ministryofjustice · pbasumatary · May 28, 2024 · May 28, 2024
@@ -13,6 +13,7 @@ locals {
     legacy_engineering_vpc_cidr            = "10.161.98.0/25"
     ec2_user_ssh_key                       = file("${path.module}/files/.ssh/${terraform.workspace}/ec2-user.pub")
     homepage_path                          = "/"
+    has_mis_environment                    = true
   }
 
   ldap_config_dev = {

@@ -13,6 +13,7 @@ locals {
     legacy_engineering_vpc_cidr            = "10.161.98.0/25"
     ec2_user_ssh_key                       = file("${path.module}/files/.ssh/${terraform.workspace}/ec2-user.pub")
     homepage_path                          = "/"
+    has_mis_environment                    = false
   }
 
   ldap_config_test = {
@@ -34,7 +35,7 @@ locals {
     instance_policies = {
       "business_unit_kms_key_access" = aws_iam_policy.business_unit_kms_key_access
     }
-    standby_count  = 0
+    standby_count = 0
     ebs_volumes = {
       "/dev/sdb" = { label = "app", size = 200 } # /u01
       "/dev/sdc" = { label = "app", size = 100 } # /u02

@@ -151,17 +151,16 @@ data "aws_iam_policy_document" "db_access_to_secrets_manager" {
     ]
     effect = "Allow"
     resources = [
-      aws_secretsmanager_secret.delius_core_dba_passwords.arn,
-      aws_secretsmanager_secret.delius_core_application_passwords.arn
+      aws_secretsmanager_secret.delius_core_dba_passwords.arn
     ]
   }
 }
 
 data "aws_iam_policy_document" "allow_access_to_delius_application_passwords" {
   statement {
-    sid = "DbAccessToDeliusSecretsManager"
+    sid     = "DbAccessToDeliusSecretsManager"
     actions = ["secretsmanager:GetSecretValue"]
-    effect = "Allow"
+    effect  = "Allow"
     resources = [
       "arn:aws:secretsmanager:*:${local.delius_account_id}:secret:delius-core-${var.env_name}-oracle-db-application-passwords-*"
     ]
@@ -171,7 +170,7 @@ data "aws_iam_policy_document" "allow_access_to_delius_application_passwords" {
 data "aws_iam_policy_document" "combined_policy_documents" {
   source_policy_documents = flatten([
     data.aws_iam_policy_document.db_access_to_secrets_manager.json,
-    var.db_suffix == "mis-db" ? [data.aws_iam_policy_document.allow_access_to_delius_application_passwords.json] : []])
+  var.db_suffix == "mis-db" ? [data.aws_iam_policy_document.allow_access_to_delius_application_passwords.json] : []])
 }
 
