ministryofjustice · georgepstaylor · Mar 8, 2024 · Mar 6, 2024 · Mar 6, 2024 · Mar 6, 2024
@@ -122,7 +122,7 @@ locals {
     }
 
     pwm = {
-      image_tag      = "5.7.6"
+      image_tag      = "8179630699-1"
       container_port = 8080
     }
 

@@ -28,6 +28,13 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_globa
   cidr_ipv4         = each.key # Global Protect VPN
 }
 
+resource "aws_vpc_security_group_egress_rule" "ancillary_alb_egress_private" {
+  security_group_id = aws_security_group.ancillary_alb_security_group.id
+  description       = "Access into alb over http (will redirect)"
+  ip_protocol       = "-1"
+  cidr_ipv4         = var.account_config.shared_vpc_cidr
+}
+
 # tfsec:ignore:aws-elb-alb-not-public
 resource "aws_lb" "delius_core_ancillary" {
   # checkov:skip=CKV_AWS_91

@@ -0,0 +1,159 @@
+module "pwm" {
+  source = "../helpers/delius_microservice"
+
+  name                  = "pwm"
+  certificate_arn       = local.certificate_arn
+  alb_security_group_id = aws_security_group.ancillary_alb_security_group.id
+  env_name              = var.env_name
+  container_port_config = [
+    {
+      containerPort = var.delius_microservice_configs.pwm.container_port
+      protocol      = "tcp"
+    }
+  ]
+
+  ecs_cluster_arn = module.ecs.ecs_cluster_arn
+  container_secrets = [
+    {
+      name      = "CONFIG_PASSWORD"
+      valueFrom = aws_ssm_parameter.delius_core_pwm_config_password.arn
+    },
+    {
+      name      = "LDAP_PASSWORD"
+      valueFrom = aws_ssm_parameter.ldap_admin_password.arn
+    }
+  ]
+  db_ingress_security_groups = []
+
+  cluster_security_group_id = aws_security_group.cluster.id
+
+  bastion_sg_id = module.bastion_linux.bastion_security_group
+
+  tags                               = var.tags
+  microservice_lb                    = aws_lb.delius_core_ancillary
+  microservice_lb_https_listener_arn = aws_lb_listener.ancillary_https.arn
+
+
+  alb_listener_rule_host_header = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
+
+  platform_vars = var.platform_vars
+
+  container_image       = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}"
+  account_config        = var.account_config
+  health_check_path     = "/"
+  health_check_interval = "30"
+  account_info          = var.account_info
+
+  deployment_maximum_percent         = 200
+  deployment_minimum_healthy_percent = 100
+
+  container_environment_vars = [
+    {
+      name = "CONFIG_XML_BASE64"
+      value = base64encode(templatefile("${path.module}/templates/PwmConfiguration.xml.tpl", {
+        ldap_host_url = "ldap://${module.ldap.nlb_dns_name}:${var.ldap_config.port}"
+        ldap_user     = module.ldap.delius_core_ldap_principal_arn
+        pwm_url       = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
+        # email_smtp_address = "smtp.${data.terraform_remote_state.vpc.outputs.private_zone_name}"
+        email_smtp_address = "REPLACE"
+        # email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}"
+        email_from_address = "REPLACE"
+      }))
+    },
+    {
+      name  = "SECURITY_KEY"
+      value = "REPLACE"
+    }
+  ]
+
+  ignore_changes_task_definition = false
+
+  providers = {
+    aws          = aws
+    aws.core-vpc = aws.core-vpc
+  }
+}
+
+
+#############
+# SES
+#############"
+
+resource "aws_ses_domain_identity" "pwm" {
+  domain = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
+}
+
+resource "aws_ses_domain_identity_verification" "pwm" {
+  domain = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
+}
+
+resource "aws_route53_record" "pwm_ses_verification_record" {
+  provider = aws.core-vpc
+  zone_id  = var.account_config.route53_external_zone.zone_id
+  name     = "_amazonses.${aws_ses_domain_identity.pwm.id}"
