Add the tribunals applications

terraform/environments/tribunals/README.md

@@ -1,4 +1,4 @@
-# Service Runbook
+## Service Runbook
 
 <!-- This is a template that should be populated by the development team when moving to the modernisation platform, but also reviewed and kept up to date.
 To ensure that people looking at your runbook can get the information they need quickly, your runbook should be short but clear. Throughout, only use acronyms if you’re confident that someone who has just been woken up at 3am would understand them. -->
@@ -74,3 +74,5 @@ Modernisation Platform
 ### **How to resolve specific issues:**
 
 <!-- Describe the steps someone might take to resolve a specific issue or incident, often for use when on call. This may be a large amount of information, so may need to be split out into multiple pages, or link to other documents.-->
+
+

terraform/environments/tribunals/application_variables.json

@@ -1,16 +1,102 @@
 {
   "accounts": {
     "development": {
-      "example_var": "dev-data"
+      "allocated_storage": "20",
+      "storage_type": "gp2",
+      "db_identifier": "tribunals-db-dev",
+      "engine": "sqlserver-se",
+      "engine_version": "15.00.4198.2.v1",
+      "instance_class": "db.m5.large",
+      "username": "admin",
+      "dms_source_db": "ec2-34-243-192-28.eu-west-1.compute.amazonaws.com",
+      "curserver": "DEVELOPMENT",
+      "support_team": "DTS Legacy Apps Support Team",
+      "support_email": "[email protected]",
+      "server_port_1": "80",
+      "lb_listener_protocol_1": "HTTP",
+      "server_port_2": "443",
+      "lb_listener_protocol_2": "HTTPS",
+      "server_port_3": "22",
+      "lb_listener_protocol_3": "TCP",
+      "ami_image_id": "ami-0d20b6fc5007adcb3",
+      "task_definition_volume": "tribunals",
+      "server_port": 8080,
+      "app_count": 1,
+      "appscaling_min_capacity": 1,
+      "appscaling_max_capacity": 2,
+      "ec2_scaling_cpu_threshold": 75,
+      "ec2_scaling_mem_threshold": 61,
+      "ecs_scaling_cpu_threshold": 80,
+      "ecs_scaling_mem_threshold": 80
     },
     "test": {
       "example_var": "test-data"
     },
     "preproduction": {
-      "example_var": "preproduction-data"
+      "allocated_storage": "20",
+      "storage_type": "gp2",
+      "db_identifier": "tribunals-db-preprod",
+      "engine": "sqlserver-se",
+      "engine_version": "15.00.4198.2.v1",
+      "instance_class": "db.m5.large",
+      "username": "admin",
+      "dms_source_db": "ec2-34-243-192-28.eu-west-1.compute.amazonaws.com",
+      "curserver": "PREPRODUCTION",
+      "support_team": "DTS Legacy Apps Support Team",
+      "support_email": "[email protected]",
+      "server_port_1": "80",
+      "lb_listener_protocol_1": "HTTP",
+      "server_port_2": "443",
+      "lb_listener_protocol_2": "HTTPS",
+      "server_port_3": "22",
+      "lb_listener_protocol_3": "TCP",
+      "ami_image_id": "ami-0d20b6fc5007adcb3",
+      "task_definition_volume": "tribunals",
+      "server_port": 8080,
+      "app_count": 1,
+      "appscaling_min_capacity": 1,
+      "appscaling_max_capacity": 6,
+      "ecs_scaling_cpu_threshold": 80,
+      "ecs_scaling_mem_threshold": 80
     },
     "production": {
-      "example_var": "production-data"
+      "allocated_storage": "20",
+      "storage_type": "gp2",
+      "db_identifier": "tribunals-db-prod",
+      "engine": "sqlserver-se",
+      "engine_version": "15.00.4198.2.v1",
+      "instance_class": "db.m5.large",
+      "username": "admin",
+      "dms_source_db": "ec2-34-243-192-28.eu-west-1.compute.amazonaws.com",
+      "curserver": "PRODUCTION",
+      "support_team": "DTS Legacy Apps Support Team",
+      "support_email": "[email protected]",
+      "server_port_1": "80",
+      "lb_listener_protocol_1": "HTTP",
+      "server_port_2": "443",
+      "lb_listener_protocol_2": "HTTPS",
+      "server_port_3": "22",
+      "lb_listener_protocol_3": "TCP",
+      "ami_image_id": "ami-0d233dc36193b1c63",
+      "task_definition_volume": "tribunals",
+      "server_port": 8080,
+      "app_count": 2,
+      "appscaling_min_capacity": 2,
+      "appscaling_max_capacity": 6,
+      "ecs_scaling_cpu_threshold": 80,
+      "ecs_scaling_mem_threshold": 80
+    }
+  },
+  "ec2_sg_rules": {
+    "TCP_80": {
+      "from_port": 80,
+      "to_port": 80,
+      "protocol": "TCP"
+    },
+    "TCP_443": {
+      "from_port": 443,
+      "to_port": 443,
+      "protocol": "TCP"
     }
   }
 }