 resource "aws_iam_policy" "db_access_to_secrets_manager" {

@@ -32,39 +32,3 @@ resource "aws_secretsmanager_secret_version" "delius_core_dba_passwords" {
     ]
   }
 }
-
-resource "aws_secretsmanager_secret" "delius_core_application_passwords" {
-  name        = local.application_secret_name
-  description = "Application Users Credentials"
-  kms_key_id  = var.account_config.kms_keys.general_shared
-  tags        = var.tags
-}
-
-data "aws_iam_policy_document" "delius_core_application_passwords" {
-  statement {
-    sid    = "MisAWSAccountToReadTheSecret"
-    effect = "Allow"
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${local.mis_account_id}:role/instance-role-delius-mis-${var.env_name}-mis-db-1"]
-    }
-    actions   = ["secretsmanager:GetSecretValue"]
-    resources = [aws_secretsmanager_secret.delius_core_application_passwords.arn]
-  }
-}
-
-resource "aws_secretsmanager_secret_policy" "delius_core_application_passwords" {
-  count      = var.account_info.application_name == "delius-core" ? 1 : 0
-  secret_arn = aws_secretsmanager_secret.delius_core_application_passwords.arn
-  policy     = data.aws_iam_policy_document.delius_core_application_passwords.json
-}
-
-resource "aws_secretsmanager_secret_version" "delius_core_application_passwords" {
-  secret_id     = aws_secretsmanager_secret.delius_core_application_passwords.id
-  secret_string = "REPLACE"
-  lifecycle {
-    ignore_changes = [
-      secret_string
-    ]
-  }
-}
@@ -104,7 +104,7 @@ module "oracle_db_standby" {
   environment_config = var.environment_config
   subnet_id          = var.account_config.ordered_private_subnet_ids[(count.index + length(module.oracle_db_primary)) % 3]
   availability_zone  = "eu-west-2${lookup(local.availability_zone_map, (count.index + length(module.oracle_db_primary)) % 3, "a")}"
-  tags = merge(local.tags, { "Patch Group" = "oracle_db_patchgroup" })
+  tags               = merge(local.tags, { "Patch Group" = "oracle_db_patchgroup" })
   user_data = templatefile(
     "${path.module}/templates/userdata.sh.tftpl",
     var.db_config.ansible_user_data_config
@@ -120,3 +120,65 @@ module "oracle_db_standby" {
     aws.core-vpc = aws.core-vpc
   }
 }
+
+resource "aws_secretsmanager_secret" "delius_core_application_passwords_secret" {
+  count = local.has_mis_environment ? 1 : 0
+
+  name        = local.application_secret_name
+  description = "Application Users Credentials"
+  kms_key_id  = var.account_config.kms_keys.general_shared
+  tags        = var.tags
+}
+
+data "aws_iam_policy_document" "delius_core_application_passwords_policy_doc" {
+
+  count = local.has_mis_environment ? 1 : 0
+  statement {
+    sid    = "MisAWSAccountToReadTheSecret"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.mis_account_id}:role/instance-role-delius-mis-${var.env_name}-mis-db-1"]
+    }
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = [aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn]
+  }
+}
+
+resource "aws_secretsmanager_secret_policy" "delius_core_application_passwords_pol" {
+  count = local.has_mis_environment ? 1 : 0
+
+  secret_arn = aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn
+  policy     = data.aws_iam_policy_document.delius_core_application_passwords_policy_doc[count.index].json
+}
+
+resource "aws_secretsmanager_secret_version" "delius_core_application_passwords" {
+  count = local.has_mis_environment ? 1 : 0
+
+  secret_id     = aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].id
+  secret_string = "REPLACE"
+  lifecycle {
+    ignore_changes = [
+      secret_string
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "db_access_to_secrets_manager" {
+  count = local.has_mis_environment ? 1 : 0
+  statement {
+    sid = "DbAccessToSecretsManager"
+    actions = [
+      "secretsmanager:Describe*",
+      "secretsmanager:Get*",
+      "secretsmanager:ListSecret*",
+      "secretsmanager:Put*",
+      "secretsmanager:RestoreSecret",
+      "secretsmanager:Update*"
+    ]
+    effect = "Allow"
+    resources = [
+      aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn
+    ]
+  }
+}
@@ -37,4 +37,10 @@ locals {
     "217.138.45.110/32", # Unilink AOVPN
   ]
   all_ingress_ips = concat(local.globalprotect_ips, local.unilink_ips)
+
+  secret_prefix           = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}"
+  application_secret_name = "${local.secret_prefix}-application-passwords"
+  mis_account_id          = var.platform_vars.environment_management.account_ids[join("-", ["delius-mis", var.account_info.mp_environment])]
+
+  has_mis_environment = lookup(var.environment_config, "has_mis_environment", false)
 }
@@ -106,3 +106,9 @@ variable "enable_platform_backups" {
   type        = bool
   default     = null
 }
+
+variable "db_suffix" {
+  description = "identifier to append to name e.g. dsd, boe"
+  type        = string
+  default     = "db"
+}