+  type     = "TXT"
+  ttl      = "600"
+  records  = [aws_ses_domain_identity.pwm.verification_token]
+}
+
+resource "aws_ses_domain_identity_verification" "pwm_ses_verification" {
+  domain     = aws_ses_domain_identity.pwm.id
+  depends_on = [aws_route53_record.pwm_ses_verification_record]
+}
+
+
+resource "aws_ses_domain_dkim" "pwm" {
+  domain = aws_ses_domain_identity.pwm.domain
+}
+
+resource "aws_route53_record" "pwm_amazonses_dkim_record" {
+  provider = aws.core-vpc
+  count    = 3
+  zone_id  = var.account_config.route53_external_zone.zone_id
+  name     = "${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}._domainkey"
+  type     = "CNAME"
+  ttl      = "600"
+  records  = ["${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}.dkim.amazonses.com"]
+}
+
+######################
+# SES SMTP User
+######################
+
+resource "aws_iam_user" "pwm_ses_smtp_user" {
+  name = "pwm-smtp-user"
+}
+
+resource "aws_iam_access_key" "pwm_ses_smtp_user" {
+  user = aws_iam_user.pwm_ses_smtp_user.name
+}
+
+resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
+  name = "pwm-ses-smtp-user-policy"
+  user = aws_iam_user.pwm_ses_smtp_user.name
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ses:SendRawEmail",
+          "ses:SendEmail"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_ssm_parameter" "pwm_ses_smtp_user" {
+  name = "/pwm/ses_smtp"
+  type = "SecureString"
+  value = jsonencode({
+    user              = aws_iam_user.pwm_ses_smtp_user.name,
+    key               = aws_iam_access_key.pwm_ses_smtp_user.id,
+    secret            = aws_iam_access_key.pwm_ses_smtp_user.secret
+    ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4
+  })
+}
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<PwmConfiguration pwmVersion="1.9.1" xmlVersion="4" createTime="1970-01-01T00:00:00Z">
+<PwmConfiguration pwmVersion="2.0.6" xmlVersion="4" createTime="1970-01-01T00:00:00Z">
   <localeBundle bundle="password.pwm.i18n.Display" key="Title_Application">
     <value><![CDATA[National Delius - Account Self Service]]></value>
   </localeBundle>
@@ -18,9 +18,13 @@
       <label>Security Key</label>
       <value plaintext="true">$${SECURITY_KEY}</value>
     </setting>
+     <setting key="pwm.appProperty.overrides" modifyTime="2023-10-24T00:19:49Z" syntax="STRING_ARRAY" syntaxVersion="0">
+    <label>Settings ⇨ Application ⇨ Application ⇨ App Property Overrides</label>
+    <value>security.http.permittedUrlPathCharacters=^[a-zA-Z0-9-_=\\s]*$</value>
+  </setting>
     <setting key="template.ldap" syntax="SELECT">
       <label>LDAP Vendor Default Settings</label>
-      <value><![CDATA[DEFAULT]]></value>
+      <value><![CDATA[OPEN_LDAP]]></value>
     </setting>
     <setting key="template.storage" syntax="SELECT">
       <label>Storage Default Settings</label>
@@ -32,31 +36,31 @@
     </setting>
     <setting key="ldap.serverUrls" syntax="STRING_ARRAY" profile="default">
       <label>LDAP URLs</label>
-      <value><![CDATA[${ldap_url}]]></value>
+      <value><![CDATA[${ldap_host_url}]]></value>
     </setting>
     <setting key="ldap.proxy.username" syntax="STRING" profile="default">
       <label>LDAP Proxy User</label>
-      <value><![CDATA[${ldap_user}]]></value>
+      <value><![CDATA[cn=admin,dc=moj,dc=com]]></value>
     </setting>
     <setting key="ldap.proxy.password" syntax="PASSWORD" profile="default">
       <label>LDAP Proxy Password</label>
       <value plaintext="true">$${LDAP_PASSWORD}</value>
     </setting>
     <setting key="ldap.rootContexts" syntax="STRING_ARRAY" profile="default">
       <label>LDAP Contextless Login Roots</label>
-      <value><![CDATA[${user_base}]]></value>
+      <value><![CDATA[ou=Users,dc=moj,dc=com]]></value>