terraform/environments/tribunals/asg-shared.tf

@@ -0,0 +1,263 @@
+locals {
+  app_name                  = "tribunals-shared"
+  instance_role_name        = join("-", [local.app_name, "ec2-instance-role"])
+  instance_profile_name     = join("-", [local.app_name, "ec2-instance-profile"])
+  ec2_instance_policy       = join("-", [local.app_name, "ec2-instance-policy"])
+  tags_common               = local.tags
+}
+
+# Create an IAM policy for the custom permissions required by the EC2 hosting instance
+resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
+  name = local.ec2_instance_policy
+  tags = merge(
+  local.tags_common,
+  {
+    Name = local.ec2_instance_policy
+  }
+  )
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DetachVolume",
+                "ec2:AttachVolume",
+                "ec2:DescribeVolumes",
+                "ec2:DescribeTags",
+                "ec2:DescribeInstances",
+                "ecs:CreateCluster",
+                "ecs:DeregisterContainerInstance",
+                "ecs:DiscoverPollEndpoint",
+                "ecs:Poll",
+                "ecs:RegisterContainerInstance",
+                "ecs:StartTelemetrySession",
+                "ecs:UpdateContainerInstancesState",
+                "ecs:Submit*",
+                "ecs:TagResource",
+                "ecr:*",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents",
+                "logs:CreateLogGroup",
+                "logs:DescribeLogStreams",
+                "s3:ListBucket",
+                "s3:*Object*",
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:GenerateDataKey",
+                "kms:ReEncrypt",
+                "kms:GenerateDataKey",
+                "kms:DescribeKey",
+                "xray:*"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "ecs:TagResource",
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "ecs:CreateAction": [
+                        "CreateCluster",
+                        "RegisterContainerInstance"
+                    ]
+                }
+            }
+        }
+    ]
+}
+EOF
+}
+
+# Create the IAM role to which the custom and predefined policies will be attached
+# The role will be added to the ec2 instance profile which is added to the launch template
+resource "aws_iam_role" "ec2_instance_role" {
+  name = local.instance_role_name
+  tags = merge(
+  local.tags,
+  {
+    Name = local.instance_role_name
+  }
+  )
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "ec2_s3_access" {
+  name   = "ec2-s3-access-policy"
+  role   = aws_iam_role.ec2_instance_role.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:DeleteObject",
+          "s3:ListBucket"
+        ],
+        Resource = [
+          "${aws_s3_bucket.ebs_backup.arn}",
+          "${aws_s3_bucket.ebs_backup.arn}/*"
+        ]
+      }
+    ]
+  })
+}
+
+# Attach the custom policy and predefined policies to the role
+resource "aws_iam_role_policy_attachment" "ec2_policy_instance_policy" {
+  role       = aws_iam_role.ec2_instance_role.name
+  policy_arn = aws_iam_policy.ec2_instance_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_policy_ssm_core" {
+  role       = aws_iam_role.ec2_instance_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_policy_cloudwatch" {
+  role       = aws_iam_role.ec2_instance_role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
+
+# Create the Instance profile for the role
+resource "aws_iam_instance_profile" "ec2_instance_profile" {
+  name = local.instance_profile_name
+  role = aws_iam_role.ec2_instance_role.name
+  tags = merge(
+  local.tags_common,
+  {
+    Name = local.instance_profile_name
+  }
+  )
+}
+
+# Create the Launch Template and assign the instance profile
+resource "aws_launch_template" "tribunals-all-lt" {
