deployment = true providers = { aws = aws From e7fd2d355ad060593ebbf52e99e61be83548286d Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 14:43:38 +0000 Subject: [PATCH 18/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 0c5d74a80aa..9f93c53df9a 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -67,7 +67,6 @@ module "pwm" { ] ignore_changes_task_definition = false - force_new_deployment = true providers = { aws = aws From 8995a1aadcdde17f9bc4fe693319bce532b4a2c0 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 14:46:55 +0000 Subject: [PATCH 19/36] Update load_balancing.tf --- .../modules/helpers/delius_microservice/load_balancing.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf index bf3a511d1a6..6a746b191c1 100644 
--- a/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf @@ -149,7 +149,7 @@ resource "aws_route53_record" "services_nlb_r53_record" { provider = aws.core-vpc zone_id = var.account_config.route53_inner_zone_info.zone_id name = "${var.name}.service.${var.env_name}.${var.account_config.dns_suffix}" - type = "CNAME" + type = "A" alias { evaluate_target_health = false name = aws_lb.delius_microservices.dns_name From a931ebd0f546f5606ad642ee82dfb10bd866e8cf Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 15:19:27 +0000 Subject: [PATCH 20/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 9f93c53df9a..96e061cb865 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -66,8 +66,6 @@ module "pwm" { } ] - ignore_changes_task_definition = false - providers = { aws = aws aws.core-vpc = aws.core-vpc From 1cea24a151f6eb151b33f28fd85ff8489915bf9b Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 15:47:41 +0000 Subject: [PATCH 21/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 96e061cb865..e243001a902 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf 
@@ -57,7 +57,7 @@ module "pwm" { # email_smtp_address = "smtp.${data.terraform_remote_state.vpc.outputs.private_zone_name}" email_smtp_address = "production-smtp-relay-70e032e2738d0a27.elb.eu-west-2.amazonaws.com" # email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}" - email_from_address = "no-reply@pwm.${var.env_name}.${var.account_config.dns_suffix}" + email_from_address = "noreply-ndelius-pwm-${var.env_name}@digital.justice.gov.uk" })) }, { From 23d30c8edc8be8fdd3e9eb888589c679bd105974 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 15:48:31 +0000 Subject: [PATCH 22/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index e243001a902..3bd9fe521e6 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -1,7 +1,7 @@ module "pwm" { source = "../helpers/delius_microservice" - name = "pwm" + name = "pwd-manager" certificate_arn = local.certificate_arn alb_security_group_id = aws_security_group.ancillary_alb_security_group.id env_name = var.env_name From 4be55b60dabb92403a70e6bf4b3148c0bd267acb Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 16:22:19 +0000 Subject: [PATCH 23/36] Update PwmConfiguration.xml.tpl --- .../delius_environment/templates/PwmConfiguration.xml.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl index 0f308fcb3f6..7854f1a87ae 100644 
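Review bot: The new sender `noreply-ndelius-pwm-${var.env_name}@digital.justice.gov.uk` moves the From domain off the `pwm.<env>` hostname onto a shared organisational domain, and nothing in this hunk shows that the relay named a line above (`production-smtp-relay-...elb.eu-west-2.amazonaws.com`) is authorised to send for it. Password-reset mail is the most phishing-sensitive traffic this service produces, so confirm the relay is covered by that domain's SPF/DKIM/DMARC policy before relying on it; otherwise deliveries may be quarantined and recipients lose the signal that distinguishes genuine reset mail from look-alikes. A comment recording where the sender is registered, e.g. `# sender must be authorised in the digital.justice.gov.uk SPF/DKIM records for this relay`, would help the next person who changes it. The enclosing `templatefile` call starts outside the hunk.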
--- a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl +++ b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl @@ -145,11 +145,11 @@ - + - + From 811bee029e17aefbc3cf8aab0ebb2fdf536495f0 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 17:17:09 +0000 Subject: [PATCH 24/36] security groups --- .../modules/components/ldap/outputs.tf | 4 +++ .../modules/delius_environment/pwm.tf | 11 +++++++ .../modules/helpers/delius_microservice/sg.tf | 30 +++++++++++++++++++ .../helpers/delius_microservice/variables.tf | 22 ++++++++++++++ 4 files changed, 67 insertions(+) diff --git a/terraform/environments/delius-core/modules/components/ldap/outputs.tf b/terraform/environments/delius-core/modules/components/ldap/outputs.tf index ffd34a25468..e9cc7b70686 100644 --- a/terraform/environments/delius-core/modules/components/ldap/outputs.tf +++ b/terraform/environments/delius-core/modules/components/ldap/outputs.tf @@ -8,4 +8,8 @@ output "delius_core_ldap_principal_arn" { output "delius_core_ldap_bind_password_arn" { value = aws_ssm_parameter.delius_core_ldap_bind_password.arn +} + +output "security_group_id" { + value = aws_security_group.ldap.id } \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 3bd9fe521e6..1b27a31a909 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf 
@@ -23,12 +23,21 @@ module "pwm" { valueFrom = aws_ssm_parameter.ldap_admin_password.arn } ] + db_ingress_security_groups = [] cluster_security_group_id = aws_security_group.cluster.id bastion_sg_id = module.bastion_linux.bastion_security_group + ecs_service_ingress_security_group_ids = [] + ecs_service_egress_security_group_ids = [{ + security_group_id = aws_security_group.cluster.id + ip_protocol = "tcp" + port = 389 + referenced_security_group_id = module.ldap.security_group_id + }] + tags = var.tags microservice_lb = aws_lb.delius_core_ancillary microservice_lb_https_listener_arn = aws_lb_listener.ancillary_https.arn @@ -73,6 +82,8 @@ module "pwm" { } + + ############# # SES #############" diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/sg.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/sg.tf index 8278e47d592..f4377e63a3e 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/sg.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/sg.tf 
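Review bot: `security_group_id = aws_security_group.cluster.id` inside the `ecs_service_egress_security_group_ids` element is not an attribute of the object type this same patch declares for that variable in variables.tf, so I would expect Terraform to reject the module call with an "attribute not expected" error; the helper's egress rule already fixes `security_group_id` to its own `aws_security_group.ecs_service.id`, so the line can simply be dropped. Scoping the 389/tcp egress to `module.ldap.security_group_id` rather than a CIDR is the right least-privilege shape and worth keeping. `ecs_service_ingress_security_group_ids = []` is fine provided the NLB-to-service rule the helper gains in this patch is the only ingress the service needs. The module block starts outside the hunk.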
@@ -56,4 +56,34 @@ resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" { to_port = each.value protocol = "tcp" source_security_group_id = var.bastion_sg_id +} + +resource "aws_vpc_security_group_ingress_rule" "nlb_to_ecs_service" { + security_group_id = aws_security_group.ecs_service.id + description = "network load balancer to ecs service" + from_port = var.container_port_config[0].containerPort + to_port = var.container_port_config[0].containerPort + ip_protocol = "tcp" + referenced_security_group_id = aws_security_group.delius_microservices_service_nlb.id +} + +resource "aws_vpc_security_group_ingress_rule" "custom_rules" { + for_each = { for index, rule in var.ecs_service_ingress_security_group_ids : index => rule } + security_group_id = aws_security_group.ecs_service.id + description = "custom rule" + from_port = each.value.port + to_port = each.value.port + ip_protocol = each.value.ip_protocol + cidr_ipv4 = each.value.cidr_ipv4 +} + +resource "aws_vpc_security_group_egress_rule" "custom_rules" { + for_each = { for index, rule in var.ecs_service_egress_security_group_ids : index => rule } + security_group_id = aws_security_group.ecs_service.id + description = "custom rule" + from_port = each.value.port + to_port = each.value.port + ip_protocol = each.value.ip_protocol + cidr_ipv4 = each.value.cidr_ipv4 + referenced_security_group_id = each.value.referenced_security_group_id } \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf index d3c68676af1..c22b94e3050 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf 
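Review bot: `aws_vpc_security_group_ingress_rule.custom_rules` only wires up `cidr_ipv4`, so the `referenced_security_group_id` that the ingress variable type accepts is silently ignored, and a caller that supplies just a security-group reference gets a rule with no source, which the provider rejects at apply time; add `referenced_security_group_id = each.value.referenced_security_group_id` as the egress rule already does. Both custom rules also hard-code `description = "custom rule"`, which leaves the security-group audit trail with no record of why each port is open; threading a per-rule description through the variable objects (with a default) is a small change. The `nlb_to_ecs_service` rule only opens `var.container_port_config[0].containerPort`, so a service exposing more than one port would silently lose NLB reachability on the others — acceptable if single-port is the contract, but worth a comment saying so. The `bastion_to_ecs_service_tcp` resource at the top of the hunk starts outside it.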
@@ -460,4 +460,26 @@ variable "force_new_deployment" { description = "Force a new deployment" type = bool default = false +} + +variable "ecs_service_ingress_security_group_ids" { + description = "Security group ids to allow ingress to the ECS service" + type = list(object({ + referenced_security_group_id = optional(string, null) + cidr_ipv4 = optional(string, null) + port = number + ip_protocol = string + })) + default = [] +} + +variable "ecs_service_egress_security_group_ids" { + description = "Security group ids to allow egress from the ECS service" + type = list(object({ + referenced_security_group_id = optional(string, null) + cidr_ipv4 = optional(string, null) + port = optional(number, null) + ip_protocol = string + })) + default = [] } \ No newline at end of file From 60f0f194e949f9545fb33b139036b5e83d1b1a4a Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 17:30:02 +0000 Subject: [PATCH 25/36] url schema --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 1b27a31a909..6b7c70c37dd 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf 
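Review bot: `port = optional(number, null)` on `ecs_service_egress_security_group_ids` lets a caller omit the port, but the helper's egress rule feeds it straight into `from_port`/`to_port`, and a null port with `ip_protocol = "tcp"` is likely to fail provider validation (omitting ports only makes sense with protocol `-1`); either make `port` required as the ingress variable does or document the `-1` case in the description. The descriptions "Security group ids to allow ingress/egress" also undersell what these variables carry: full rule objects that may name a CIDR instead of a security group, so a reader should not assume every entry is SG-to-SG. Something like `description = "Egress rules for the ECS service SG: each entry names either a referenced security group or a CIDR, plus port and protocol"` sets that expectation. The `force_new_deployment` variable at the top of the hunk starts outside it.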
@@ -62,7 +62,7 @@ module "pwm" { value = base64encode(templatefile("${path.module}/templates/PwmConfiguration.xml.tpl", { ldap_host_url = "ldap://${module.ldap.nlb_dns_name}:${var.ldap_config.port}" ldap_user = module.ldap.delius_core_ldap_principal_arn - pwm_url = "pwm.${var.env_name}.${var.account_config.dns_suffix}" + pwm_url = "https://pwm.${var.env_name}.${var.account_config.dns_suffix}" # email_smtp_address = "smtp.${data.terraform_remote_state.vpc.outputs.private_zone_name}" email_smtp_address = "production-smtp-relay-70e032e2738d0a27.elb.eu-west-2.amazonaws.com" # email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}" From f6d64d5e259a76d7f0f23c6dabafa6559176cb8d Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 17:37:46 +0000 Subject: [PATCH 26/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 6b7c70c37dd..6ea56d8a545 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -53,6 +53,8 @@ module "pwm" { health_check_interval = "30" account_info = var.account_info + task_cpu = 1024 + task_memory = 2048 deployment_maximum_percent = 200 deployment_minimum_healthy_percent = 100 From af713284abad2e9c4bf42abf0251c9f10fff37a2 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 17:39:42 +0000 Subject: [PATCH 27/36] Update pwm.tf --- .../delius-core/modules/delius_environment/pwm.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 6ea56d8a545..5906d2e62e9 100644 
--- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -53,8 +53,8 @@ module "pwm" { health_check_interval = "30" account_info = var.account_info - task_cpu = 1024 - task_memory = 2048 + container_cpu = 1024 + container_memory = 2048 deployment_maximum_percent = 200 deployment_minimum_healthy_percent = 100 From 54172cf9f3e935ab9362e6b3fd15a219e0a3d72d Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 18:15:18 +0000 Subject: [PATCH 28/36] Update pwm.tf --- .../delius-core/modules/delius_environment/pwm.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 5906d2e62e9..f7a4bfa8cb0 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -50,9 +50,12 @@ module "pwm" { container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}" account_config = var.account_config health_check_path = "/" - health_check_interval = "30" + health_check_interval = "15" account_info = var.account_info + target_group_protocol_version = "HTTP1" + health_check_grace_period_seconds = 10 + container_cpu = 1024 container_memory = 2048 deployment_maximum_percent = 200 From 60bb55740d9988c5c2bf694855125425c12a159a Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 7 Mar 2024 18:57:04 +0000 Subject: [PATCH 29/36] fix --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +- .../delius_environment/templates/PwmConfiguration.xml.tpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
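Review bot: `health_check_grace_period_seconds = 10` together with `health_check_interval = "15"` gives the container very little time before target-group checks count against it, and if PWM (a Java web application) takes longer than that to start, ECS will cycle tasks before any becomes healthy. I cannot see the container's start-up profile from here, so treat this as something to confirm in the service events after the first deploy rather than a definite defect. The reasoning behind the pair deserves a comment, e.g. `# short grace period: "/" answers quickly once the JVM is up; raise if tasks are replaced during start-up`. The module block starts and continues outside the hunk.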
diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index f7a4bfa8cb0..9f93226ab62 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -76,7 +76,7 @@ module "pwm" { }, { name = "SECURITY_KEY" - value = "REPLACE" + value = "${uuid()}" } ] diff --git a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl index 7854f1a87ae..6f0c3254a0d 100644 --- a/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl +++ b/terraform/environments/delius-core/modules/delius_environment/templates/PwmConfiguration.xml.tpl @@ -9,7 +9,7 @@ true - $${PWM_CONFIG_PASSWORD_HASH} + $${CONFIG_PASSWORD_HASH} false 1 From ee642f289a6dbd88a50df0ba57282032c1250df7 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Fri, 8 Mar 2024 12:39:36 +0000 Subject: [PATCH 30/36] ingress --- .../modules/delius_environment/alb_ancillary.tf | 4 ++-- .../modules/delius_environment/locals.tf | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf b/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf index 91fef521c00..66deec7d241 100644 --- a/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf +++ b/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf 
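Review bot: `value = "${uuid()}"` for `SECURITY_KEY` is regenerated on every plan, so each apply rotates the key PWM uses to protect its tokens and sessions and forces a new task definition, and the value is written in clear text into Terraform state and into the task definition's `environment` block, where anyone with `ecs:DescribeTaskDefinition` can read it. The same module call already handles the LDAP admin password the right way via a `valueFrom` pointing at an SSM parameter (visible in the PATCH 24 hunk), so generate the key once as a resource, store it as a SecureString and reference it from the secrets list the same way, assuming the `random` provider is available to this module. The interpolation-only string is also a lint warning; plain `uuid()` would do if it were kept. The `environment` list and module block continue outside the hunk.
```hcl
# generated once and kept in state; rotate deliberately by tainting the resource
resource "random_uuid" "pwm_security_key" {}

resource "aws_ssm_parameter" "pwm_security_key" {
  name  = "/${var.env_name}/pwm/security-key" # constructed path: align with the module's SSM naming
  type  = "SecureString"
  value = random_uuid.pwm_security_key.result
}

# … unchanged: other environment entries (SECURITY_KEY removed from environment) …
# in the module "pwm" secrets list, alongside the ldap_admin_password entry:
{
  name      = "SECURITY_KEY"
  valueFrom = aws_ssm_parameter.pwm_security_key.arn
}
```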
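Review bot: Renaming the placeholder to `$${CONFIG_PASSWORD_HASH}` only works if the container actually receives an environment variable of that name, and the pwm.tf hunk in this patch adds no such variable, so confirm it is injected elsewhere or the config password will stay unset. The `$$` escape means `templatefile` passes `${CONFIG_PASSWORD_HASH}` through literally for PWM's own substitution, which looks intended. The surrounding XML is not visible in this rendering, so I cannot check the element the placeholder sits in.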
@@ -9,7 +9,7 @@ resource "aws_security_group" "ancillary_alb_security_group" { } resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_global_protect_allowlist" { - for_each = toset(local.globalprotect_ips) + for_each = toset(local.all_ingress_ips) security_group_id = aws_security_group.ancillary_alb_security_group.id description = "Access into alb over https" from_port = "443" @@ -19,7 +19,7 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_glob } resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_global_protect_allowlist" { - for_each = toset(local.globalprotect_ips) + for_each = toset(local.all_ingress_ips) security_group_id = aws_security_group.ancillary_alb_security_group.id description = "Access into alb over http (will redirect)" from_port = "80" diff --git a/terraform/environments/delius-core/modules/delius_environment/locals.tf b/terraform/environments/delius-core/modules/delius_environment/locals.tf index ba5b5785e29..f5f13742744 100644 --- a/terraform/environments/delius-core/modules/delius_environment/locals.tf +++ b/terraform/environments/delius-core/modules/delius_environment/locals.tf @@ -22,4 +22,19 @@ locals { certificate_arn = aws_acm_certificate.external.arn globalprotect_ips = module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_alpha + unilink_ips = [ + "194.75.210.216/29", # Unilink AOVPN + "83.98.63.176/29", # Unilink AOVPN + "78.33.10.50/31", # Unilink AOVPN + "78.33.10.52/30", # Unilink AOVPN + "78.33.10.56/30", # Unilink AOVPN + "78.33.10.60/32", # Unilink AOVPN + "78.33.32.99/32", # Unilink AOVPN + "78.33.32.100/30", # Unilink AOVPN + "78.33.32.104/30", # Unilink AOVPN + "78.33.32.108/32", # Unilink AOVPN + "217.138.45.109/32", # Unilink AOVPN + "217.138.45.110/32", # Unilink AOVPN + ] + all_ingress_ips = merge(local.globalprotect_ips, local.unilink_ips) } From f722e9e77c2ad300693554f07d85edb08a5c9ab9 Mon Sep 17 00:00:00 2001 
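Review bot: Both `ancillary_alb_ingress_*_global_protect_allowlist` rules now iterate `local.all_ingress_ips`, which includes the Unilink AOVPN ranges, while the resource names and descriptions (`"Access into alb over https"`, `"... over http (will redirect)"`) still read as a GlobalProtect-only allowlist; that gap is what an access review will trip over. Update the descriptions to name both sources, e.g. `description = "Access into alb over https from MoJ GlobalProtect and Unilink AOVPN ranges"`, and rename the resources when convenient, using `moved` blocks so the existing rules are not replaced. Both resources start outside the hunk.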
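Review bot: `all_ingress_ips = merge(local.globalprotect_ips, local.unilink_ips)` applies a map function to two lists and will fail evaluation; `concat(...)` is what is needed, and PATCH 31 below makes that change. Separately, the Unilink CIDRs are typed by hand into this module's locals while the GlobalProtect ranges come from `module.ip_addresses`, so the two halves of the ALB allowlist will drift whenever the shared list is updated; if the shared module can carry the Unilink ranges, reference them from there so the allowlist has one source of truth. Either way, a comment pointing at the ticket or document that approved the Unilink ranges would help future reviewers, since "Unilink AOVPN" alone does not say who signed it off. The `locals` block starts outside the hunk.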
From: George Taylor Date: Fri, 8 Mar 2024 12:42:27 +0000 Subject: [PATCH 31/36] Update locals.tf --- .../delius-core/modules/delius_environment/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/locals.tf b/terraform/environments/delius-core/modules/delius_environment/locals.tf index f5f13742744..c02f03d49e5 100644 --- a/terraform/environments/delius-core/modules/delius_environment/locals.tf +++ b/terraform/environments/delius-core/modules/delius_environment/locals.tf @@ -36,5 +36,5 @@ locals { "217.138.45.109/32", # Unilink AOVPN "217.138.45.110/32", # Unilink AOVPN ] - all_ingress_ips = merge(local.globalprotect_ips, local.unilink_ips) + all_ingress_ips = concat(local.globalprotect_ips, local.unilink_ips) } From 5b5c880ea619813b41cc77371c3b0bfa82e9fa2d Mon Sep 17 00:00:00 2001 From: George Taylor Date: Fri, 8 Mar 2024 13:08:24 +0000 Subject: [PATCH 32/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 9f93226ab62..485e4e1a37c 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -80,6 +80,9 @@ module "pwm" { } ] + ignore_changes_task_definition = false + force_new_deployment = true + providers = { aws = aws aws.core-vpc = aws.core-vpc From cc2377d03c877ad552f3e326a1bbc77c7c9537ca Mon Sep 17 00:00:00 2001 From: George Taylor Date: Fri, 8 Mar 2024 13:22:35 +0000 Subject: [PATCH 33/36] Update locals_test.tf --- terraform/environments/delius-core/locals_test.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
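Review bot: `force_new_deployment = true` alongside `ignore_changes_task_definition = false` makes every `terraform apply` redeploy PWM even when nothing changed, and because `SECURITY_KEY` is currently `uuid()` each run also produces a new task definition, so plans for this module will never be clean. If the flag is only needed while the image is being iterated, drive it from the per-environment locals (the image tag already lives there) rather than hard-coding it, and let it fall back to the module's default of `false` once the service is stable. The module block continues outside the hunk.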
diff --git a/terraform/environments/delius-core/locals_test.tf b/terraform/environments/delius-core/locals_test.tf index 6130084be2a..49405d15f25 100644 --- a/terraform/environments/delius-core/locals_test.tf +++ b/terraform/environments/delius-core/locals_test.tf @@ -130,7 +130,7 @@ locals { } pwm = { - image_tag = "5.7.6" + image_tag = "8179630699-1" container_port = 8080 } From b24cb3fc93bb9048cc9d35ba8df77af7b0d6a707 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Fri, 8 Mar 2024 13:50:58 +0000 Subject: [PATCH 34/36] Update pwm.tf --- .../delius-core/modules/delius_environment/pwm.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 485e4e1a37c..4504d1b26b1 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -32,10 +32,10 @@ module "pwm" { ecs_service_ingress_security_group_ids = [] ecs_service_egress_security_group_ids = [{ - security_group_id = aws_security_group.cluster.id - ip_protocol = "tcp" - port = 389 - referenced_security_group_id = module.ldap.security_group_id + security_group_id = aws_security_group.cluster.id + ip_protocol = "tcp" + port = 389 + cidr_ipv4 = var.account_config.shared_vpc_cidr }] tags = var.tags From 36e28f38c3be008562d6f853d709e7c62e381c88 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Fri, 8 Mar 2024 14:04:34 +0000 Subject: [PATCH 35/36] Update pwm.tf --- .../delius-core/modules/delius_environment/pwm.tf | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 4504d1b26b1..85349b53583 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf 
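Review bot: Replacing `referenced_security_group_id = module.ldap.security_group_id` with `cidr_ipv4 = var.account_config.shared_vpc_cidr` widens the 389/tcp egress from the one LDAP security group to every host in the shared VPC, a least-privilege regression for the single rule that carries a directory bind password. If the SG reference had to go because LDAP is reached through an NLB (the `ldap_host_url` in PATCH 25 points at `module.ldap.nlb_dns_name`), the narrower options are the NLB's own security group or the subnet CIDRs the NLB sits in, not the whole VPC. That URL also uses plain `ldap://`, so the scope of this rule is effectively the set of hosts on the path of a cleartext bind, which is a further reason to keep it tight and to consider LDAPS where the directory supports it. Whatever is kept, record the reason in the rule's description. The module block starts outside the hunk.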
+++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -32,10 +32,15 @@ module "pwm" { ecs_service_ingress_security_group_ids = [] ecs_service_egress_security_group_ids = [{ - security_group_id = aws_security_group.cluster.id - ip_protocol = "tcp" - port = 389 - cidr_ipv4 = var.account_config.shared_vpc_cidr + ip_protocol = "tcp" + port = 389 + cidr_ipv4 = var.account_config.shared_vpc_cidr + }, + { + ip_protocol = "tcp" + port = 25 + cidr_ipv4 = "10.180.104/22" # https://github.com/ministryofjustice/staff-infrastructure-network-services/blob/main/README.md#smtp-relay-service + }] tags = var.tags From 8297df3d3c509b56a031640c016ce20ac55b2467 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Fri, 8 Mar 2024 14:07:32 +0000 Subject: [PATCH 36/36] Update pwm.tf --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 85349b53583..4f2c483d5b4 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -39,7 +39,7 @@ module "pwm" { { ip_protocol = "tcp" port = 25 - cidr_ipv4 = "10.180.104/22" # https://github.com/ministryofjustice/staff-infrastructure-network-services/blob/main/README.md#smtp-relay-service + cidr_ipv4 = "10.180.104.0/22" # https://github.com/ministryofjustice/staff-infrastructure-network-services/blob/main/README.md#smtp-relay-service }]
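Review bot: `cidr_ipv4 = "10.180.104/22"` is not a valid IPv4 CIDR (only three octets), so the provider will reject the egress rule; PATCH 36 below corrects it to `10.180.104.0/22`, which is what this entry should read. Port 25 to the relay is cleartext SMTP unless STARTTLS is negotiated, and PWM reset mails typically carry one-time links, so confirm the relay documented at the linked README offers STARTTLS and that PWM's mail settings (in the template, not visible here) enable it. Since the helper labels every entry `description = "custom rule"`, putting the relay's purpose somewhere the console shows it, rather than only in this Terraform comment, would help whoever audits the security group later. The module block starts and continues outside the hunk.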