     </setting>
     <setting key="ldap.guidAttribute" syntax="STRING" profile="default">
       <label>LDAP GUID Attribute</label>
       <value><![CDATA[uid]]></value>
     </setting>
     <setting key="ldap.testuser.username" syntax="STRING" profile="default">
       <label>LDAP Test User</label>
-      <value><![CDATA[cn=pwm-test,${user_base}]]></value>
+      <value><![CDATA[cn=pwm-test,ou=Users,dc=moj,dc=com]]></value>
     </setting>
     <setting key="pwmAdmin.queryMatch" syntax="USER_PERMISSION" syntaxVersion="2">
       <label>Administrator Permission</label>
-      <value>{"ldapBase":"${user_base}","ldapQuery":"(pwmAdmin=TRUE)","type":"ldapQuery"}</value>
+      <value>{"ldapBase":"ou=Users,dc=moj,dc=com","ldapQuery":"(pwmAdmin=TRUE)","type":"ldapQuery"}</value>
     </setting>
     <setting key="pwm.publishStats.enable" syntax="BOOLEAN">
       <label>Enable Anonymous Statistics Publishing</label>
@@ -68,7 +72,7 @@
     </setting>
     <setting key="pwm.selfURL" syntax="STRING">
       <label>Site URL</label>
-      <value><![CDATA[${site_url}]]></value>
+      <value><![CDATA[${pwm_url}]]></value>
     </setting>
     <setting key="pwm.introURL" syntax="SELECT">
       <label>Intro URL</label>
@@ -141,11 +145,11 @@
     </setting>
     <setting key="email.smtp.address" syntax="STRING" profile="default">
       <label>SMTP Server Address</label>
-      <value><![CDATA[${email_smtp_address}]]></value>
+      <value><![CDATA[$${pwm_ses_endpoint}]]></value>
     </setting>
     <setting key="email.default.fromAddress" syntax="STRING">
       <label>Default From Address</label>
-      <value><![CDATA[${email_from_address}]]></value>
+      <value><![CDATA[$${pwm_ses_from_address}]]></value>
     </setting>
     <setting key="network.allowMultiIPSession" syntax="BOOLEAN">
       <label>Allow Roaming Source Network Address</label>
@@ -163,5 +167,13 @@
       <label>Sticky Session Verification</label>
       <value><![CDATA[OFF]]></value>
     </setting>
+    <setting key="token.storageMethod" syntax="SELECT">
+      <label>Token Storage Method</label>
+      <value><![CDATA[STORE_LOCALDB]]></value>
+    </setting>
+    <setting key="token.length" syntax="SELECT">
+      <label>Token Length</label>
+      <value><![CDATA[64]]></value>
+    </setting>
   </settings>
 </PwmConfiguration>
@@ -70,7 +70,7 @@ module "ecs_service" {
 
   exec_enabled = true
 
-  ignore_changes_task_definition = true # task definition managed by Delius App team
-  redeploy_on_apply              = false
-  force_new_deployment           = false
+  ignore_changes_task_definition = var.ignore_changes_task_definition # task definition managed by Delius App team
+  redeploy_on_apply              = var.redeploy_on_apply
+  force_new_deployment           = var.force_new_deployment
 }
@@ -442,4 +442,22 @@ variable "deployment_maximum_percent" {
   type        = number
   description = "The upper limit of the number of tasks (as a percentage of `desired_count`) that can be running in a service during a deployment"
   default     = 100
+}
+
+variable "ignore_changes_task_definition" {
+  description = "Ignore changes to the task definition"
+  type        = bool
+  default     = true
+}
+
+variable "redeploy_on_apply" {
+  description = "Redeploy the ecs service on apply"
+  type        = bool
+  default     = false
+}
+
+variable "force_new_deployment" {
+  description = "Force a new deployment"
+  type        = bool
+  default     = false
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -122,7 +122,7 @@ locals { @@
         }
         pwm = {
-          image_tag      = "5.7.6"
+          image_tag      = "8179630699-1"
           container_port = 8080
         }
@@ Expand Down @@