+  name_prefix   = "tribunals-all"
+  image_id      = "ami-0b145c21f0f71b68c"
+  instance_type = "m5.4xlarge"
+  update_default_version = true
+
+  iam_instance_profile {
+    name = aws_iam_instance_profile.ec2_instance_profile.name
+  }
+
+  block_device_mappings {
+    device_name = "/dev/sda1"
+
+    ebs {
+      volume_size = 80
+      volume_type = "gp2"
+    }
+  }
+  ebs_optimized = true
+
+  network_interfaces {
+    device_index                = 0
+    security_groups             = [aws_security_group.cluster_ec2.id]
+    subnet_id                   = data.aws_subnet.public_subnets_a.id
+    delete_on_termination       = true
+    associate_public_ip_address = true
+  }
+
+  user_data = filebase64("ec2-shared-user-data.sh")
+}
+
+# Finally, create the Auto scaling group for the launch template
+resource "aws_autoscaling_group" "tribunals-all-asg" {
+  vpc_zone_identifier = [data.aws_subnet.public_subnets_a.id]
+  desired_capacity   = 1
+  max_size           = 1
+  min_size           = 1
+  name               = local.app_name
+
+  launch_template {
+    id      = "${aws_launch_template.tribunals-all-lt.id}"
+    version = "$Latest"
+  }
+}
+
+###########################################################################
+
+
+# EC2 Security Group
+# Controls access to the EC2 instances
+
+resource "aws_security_group" "cluster_ec2" {
+  #checkov:skip=CKV_AWS_23
+  name        = "tribunals-cluster-ec2-security-group"
+  description = "controls access to the cluster ec2 instance"
+  vpc_id      = data.aws_vpc.shared.id
+
+  ingress {
+    description = "Cluster EC2 ingress rule"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    security_groups = [
+      module.appeals.tribunals_lb_sc_id,
+      module.ahmlr.tribunals_lb_sc_id,
+      module.care_standards.tribunals_lb_sc_id,
+      module.cicap.tribunals_lb_sc_id,
+      module.employment_appeals.tribunals_lb_sc_id,
+      module.finance_and_tax.tribunals_lb_sc_id,
+      module.immigration_services.tribunals_lb_sc_id,
+      module.information_tribunal.tribunals_lb_sc_id,
+      module.lands_tribunal.tribunals_lb_sc_id,
+      module.transport.tribunals_lb_sc_id,
+      module.charity_tribunal_decisions.tribunals_lb_sc_id, module.charity_tribunal_decisions.tribunals_lb_sc_id_sftp,
+      module.claims_management_decisions.tribunals_lb_sc_id, module.claims_management_decisions.tribunals_lb_sc_id_sftp,
+      module.consumer_credit_appeals.tribunals_lb_sc_id, module.consumer_credit_appeals.tribunals_lb_sc_id_sftp,
+      module.estate_agent_appeals.tribunals_lb_sc_id, module.estate_agent_appeals.tribunals_lb_sc_id_sftp,
+      module.primary_health_lists.tribunals_lb_sc_id, module.primary_health_lists.tribunals_lb_sc_id_sftp,
+      module.siac.tribunals_lb_sc_id, module.siac.tribunals_lb_sc_id_sftp,
+      module.sscs_venue_pages.tribunals_lb_sc_id, module.sscs_venue_pages.tribunals_lb_sc_id_sftp,
+      module.tax_chancery_decisions.tribunals_lb_sc_id, module.tax_chancery_decisions.tribunals_lb_sc_id_sftp,
+      module.tax_tribunal_decisions.tribunals_lb_sc_id, module.tax_tribunal_decisions.tribunals_lb_sc_id_sftp,
+      module.ftp-admin-appeals.tribunals_lb_sc_id, module.ftp-admin-appeals.tribunals_lb_sc_id_sftp
+    ]
+  }
+
+  ingress {
+    protocol    = "tcp"
+    description = "Allow traffic from bastion"
+    from_port   = 0
+    to_port     = 0
+    security_groups = [
+      module.bastion_linux.bastion_security_group
+    ]
+  }
+
+  egress {
+    description = "Cluster EC2 loadbalancer egress rule"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  } 
+
+  tags = merge(
+    local.tags_common,
+    {
+      Name = "tribunals-cluster-ec2-security-group"
+    }
+  )
+}