Nit 1150 delius core pwm vs hmpps auth usecase #5256

Merged
merged 37 commits into from
Mar 8, 2024
Merged
37 commits
8332cb3
configure pwm
georgepstaylor Mar 6, 2024
b7796ba
setup ses
georgepstaylor Mar 6, 2024
f9d1b31
image + config
georgepstaylor Mar 6, 2024
fb312a4
Update pwm.tf
georgepstaylor Mar 6, 2024
4cafce1
add dkim records
georgepstaylor Mar 6, 2024
8dbe607
Update pwm.tf
georgepstaylor Mar 6, 2024
8322561
Update pwm.tf
georgepstaylor Mar 6, 2024
09afdcb
Update pwm.tf
georgepstaylor Mar 6, 2024
e58367b
Update pwm.tf
georgepstaylor Mar 6, 2024
4542448
Update pwm.tf
georgepstaylor Mar 6, 2024
5578929
task def
georgepstaylor Mar 6, 2024
0ef1491
Update pwm.tf
georgepstaylor Mar 6, 2024
d2a2d74
sg
georgepstaylor Mar 7, 2024
a215a12
Update PwmConfiguration.xml.tpl
georgepstaylor Mar 7, 2024
8e6db66
create smtp creds user
georgepstaylor Mar 7, 2024
44fc66e
justice relay
georgepstaylor Mar 7, 2024
4675edb
Update pwm.tf
georgepstaylor Mar 7, 2024
e7fd2d3
Update pwm.tf
georgepstaylor Mar 7, 2024
3e61f4f
Merge branch 'main' into NIT-1150-delius-core-pwm-vs-hmpps-auth-usecase
georgepstaylor Mar 7, 2024
8995a1a
Update load_balancing.tf
georgepstaylor Mar 7, 2024
a931ebd
Update pwm.tf
georgepstaylor Mar 7, 2024
1cea24a
Update pwm.tf
georgepstaylor Mar 7, 2024
23d30c8
Update pwm.tf
georgepstaylor Mar 7, 2024
4be55b6
Update PwmConfiguration.xml.tpl
georgepstaylor Mar 7, 2024
811bee0
security groups
georgepstaylor Mar 7, 2024
60f0f19
url schema
georgepstaylor Mar 7, 2024
f6d64d5
Update pwm.tf
georgepstaylor Mar 7, 2024
af71328
Update pwm.tf
georgepstaylor Mar 7, 2024
54172cf
Update pwm.tf
georgepstaylor Mar 7, 2024
60bb557
fix
georgepstaylor Mar 7, 2024
ee642f2
ingress
georgepstaylor Mar 8, 2024
f722e9e
Update locals.tf
georgepstaylor Mar 8, 2024
5b5c880
Update pwm.tf
georgepstaylor Mar 8, 2024
cc2377d
Update locals_test.tf
georgepstaylor Mar 8, 2024
b24cb3f
Update pwm.tf
georgepstaylor Mar 8, 2024
36e28f3
Update pwm.tf
georgepstaylor Mar 8, 2024
8297df3
Update pwm.tf
georgepstaylor Mar 8, 2024
2 changes: 1 addition & 1 deletion terraform/environments/delius-core/locals_development.tf
Expand Up @@ -122,7 +122,7 @@ locals {
}

pwm = {
image_tag = "5.7.6"
image_tag = "8179630699-1"
container_port = 8080
}

Expand Down
2 changes: 1 addition & 1 deletion terraform/environments/delius-core/locals_test.tf
Expand Up @@ -130,7 +130,7 @@ locals {
}

pwm = {
image_tag = "5.7.6"
image_tag = "8179630699-1"
container_port = 8080
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,8 @@ output "delius_core_ldap_principal_arn" {

output "delius_core_ldap_bind_password_arn" {
value = aws_ssm_parameter.delius_core_ldap_bind_password.arn
}

output "security_group_id" {
value = aws_security_group.ldap.id
}
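Review bot: The new output is named `security_group_id` while both visible siblings carry the `delius_core_ldap_` prefix, so a consumer reading `module.ldap.security_group_id` (pwm.tf in this PR already consumes this module's outputs) has to open the module to learn which group it exposes. Naming it `delius_core_ldap_security_group_id`, or at least adding `description = "ID of the LDAP service security group"`, keeps the module's outputs self-describing. The file path for this section is not shown in this view, so the module attribution is inferred from the sibling output names.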
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ resource "aws_security_group" "ancillary_alb_security_group" {
}

resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_global_protect_allowlist" {
for_each = toset(local.globalprotect_ips)
for_each = toset(local.all_ingress_ips)
security_group_id = aws_security_group.ancillary_alb_security_group.id
description = "Access into alb over https"
from_port = "443"
Expand All @@ -19,7 +19,7 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_glob
}

resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_global_protect_allowlist" {
for_each = toset(local.globalprotect_ips)
for_each = toset(local.all_ingress_ips)
security_group_id = aws_security_group.ancillary_alb_security_group.id
description = "Access into alb over http (will redirect)"
from_port = "80"
Expand All @@ -28,6 +28,13 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_globa
cidr_ipv4 = each.key # Global Protect VPN
}

resource "aws_vpc_security_group_egress_rule" "ancillary_alb_egress_private" {
security_group_id = aws_security_group.ancillary_alb_security_group.id
description = "Access into alb over http (will redirect)"
ip_protocol = "-1"
cidr_ipv4 = var.account_config.shared_vpc_cidr
}

# tfsec:ignore:aws-elb-alb-not-public
resource "aws_lb" "delius_core_ancillary" {
# checkov:skip=CKV_AWS_91
Expand Down
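Review bot: The egress rule `ancillary_alb_egress_private` reuses the ingress text `description = "Access into alb over http (will redirect)"`, which is wrong for an egress rule, and it opens every protocol and port (`ip_protocol = "-1"`) to the whole shared VPC CIDR. An ALB only needs to reach its target groups, so `description = "ALB to targets in the shared VPC"` with `ip_protocol = "tcp"` and `from_port`/`to_port` limited to the target container ports would be tighter; if the port set is not known at this level, at least correct the description so the next reader does not assume it is an ingress rule. Separately, the two ingress rules are still named `..._global_protect_allowlist` and keep the `# Global Protect VPN` trailing comment although `for_each` now iterates `local.all_ingress_ips`, which includes the Unilink ranges; renaming would force a destroy/create, so updating the description and comment to say "GlobalProtect and Unilink allow-list" is the cheaper fix.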
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,19 @@ locals {
certificate_arn = aws_acm_certificate.external.arn

globalprotect_ips = module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_alpha
unilink_ips = [
"194.75.210.216/29", # Unilink AOVPN
"83.98.63.176/29", # Unilink AOVPN
"78.33.10.50/31", # Unilink AOVPN
"78.33.10.52/30", # Unilink AOVPN
"78.33.10.56/30", # Unilink AOVPN
"78.33.10.60/32", # Unilink AOVPN
"78.33.32.99/32", # Unilink AOVPN
"78.33.32.100/30", # Unilink AOVPN
"78.33.32.104/30", # Unilink AOVPN
"78.33.32.108/32", # Unilink AOVPN
"217.138.45.109/32", # Unilink AOVPN
"217.138.45.110/32", # Unilink AOVPN
]
all_ingress_ips = concat(local.globalprotect_ips, local.unilink_ips)
}
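Review bot: The twelve `unilink_ips` CIDRs are hard-coded here with only an `# Unilink AOVPN` label, whereas the GlobalProtect ranges on the line above come from `module.ip_addresses`, so there is no record of who supplied these third-party addresses, when, or how they are re-verified when Unilink changes its egress. Because `all_ingress_ips` feeds the internet-facing ALB's security group, each entry (or the list as a whole) should carry provenance, e.g. `# Unilink AOVPN egress — supplied by <Unilink contact>, NIT-1150, verified 2024-03`, or better, the list should move into the shared ip_addresses module where the other MoJ allow-lists already live. The `/31` and `/32` entries look deliberate, but a one-line comment stating that this is the complete Unilink egress set and must not be aggregated would stop a future reader from "tidying" them into a broader prefix.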

This file was deleted.

181 changes: 181 additions & 0 deletions terraform/environments/delius-core/modules/delius_environment/pwm.tf
@@ -0,0 +1,181 @@
module "pwm" {
source = "../helpers/delius_microservice"

name = "pwd-manager"
certificate_arn = local.certificate_arn
alb_security_group_id = aws_security_group.ancillary_alb_security_group.id
env_name = var.env_name
container_port_config = [
{
containerPort = var.delius_microservice_configs.pwm.container_port
protocol = "tcp"
}
]

ecs_cluster_arn = module.ecs.ecs_cluster_arn
container_secrets = [
{
name = "CONFIG_PASSWORD"
valueFrom = aws_ssm_parameter.delius_core_pwm_config_password.arn
},
{
name = "LDAP_PASSWORD"
valueFrom = aws_ssm_parameter.ldap_admin_password.arn
}
]

db_ingress_security_groups = []

cluster_security_group_id = aws_security_group.cluster.id

bastion_sg_id = module.bastion_linux.bastion_security_group

ecs_service_ingress_security_group_ids = []
ecs_service_egress_security_group_ids = [{
ip_protocol = "tcp"
port = 389
cidr_ipv4 = var.account_config.shared_vpc_cidr
},
{
ip_protocol = "tcp"
port = 25
cidr_ipv4 = "10.180.104.0/22" # https://github.com/ministryofjustice/staff-infrastructure-network-services/blob/main/README.md#smtp-relay-service

}]

tags = var.tags
microservice_lb = aws_lb.delius_core_ancillary
microservice_lb_https_listener_arn = aws_lb_listener.ancillary_https.arn


alb_listener_rule_host_header = "pwm.${var.env_name}.${var.account_config.dns_suffix}"

platform_vars = var.platform_vars

container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}"
account_config = var.account_config
health_check_path = "/"
health_check_interval = "15"
account_info = var.account_info

target_group_protocol_version = "HTTP1"
health_check_grace_period_seconds = 10

container_cpu = 1024
container_memory = 2048
deployment_maximum_percent = 200
deployment_minimum_healthy_percent = 100

container_environment_vars = [
{
name = "CONFIG_XML_BASE64"
value = base64encode(templatefile("${path.module}/templates/PwmConfiguration.xml.tpl", {
ldap_host_url = "ldap://${module.ldap.nlb_dns_name}:${var.ldap_config.port}"
ldap_user = module.ldap.delius_core_ldap_principal_arn
pwm_url = "https://pwm.${var.env_name}.${var.account_config.dns_suffix}"
# email_smtp_address = "smtp.${data.terraform_remote_state.vpc.outputs.private_zone_name}"
email_smtp_address = "production-smtp-relay-70e032e2738d0a27.elb.eu-west-2.amazonaws.com"
# email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}"
email_from_address = "noreply-ndelius-pwm-${var.env_name}@digital.justice.gov.uk"
}))
},
{
name = "SECURITY_KEY"
value = "${uuid()}"
}
]

ignore_changes_task_definition = false
force_new_deployment = true

providers = {
aws = aws
aws.core-vpc = aws.core-vpc
}
}




#############
# SES
#############"

resource "aws_ses_domain_identity" "pwm" {
domain = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
}

resource "aws_ses_domain_identity_verification" "pwm" {
domain = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
}

resource "aws_route53_record" "pwm_ses_verification_record" {
provider = aws.core-vpc
zone_id = var.account_config.route53_external_zone.zone_id
name = "_amazonses.${aws_ses_domain_identity.pwm.id}"
type = "TXT"
ttl = "600"
records = [aws_ses_domain_identity.pwm.verification_token]
}

resource "aws_ses_domain_identity_verification" "pwm_ses_verification" {
domain = aws_ses_domain_identity.pwm.id
depends_on = [aws_route53_record.pwm_ses_verification_record]
}


resource "aws_ses_domain_dkim" "pwm" {
domain = aws_ses_domain_identity.pwm.domain
}

resource "aws_route53_record" "pwm_amazonses_dkim_record" {
provider = aws.core-vpc
count = 3
zone_id = var.account_config.route53_external_zone.zone_id
name = "${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}._domainkey"
type = "CNAME"
ttl = "600"
records = ["${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}.dkim.amazonses.com"]
}

######################
# SES SMTP User
######################

# resource "aws_iam_user" "pwm_ses_smtp_user" {
# name = "pwm-smtp-user"
# }
#
# resource "aws_iam_access_key" "pwm_ses_smtp_user" {
# user = aws_iam_user.pwm_ses_smtp_user.name
# }
#
# resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
# name = "pwm-ses-smtp-user-policy"
# user = aws_iam_user.pwm_ses_smtp_user.name
#
# policy = jsonencode({
# Version = "2012-10-17",
# Statement = [
# {
# Effect = "Allow",
# Action = [
# "ses:SendRawEmail",
# "ses:SendEmail"
# ],
# Resource = "*"
# }
# ]
# })
# }

# resource "aws_ssm_parameter" "pwm_ses_smtp_user" {
# name = "/pwm/ses_smtp"
# type = "SecureString"
# value = jsonencode({
# user = aws_iam_user.pwm_ses_smtp_user.name,
# key = aws_iam_access_key.pwm_ses_smtp_user.id,
# secret = aws_iam_access_key.pwm_ses_smtp_user.secret
# ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4
# })
# }