diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json
index e787aeafec0..6d5b6629295 100644
--- a/terraform/environments/cdpt-ifs/application_variables.json
+++ b/terraform/environments/cdpt-ifs/application_variables.json
@@ -4,7 +4,7 @@
 "environment_name": "development",
 "container_port": 80,
 "client_id": "7ee6af8d-ea3c-4349-8765-644f2a1edf3b",
- "ami_image_id": "ami-0bb2bf9a00240bf36",
+ "ami_image_id": "ami-084d79c0ad854f80b",
 "instance_type": "t3.xlarge",
 "app_count": 1,
 "ec2_desired_capacity": 1,
diff --git a/terraform/environments/cdpt-ifs/database.tf b/terraform/environments/cdpt-ifs/database.tf
index 8a9b1b47eff..3d2c8810a22 100644
--- a/terraform/environments/cdpt-ifs/database.tf
+++ b/terraform/environments/cdpt-ifs/database.tf
@@ -10,7 +10,7 @@ resource "aws_db_instance" "database" {
 instance_class = local.application_data.accounts[local.environment].db_instance_class
 identifier = local.application_data.accounts[local.environment].db_instance_identifier
 username = local.application_data.accounts[local.environment].db_user
- password = aws_secretsmanager_secret_version.db_password.secret_string
+ password = aws_secretsmanager_secret_version.dbase_password.secret_string
 vpc_security_group_ids = [aws_security_group.db.id]
 depends_on = [aws_security_group.db]
 snapshot_identifier = local.application_data.accounts[local.environment].db_snapshot_identifier
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
index 252da8342ea..d2f4bc1d90c 100644
--- a/terraform/environments/cdpt-ifs/ecs.tf
+++ b/terraform/environments/cdpt-ifs/ecs.tf
@@ -133,7 +133,7 @@ resource "aws_ecs_task_definition" "ifs_task_definition" {
 secrets = [
 {
 name : "RDS_PASSWORD",
- valueFrom : aws_secretsmanager_secret_version.db_password.arn
+ valueFrom : aws_secretsmanager_secret_version.dbase_password.arn
 }
 ],
 }
diff --git a/terraform/environments/cdpt-ifs/secrets.tf b/terraform/environments/cdpt-ifs/secrets.tf
index 0e22ff06e85..f49bdec9fe6 100644
--- a/terraform/environments/cdpt-ifs/secrets.tf
+++ b/terraform/environments/cdpt-ifs/secrets.tf
@@ -1,5 +1,5 @@
-resource "aws_secretsmanager_secret" "db_password" {
- name = "database_password"
+resource "aws_secretsmanager_secret" "dbase_password" {
+ name = "dbase_password"
 }
 resource "random_password" "password_long" {
@@ -7,7 +7,7 @@ resource "random_password" "password_long" {
 special = false
 }
-resource "aws_secretsmanager_secret_version" "db_password" {
- secret_id = aws_secretsmanager_secret.db_password.id
+resource "aws_secretsmanager_secret_version" "dbase_password" {
+ secret_id = aws_secretsmanager_secret.dbase_password.id
 secret_string = random_password.password_long.result
 }
diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf
index b9712fdb457..7f47f581d43 100644
--- a/terraform/environments/delius-core/locals_development.tf
+++ b/terraform/environments/delius-core/locals_development.tf
@@ -104,7 +104,7 @@ locals {
 rds_engine_version = "15"
 rds_instance_class = "db.t3.small"
 rds_allocated_storage = 30
- rds_username = "postgres"
+ rds_username = "dbadmin"
 rds_port = 5432
 rds_license_model = "postgresql-license"
 rds_deletion_protection = false
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf
index 8ff1ffec7c0..ccb6f05178c 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf
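Review bot: The `name` change from `database_password` to `dbase_password` forces replacement of the Secrets Manager secret, so the plan destroys the old secret (which then sits in its deletion recovery window, 30 days unless `recovery_window_in_days` is set) and creates a new one with a new ARN; a Terraform address rename on its own would not do that. If only the address was meant to change, keep `name = "database_password"` and add a `moved` block with `from = aws_secretsmanager_secret.db_password` and `to = aws_secretsmanager_secret.dbase_password` (plus the equivalent for the `aws_secretsmanager_secret_version`), which keeps the existing secret and ARN. If replacement is intended, the stored value does not change because `random_password.password_long` is untouched, and the `database.tf` and `ecs.tf` hunks already follow the new address, so a one-line comment on the resource saying why the secret was recreated is all that is missing.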
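Review bot: `rds_username = "dbadmin"` is not an in-place change if this local ends up as the `username` of an `aws_db_instance`, which the provider treats as forcing a new resource; the consumer is outside this hunk, so check that the development plan shows an update rather than a replace before applying. If replacement is acceptable, data and in-database grants owned by the old master user have to be migrated separately, and any client configuration or secret that still holds `postgres` as the user name needs the same update. A comment on the line, e.g. `# changing the master username replaces the RDS instance`, would stop the next edit from being treated as a trivial rename.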
@@ -138,6 +138,8 @@ resource "aws_iam_policy" "ec2_access_for_ansible" {
 # policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 #}
+# Policy document for both Oracle database DBA and application secrets
+
 data "aws_iam_policy_document" "db_access_to_secrets_manager" {
 statement {
 sid = "DbAccessToSecretsManager"
@@ -151,41 +153,20 @@ data "aws_iam_policy_document" "db_access_to_secrets_manager" {
 ]
 effect = "Allow"
 resources = [
- aws_secretsmanager_secret.delius_core_dba_passwords.arn
- ]
- }
-}
-
-data "aws_iam_policy_document" "allow_access_to_delius_application_passwords" {
- statement {
- sid = "DbAccessToDeliusSecretsManager"
- actions = ["secretsmanager:GetSecretValue"]
- effect = "Allow"
- resources = [
- "arn:aws:secretsmanager:*:${local.delius_account_id}:secret:delius-core-${var.env_name}-oracle-db-application-passwords*"
+ aws_secretsmanager_secret.delius_core_dba_passwords.arn,
+ aws_secretsmanager_secret.delius_core_application_passwords.arn,
 ]
 }
 }
-data "aws_iam_policy_document" "combined_policy_documents" {
- source_policy_documents = flatten([
- data.aws_iam_policy_document.db_access_to_secrets_manager.json,
- data.aws_iam_policy_document.allow_access_to_delius_application_passwords.json
- ])
-}
+# Policy to allow access to both Oracle database DBA and application secrets
 resource "aws_iam_policy" "db_access_to_secrets_manager" {
 name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-secrets-manager-access"
- policy = data.aws_iam_policy_document.combined_policy_documents.json
+ policy = data.aws_iam_policy_document.db_access_to_secrets_manager.json
 }
-#resource "aws_iam_role_policy_attachment" "db_access_to_secrets_manager" {
-# role = aws_iam_role.db_ec2_instance_iam_role.name
-# policy_arn = aws_iam_policy.db_access_to_secrets_manager.arn
-#}
-
-
 data "aws_iam_policy_document" "instance_ssm" {
 statement {
 sid = "SSMManagedSSM"
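Review bot: Folding `aws_secretsmanager_secret.delius_core_application_passwords.arn` into the `DbAccessToSecretsManager` statement grants the application-passwords secret every action that statement lists (the `actions` list sits between the two hunks, outside what is shown), whereas the removed `allow_access_to_delius_application_passwords` statement granted only `secretsmanager:GetSecretValue` on it. The deleted copy of the same statement in `delius_environment/database.tf` lists `Put*`, `Update*` and `RestoreSecret`, so if this one matches, database hosts go from reading the application passwords to being able to overwrite or restore them. If write access is intended, say so in the new `# Policy document for both ...` comment; otherwise keep a separate read-only statement for the application secret, as below.
```hcl
data "aws_iam_policy_document" "db_access_to_secrets_manager" {
  # … unchanged: DbAccessToSecretsManager statement, with resources scoped back to the DBA secret only …
  statement {
    sid       = "DbReadDeliusApplicationPasswords"
    actions   = ["secretsmanager:GetSecretValue"]
    effect    = "Allow"
    resources = [aws_secretsmanager_secret.delius_core_application_passwords.arn]
  }
}
```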
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf
index 6382a4553d9..5b3ff89e8ca 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf
@@ -17,6 +17,8 @@ locals {
 delius_account_id = var.platform_vars.environment_management.account_ids[join("-", ["delius-core", var.account_info.mp_environment])]
+ has_mis_environment = lookup(var.environment_config, "has_mis_environment", false)
+
 oracle_statistics_map = {
 "dev" = {
 # "target_account_id" = var.platform_vars.environment_management.account_ids["delius-core-test"]
@@ -65,5 +67,4 @@ locals {
 oracle_backup_bucket_prefix = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-backups"
-
 }
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf
index 62f00a64776..0f3c8087c7d 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf
@@ -1,3 +1,5 @@
+# Oracle Database DBA Secret
+
 resource "aws_secretsmanager_secret" "delius_core_dba_passwords" {
 name = local.dba_secret_name
 description = "DBA Users Credentials"
@@ -22,3 +24,34 @@ resource "aws_secretsmanager_secret_policy" "delius_core_dba_passwords" {
 secret_arn = aws_secretsmanager_secret.delius_core_dba_passwords.arn
 policy = data.aws_iam_policy_document.delius_core_dba_passwords.json
 }
+
+# Oracle Database Application Secret
+
+resource "aws_secretsmanager_secret" "delius_core_application_passwords" {
+ name = local.application_secret_name
+ description = "Application Users Credentials"
+ kms_key_id = var.account_config.kms_keys.general_shared
+ tags = var.tags
+}
+
+# Allow Access To Delius Core Application Secret From MIS Primary EC2 Instance Role
+
+data "aws_iam_policy_document" "delius_core_application_passwords" {
+ count = local.has_mis_environment && var.account_info.application_name == "delius-core" ? 1 : 0
+ statement {
+ sid = "MisAWSAccountToReadTheSecret"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${local.mis_account_id}:role/instance-role-delius-mis-${var.env_name}-mis-db-1"]
+ }
+ actions = ["secretsmanager:GetSecretValue"]
+ resources = [aws_secretsmanager_secret.delius_core_application_passwords.arn]
+ }
+}
+
+resource "aws_secretsmanager_secret_policy" "delius_core_application_passwords" {
+ count = local.has_mis_environment && var.account_info.application_name == "delius-core" ? 1 : 0
+ secret_arn = aws_secretsmanager_secret.delius_core_application_passwords.arn
+ policy = data.aws_iam_policy_document.delius_core_application_passwords[count.index].json
+}
\ No newline at end of file
diff --git a/terraform/environments/delius-core/modules/delius_environment/database.tf b/terraform/environments/delius-core/modules/delius_environment/database.tf
index 2a76911ba9e..a7920b13e52 100644
--- a/terraform/environments/delius-core/modules/delius_environment/database.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/database.tf
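Review bot: The new blocks reference `local.application_secret_name` and `local.mis_account_id`, but the `oracle_db_shared/locals.tf` hunk in this commit only adds `has_mis_environment`; both names were defined in `delius_environment/locals.tf`, a different module, so unless they already exist in `oracle_db_shared` this will not pass `terraform validate`. The cross-account statement itself is tightly scoped (a single role ARN, `secretsmanager:GetSecretValue`, a single secret ARN), which is the right shape. The `aws_secretsmanager_secret` has no `count`, so it is created in every environment even when no MIS environment exists; that is consistent with the unconditional reference from `iam.tf`, but a sentence under `# Oracle Database Application Secret` saying so would save the next reader from adding a guard that breaks the policy. The file also loses its trailing newline.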
@@ -122,54 +122,4 @@ module "oracle_db_standby" {
 providers = {
 aws.core-vpc = aws.core-vpc
 }
-}
-
-resource "aws_secretsmanager_secret" "delius_core_application_passwords_secret" {
- count = local.has_mis_environment ? 1 : 0
-
- name = local.application_secret_name
- description = "Application Users Credentials"
- kms_key_id = var.account_config.kms_keys.general_shared
- tags = var.tags
-}
-
-data "aws_iam_policy_document" "delius_core_application_passwords_policy_doc" {
-
- count = local.has_mis_environment ? 1 : 0
- statement {
- sid = "MisAWSAccountToReadTheSecret"
- effect = "Allow"
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${local.mis_account_id}:role/instance-role-delius-mis-${var.env_name}-mis-db-1"]
- }
- actions = ["secretsmanager:GetSecretValue"]
- resources = [aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn]
- }
-}
-
-resource "aws_secretsmanager_secret_policy" "delius_core_application_passwords_pol" {
- count = local.has_mis_environment ? 1 : 0
-
- secret_arn = aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn
- policy = data.aws_iam_policy_document.delius_core_application_passwords_policy_doc[count.index].json
-}
-
-data "aws_iam_policy_document" "db_access_to_secrets_manager" {
- count = local.has_mis_environment ? 1 : 0
- statement {
- sid = "DbAccessToSecretsManager"
- actions = [
- "secretsmanager:Describe*",
- "secretsmanager:Get*",
- "secretsmanager:ListSecret*",
- "secretsmanager:Put*",
- "secretsmanager:RestoreSecret",
- "secretsmanager:Update*"
- ]
- effect = "Allow"
- resources = [
- aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn
- ]
- }
-}
+}
\ No newline at end of file
diff --git a/terraform/environments/delius-core/modules/delius_environment/gdpr_api_service.tf b/terraform/environments/delius-core/modules/delius_environment/gdpr_api_service.tf
index c11877c12e3..5871d6019d2 100644
--- a/terraform/environments/delius-core/modules/delius_environment/gdpr_api_service.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/gdpr_api_service.tf
@@ -46,7 +46,7 @@ module "gdpr_api_service" {
 rds_backup_retention_period = var.delius_microservice_configs.gdpr_api.rds_backup_retention_period
 rds_backup_window = var.delius_microservice_configs.gdpr_api.rds_backup_window
 rds_deletion_protection = var.delius_microservice_configs.gdpr_api.rds_deletion_protection
- snapshot_identifier = var.delius_microservice_configs.gdpr_api.snapshot_identifier
+ snapshot_identifier = data.aws_ssm_parameter.gdpr_api_snapshot_identifier.value
 rds_skip_final_snapshot = var.delius_microservice_configs.gdpr_api.rds_skip_final_snapshot
 container_vars_default = {
@@ -80,3 +80,20 @@ module "gdpr_api_service" {
 frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix
 enable_platform_backups = var.enable_platform_backups
 }
+
+#######################
+# GDPR API Params #
+#######################
+
+resource "aws_ssm_parameter" "gpdr_api_snapshot_identifier" {
+ name = "/delius-core-${var.env_name}/gdpr-api/snapshot_id"
+ type = "String"
+ value = "DEFAULT"
+ lifecycle {
+ ignore_changes = [value]
+ }
+}
+
+data "aws_ssm_parameter" "gdpr_api_snapshot_identifier" {
+ name = aws_ssm_parameter.gpdr_api_snapshot_identifier.name
+}
\ No newline at end of file
diff --git a/terraform/environments/delius-core/modules/delius_environment/locals.tf b/terraform/environments/delius-core/modules/delius_environment/locals.tf
index 0ee1201ea5e..c87dda0fae1 100644
--- a/terraform/environments/delius-core/modules/delius_environment/locals.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/locals.tf
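Review bot: The SSM parameter is created with `value = "DEFAULT"` and that string is passed straight into `snapshot_identifier`, so a fresh environment hands the module the literal snapshot identifier `DEFAULT` unless the module already treats that value as "no snapshot"; if it does not, guard it at the call site with `snapshot_identifier = data.aws_ssm_parameter.gdpr_api_snapshot_identifier.value == "DEFAULT" ? null : data.aws_ssm_parameter.gdpr_api_snapshot_identifier.value`. The resource is named `gpdr_api_snapshot_identifier` while the data source and the rest of the file say `gdpr`; harmless today, but it will trip up a future `terraform state` lookup, so rename it before it is in state. With `ignore_changes = [value]`, the snapshot the service database is presumably restored from is now chosen by whoever can write `/delius-core-${var.env_name}/gdpr-api/snapshot_id`, so `ssm:PutParameter` on that path deserves the same review as a change to this file. The `module "gdpr_api_service"` block starts above the first hunk, and the `merge_api_service.tf` hunks have the same `DEFAULT` handling.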
@@ -42,5 +42,4 @@ locals {
 application_secret_name = "${local.secret_prefix}-application-passwords"
 mis_account_id = var.platform_vars.environment_management.account_ids[join("-", ["delius-mis", var.account_info.mp_environment])]
- has_mis_environment = lookup(var.environment_config, "has_mis_environment", false)
 }
diff --git a/terraform/environments/delius-core/modules/delius_environment/merge_api_service.tf b/terraform/environments/delius-core/modules/delius_environment/merge_api_service.tf
index be24e3e9fac..fe80a83eff5 100644
--- a/terraform/environments/delius-core/modules/delius_environment/merge_api_service.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/merge_api_service.tf
@@ -36,7 +36,7 @@ module "merge_api_service" {
 rds_username = var.delius_microservice_configs.merge_api.rds_username
 rds_license_model = var.delius_microservice_configs.merge_api.rds_license_model
 rds_deletion_protection = var.delius_microservice_configs.merge_api.rds_deletion_protection
- snapshot_identifier = var.delius_microservice_configs.merge_api.snapshot_identifier
+ snapshot_identifier = data.aws_ssm_parameter.merge_api_snapshot_identifier.value
 rds_skip_final_snapshot = var.delius_microservice_configs.merge_api.rds_skip_final_snapshot
 maintenance_window = var.delius_microservice_configs.merge_api.maintenance_window
 rds_backup_retention_period = var.delius_microservice_configs.merge_api.rds_backup_retention_period
@@ -79,3 +79,20 @@ module "merge_api_service" {
 frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix
 enable_platform_backups = var.enable_platform_backups
 }
+
+#######################
+# Merge API Params #
+#######################
+
+resource "aws_ssm_parameter" "merge_api_snapshot_identifier" {
+ name = "/delius-core-${var.env_name}/merge-api/snapshot_id"
+ type = "String"
+ value = "DEFAULT"
+ lifecycle {
+ ignore_changes = [value]
+ }
+}
+
+data "aws_ssm_parameter" "merge_api_snapshot_identifier" {
+ name = aws_ssm_parameter.merge_api_snapshot_identifier.name
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/data.tf b/terraform/environments/digital-prison-reporting/data.tf
index 0dbde46d914..89d824dc2eb 100644
--- a/terraform/environments/digital-prison-reporting/data.tf
+++ b/terraform/environments/digital-prison-reporting/data.tf
@@ -29,6 +29,21 @@ data "aws_secretsmanager_secret_version" "datamart" {
 depends_on = [aws_secretsmanager_secret.redshift]
 }
+# Operational DataStore Secrets for use in DataHub
+data "aws_secretsmanager_secret" "operational_datastore" {
+ count = (local.environment == "development" ? 1 : 0)
+ name = aws_secretsmanager_secret.operational_datastore[0].id
+
+ depends_on = [aws_secretsmanager_secret_version.operational_datastore[0]]
+}
+
+data "aws_secretsmanager_secret_version" "operational_datastore" {
+ count = (local.environment == "development" ? 1 : 0)
+ secret_id = data.aws_secretsmanager_secret.operational_datastore[0].id
+
+ depends_on = [aws_secretsmanager_secret.operational_datastore[0]]
+}
+
 # AWS _IAM_ Policy
 data "aws_iam_policy" "rds_full_access" {
diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf
index d8aa3ac5dca..2b1ccee2145 100644
--- a/terraform/environments/digital-prison-reporting/locals.tf
+++ b/terraform/environments/digital-prison-reporting/locals.tf
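Review bot: `data "aws_secretsmanager_secret_version" "operational_datastore"` fetches the secret's current value into Terraform state and plan output on every run, and nothing in this commit consumes it — the Glue connection in `operational_datastore.tf` only uses `data.aws_secretsmanager_secret.operational_datastore[0].name`. Once the placeholder is replaced out of band, which the `ignore_changes = [secret_string]` in `secrets.tf` anticipates, the live Operational Datastore credentials will be read into state, so drop this data source until a consumer exists, or name the consumer in the `# Operational DataStore Secrets for use in DataHub` comment. The `aws_secretsmanager_secret` data source is also redundant: the resource lives in the same root module, so `aws_secretsmanager_secret.operational_datastore[0].name` can be referenced directly and the `depends_on` chain disappears. If the lookup is kept, note that `name` is being fed the resource's `id`, which for this resource is the ARN; pass `.name`, or use the data source's `arn` argument, so the intent is clear.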
@@ -323,6 +323,12 @@ locals {
 port = "5432"
 }
+ # Operational DataStore Secrets PlaceHolder
+ operational_datastore_secrets_placeholder = {
+ username = "placeholder"
+ password = "placeholder"
+ }
+
 # biprws Secrets Placeholder
 enable_biprws_secrets = local.application_data.accounts[local.environment].biprws.enable
 biprws_secrets_placeholder = {
diff --git a/terraform/environments/digital-prison-reporting/operational_datastore.tf b/terraform/environments/digital-prison-reporting/operational_datastore.tf
new file mode 100644
index 00000000000..3c8bd6a18cc
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/operational_datastore.tf
@@ -0,0 +1,45 @@
+resource "aws_glue_connection" "glue_operational_datastore_connection" {
+ count = (local.environment == "development" ? 1 : 0)
+ name = "${local.project}-operational-datastore-connection"
+ connection_type = "JDBC"
+
+ connection_properties = {
+ # This will be replaced by the details for the real Operational Data Store
+ JDBC_CONNECTION_URL = "jdbc:postgresql://dpr2-834-instance-1.cja8lnnvvipo.eu-west-2.rds.amazonaws.com:5432/postgres"
+ SECRET_ID = data.aws_secretsmanager_secret.operational_datastore[0].name
+ }
+
+ physical_connection_requirements {
+ availability_zone = data.aws_subnet.private_subnets_a.availability_zone
+ security_group_id_list = [aws_security_group.glue_operational_datastore_connection_sg[0].id]
+ subnet_id = data.aws_subnet.private_subnets_a.id
+ }
+}
+
+resource aws_security_group "glue_operational_datastore_connection_sg" {
+ count = (local.environment == "development" ? 1 : 0)
+ name = "${local.project}-operational-datastore-connection_sg"
+ description = "Security group to allow glue access to Operational Datastore via JDBC Connection"
+ vpc_id = data.aws_vpc.shared.id
+
+ # This SG is attached to the Glue connection and should also be attached to the Operational Datastore RDS
+ # See https://docs.aws.amazon.com/glue/latest/dg/setup-vpc-for-glue-access.html
+
+ # A self-referencing inbound rule for all TCP ports to enable AWS Glue to communicate between its components
+ ingress {
+ from_port = 0
+ to_port = 65535
+ protocol = "TCP"
+ self = true
+ description = "Security Group can Ingress to itself on all ports - required for Glue to communicate with itself"
+ }
+
+ # Allow all traffic out
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all traffic out from this Security Group"
+ }
+}
\ No newline at end of file
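Review bot: The security group's `egress` block opens all protocols to `0.0.0.0/0`; Glue needs the datastore on 5432 plus the AWS service endpoints it uses, so an egress rule to the datastore's security group on port 5432, together with whatever the VPC endpoints or NAT path require, is the least-privilege shape and keeps a Glue job from being a general outbound path from the VPC. The `JDBC_CONNECTION_URL` hard-codes one RDS instance endpoint; the comment says it is temporary, so drive it from a local or an SSM parameter in the same way the secret name is, and record in a comment that the `count` guard on `local.environment == "development"` exists because of that placeholder. `resource aws_security_group "..."` without quotes around the type is legacy syntax that `terraform fmt` rewrites; quote it for consistency with the rest of the file, and add the missing newline at end of file.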
diff --git a/terraform/environments/digital-prison-reporting/secrets.tf b/terraform/environments/digital-prison-reporting/secrets.tf
index 76a6976c217..efdc8642f26 100644
--- a/terraform/environments/digital-prison-reporting/secrets.tf
+++ b/terraform/environments/digital-prison-reporting/secrets.tf
@@ -53,6 +53,31 @@ resource "aws_secretsmanager_secret_version" "dps" {
 }
 }
+# Operational DataStore Secrets for use in DataHub
+# PlaceHolder Secrets
+resource "aws_secretsmanager_secret" "operational_datastore" {
+ count = (local.environment == "development" ? 1 : 0)
+ name = "external/operational_data_store"
+
+ tags = merge(
+ local.all_tags,
+ {
+ Name = "external/operational_data_store"
+ Resource_Type = "Secrets"
+ }
+ )
+}
+
+resource "aws_secretsmanager_secret_version" "operational_datastore" {
+ count = (local.environment == "development" ? 1 : 0)
+ secret_id = aws_secretsmanager_secret.operational_datastore[0].id
+ secret_string = jsonencode(local.operational_datastore_secrets_placeholder)
+
+ lifecycle {
+ ignore_changes = [secret_string,]
+ }
+}
+
 # Redshift Access Secrets
 resource "aws_secretsmanager_secret" "redshift" {
 name = "dpr-redshift-sqlworkbench-${local.env}"
diff --git a/terraform/environments/electronic-monitoring-data/modules/lambdas/main.tf b/terraform/environments/electronic-monitoring-data/modules/lambdas/main.tf
index 58c7a88134c..74a46d2b5fe 100644
--- a/terraform/environments/electronic-monitoring-data/modules/lambdas/main.tf
+++ b/terraform/environments/electronic-monitoring-data/modules/lambdas/main.tf
@@ -7,6 +7,12 @@ resource "aws_sqs_queue" "lambda_dlq" {
 kms_master_key_id = aws_kms_key.lambda_env_key.id
 }
+data "external" "latest_image_update_log_table" {
+ program = [
+ "bash", "-c",
+ "echo {}"]
+}
+
 resource "aws_kms_key" "lambda_env_key" {
 description = "KMS key for encrypting Lambda environment variables for ${var.function_name}"
 enable_key_rotation = true
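Review bot: The placeholder secret sets no `kms_key_id`, so it is encrypted with the AWS-managed `aws/secretsmanager` key, unlike the delius-core application secret in this same commit which sets `kms_key_id = var.account_config.kms_keys.general_shared`; if this account has a customer-managed key for secrets, set `kms_key_id = <CMK id or local, placeholder>` so the real credentials, once written out of band, fall under the same key policy as the rest. The `ignore_changes = [secret_string,]` pattern is right for a placeholder, but the `# PlaceHolder Secrets` comment should state that the real value is set manually and is never written by Terraform, since that is the operational contract a reader needs. A `recovery_window_in_days` is worth setting explicitly if the secret may be recreated while iterating in development.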
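Review bot: `data "external" "latest_image_update_log_table"` runs `bash -c "echo {}"` on every plan and apply, returns an empty object, and nothing in this hunk references it, so it reads like a leftover stub. `data "external"` executes an arbitrary program on the machine running Terraform, which most pipelines flag, so either remove it or add a comment stating what it is a placeholder for and when it will be replaced, e.g. `# placeholder: to be replaced by a lookup of the latest image update log table (<TODO owner/ticket>)`. If it stays, the module now depends on `bash` being present on every runner that plans it.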
diff --git a/terraform/environments/nomis/locals_production.tf b/terraform/environments/nomis/locals_production.tf
index a1feef97e1c..bd9891cfa13 100644
--- a/terraform/environments/nomis/locals_production.tf
+++ b/terraform/environments/nomis/locals_production.tf
@@ -86,7 +86,7 @@ locals {
 # ACTIVE (green deployment)
 prod-nomis-web-b = merge(local.ec2_autoscaling_groups.web, {
 autoscaling_group = merge(module.baseline_presets.ec2_autoscaling_group.default_with_ready_hook_and_warm_pool, {
- desired_capacity = 8
+ desired_capacity = 6
 max_size = 8
 # instance_refresh = {
@@ -168,8 +168,8 @@ locals {
 "/dev/sdc" = { label = "app", size = 1000 } # /u02
 })
 ebs_volume_config = merge(local.ec2_instances.db.ebs_volume_config, {
- data = { total_size = 4000, iops = 12000, throughput = 750 }
- flash = { total_size = 1000, iops = 5000, throughput = 500 }
+ data = { total_size = 4000, iops = 9000, throughput = 250 }
+ flash = { total_size = 1000, iops = 3000, throughput = 250 }
 })
 instance = merge(local.ec2_instances.db.instance, {
 disable_api_termination = true
@@ -200,8 +200,8 @@ locals {
 "/dev/sdc" = { label = "app", size = 500 }
 })
 ebs_volume_config = merge(local.ec2_instances.db.ebs_volume_config, {
- data = { total_size = 4000, iops = 12000, throughput = 750 }
- flash = { total_size = 1000, iops = 5000, throughput = 500 }
+ data = { total_size = 4000, iops = 9000, throughput = 250 }
+ flash = { total_size = 1000, iops = 3000, throughput = 125 }
 })
 instance = merge(local.ec2_instances.db.instance, {
 disable_api_termination = true
@@ -233,8 +233,8 @@ locals {
 "/dev/sdc" = { label = "app", size = 1000 } # /u02
 })
 ebs_volume_config = merge(local.ec2_instances.db.ebs_volume_config, {
- data = { total_size = 6000, iops = 12000, throughput = 750 }
- flash = { total_size = 1000, iops = 5000, throughput = 500 }
+ data = { total_size = 6000, iops = 9000, throughput = 250 }
+ flash = { total_size = 1000, iops = 3000, throughput = 250 }
 })
 instance = merge(local.ec2_instances.db.instance, {
 disable_api_termination = true
@@ -267,8 +267,10 @@ locals {
 "/dev/sdc" = { label = "app", size = 500 }
 })
 ebs_volume_config = merge(local.ec2_instances.db.ebs_volume_config, {
- data = { total_size = 6000, iops = 12000, throughput = 750 }
- flash = { total_size = 1000, iops = 5000, throughput = 500 }
+ data = { total_size = 6000, iops = 3000, throughput = 125 }
+ flash = { total_size = 1000, iops = 3000, throughput = 125 }
+ # data = { total_size = 6000, iops = 9000, throughput = 250 } # replace above with this on failover
+ # flash = { total_size = 1000, iops = 3000, throughput = 250 } # replace above with this on failover
 })
 instance = merge(local.ec2_instances.db.instance, {
 disable_api_termination = true
diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf
index 6dc77ef4186..66705a6ac86 100644
--- a/terraform/environments/planetfm/locals_preproduction.tf
+++ b/terraform/environments/planetfm/locals_preproduction.tf
@@ -192,7 +192,7 @@ locals {
 certificate_names_or_arns = ["planetfm_wildcard_cert"]
 port = 443
 protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-2016-08"
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
 default_action = {
 type = "fixed-response"
diff --git a/terraform/environments/planetfm/locals_production.tf b/terraform/environments/planetfm/locals_production.tf
index 885665534c7..8be0dc1c4b6 100644
--- a/terraform/environments/planetfm/locals_production.tf
+++ b/terraform/environments/planetfm/locals_production.tf
@@ -346,7 +346,7 @@ locals {
 certificate_names_or_arns = ["planetfm_wildcard_cert"]
 port = 443
 protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-2016-08"
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
 default_action = {
 type = "fixed-response"
diff --git a/terraform/modules/baseline/bastion_linux.tf b/terraform/modules/baseline/bastion_linux.tf
index 82d49ba2a6a..0e8149b5f4e 100644
--- a/terraform/modules/baseline/bastion_linux.tf
+++ b/terraform/modules/baseline/bastion_linux.tf
@@ -3,7 +3,7 @@ module "bastion_linux" {
 count = var.bastion_linux.public_key_data != null ? 1 : 0
- source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=6c4f0918a2db00ababbb40648b2ee57556ab90ab" # temp guid will be replaced with a release ref=v4.2.2? next week
 providers = {
 aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf
index bd20adc41bb..53a95695a08 100644
--- a/terraform/modules/baseline/variables.tf
+++ b/terraform/modules/baseline/variables.tf
@@ -84,8 +84,9 @@ variable "bastion_linux" {
 # see https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/CloudWatch-Dashboard-Body-Structure.html
 # cannot define a type without fully defining the entire cloudwatch dashboard json structure
+# tflint-ignore: terraform_typed_variables
 variable "cloudwatch_dashboards" {
- # tflint-ignore: terraform_typed_variables
+ description = "map of cloudwatch dashboards where key is the dashboard name. Use widget_groups if you want baseline to work out x,y,width,height"
 #type = map(object({
 # account_name = optional(string) # for monitoring account, limit to given account
@@ -474,8 +475,8 @@ variable "efs" {
 default = {}
 }
-variable "environment" {
 # tflint-ignore: terraform_typed_variables
+ variable "environment" {
 # Not defining 'type' as it is defined in the output of the environment module
 description = "Standard environmental data resources from the environment module"
 }
diff --git a/terraform/modules/baseline_presets/variables.tf b/terraform/modules/baseline_presets/variables.tf
index e5e2c6878ae..f08738401bd 100644
--- a/terraform/modules/baseline_presets/variables.tf
+++ b/terraform/modules/baseline_presets/variables.tf
@@ -1,11 +1,11 @@
+ # tflint-ignore: terraform_typed_variables
 variable "environment" {
- # tflint-ignore: terraform_typed_variables
 # Not defining 'type' as it is defined in the output of the environment module
 description = "Standard environmental data resources from the environment module"
 }
+# tflint-ignore: terraform_typed_variables
 variable "ip_addresses" {
- # tflint-ignore: terraform_typed_variables
 # Not defining 'type' as it is defined in the output of the ip_addresses module
 description = "ip address resources from the ip_address module"
 }
diff --git a/terraform/modules/cost_usage_report/main.tf b/terraform/modules/cost_usage_report/main.tf
index 2e0532feee7..1dfaa1fb9c7 100644
--- a/terraform/modules/cost_usage_report/main.tf
+++ b/terraform/modules/cost_usage_report/main.tf
@@ -14,6 +14,7 @@ resource "aws_cur_report_definition" "cost_usage_report" {
 depends_on = [module.s3_bucket] #ensures bucket permissions are applied before athena bucket access validation checks run
 }
+#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket
 module "s3_bucket" {
 #checkov:skip=CKV_TF_1:Ensure Terraform module sources use a commit hash; skip as this is MoJ Repo
@@ -56,7 +57,7 @@ data "aws_iam_policy_document" "cur_bucket_policy" {
 condition {
 test = "StringEquals"
 variable = "aws:SourceAccount"
- values = ["${var.account_number}"]
+ values = [var.account_number]
 }
 principals {
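Review bot: The re-added `variable "environment" {` line here and the moved `# tflint-ignore: terraform_typed_variables` line in the `baseline_presets/variables.tf` hunk both appear with a leading space at top level (`+ variable …`, `+ # tflint-ignore …`), while the `ip_addresses` one sits at column 0; this rendering collapses whitespace, so confirm with `terraform fmt -check`, which would otherwise fail CI on what is meant to be a comment-only change.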
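Review bot: `#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket` suppresses a check without naming what it is; if avd-aws-0132 is the S3 customer-managed-key encryption check, as I believe it is, the stated reason (a bucket policy being attached) does not address it and the suppression hides a real finding. Write the check's title and the actual reason into the comment, e.g. `#tfsec:ignore:avd-aws-0132 <check title>: <why it does not apply to the CUR bucket>`, or fix the underlying setting through the `s3_bucket` module inputs. The `values = [var.account_number]` cleanups in the policy document hunks are fine.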
@@ -80,7 +81,7 @@ data "aws_iam_policy_document" "cur_bucket_policy" {
 condition {
 test = "StringEquals"
 variable = "aws:SourceAccount"
- values = ["${var.account_number}"]
+ values = [var.account_number]
 }
 principals {