ministryofjustice · markgov · Oct 18, 2024 · Oct 17, 2024 · Oct 18, 2024 · Oct 18, 2024
@@ -60,31 +60,32 @@
 
 # # Build loadbalancer
 #tfsec:ignore:aws-elb-alb-not-public as the external lb needs to be public.
-# resource "aws_lb" "certificate_example_lb" {
-#   name               = "certificate-example-loadbalancer"
-#   load_balancer_type = "application"
-#   subnets            = data.aws_subnets.shared-public.ids
-#   #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection
-#   enable_deletion_protection = false
-#   # allow 60*4 seconds before 504 gateway timeout for long-running DB operations
-#   idle_timeout               = 240
-#   drop_invalid_header_fields = true
+resource "aws_lb" "certificate_example_lb" {
+  #checkov:skip=CKV2_AWS_28:Ensure public facing ALB are protected by WAF
+  name               = "certificate-example-loadbalancer"
+  load_balancer_type = "application"
+  subnets            = data.aws_subnets.shared-public.ids
+  #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection
+  enable_deletion_protection = false
+  # allow 60*4 seconds before 504 gateway timeout for long-running DB operations
+  idle_timeout               = 240
+  drop_invalid_header_fields = true
 
-#   security_groups = [aws_security_group.certificate_example_load_balancer_sg.id]
+  security_groups = [aws_security_group.certificate_example_load_balancer_sg.id]
 
-#   access_logs {
-#     bucket  = module.s3-bucket-lb.bucket.id
-#     prefix  = "test-lb"
-#     enabled = true
-#   }
+  access_logs {
+    bucket  = module.s3-bucket-lb.bucket.id
+    prefix  = "test-lb"
+    enabled = true
+  }
 
-#   tags       = { Name = "${local.application_name}-external-loadbalancer" }
-#   depends_on = [aws_security_group.certificate_example_load_balancer_sg]
-# }
+  tags       = { Name = "${local.application_name}-external-loadbalancer" }
+  depends_on = [aws_security_group.certificate_example_load_balancer_sg]
+}
 
-# resource "aws_security_group" "certificate_example_load_balancer_sg" {
-#   name        = "certificate-example-lb-sg"
-#   description = "controls access to load balancer"
-#   vpc_id      = data.aws_vpc.shared.id
-#   tags        = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) }
-# }
+resource "aws_security_group" "certificate_example_load_balancer_sg" {
+  name        = "certificate-example-lb-sg"
+  description = "controls access to load balancer"
+  vpc_id      = data.aws_vpc.shared.id
+  tags        = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) }
+}
@@ -0,0 +1,4 @@
+rm -Rf .terraform
+rm .terraform.lock.hcl
+terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::946070829339:role/modernisation-account-terraform-state-member-access\"}
+terraform workspace select example-development
@@ -1,7 +1,3 @@
-# ##########################################################################################
-# # ------------------------Comment out file if not required----------------------------------
-# ##########################################################################################
-
 #### This file can be used to store data specific to the member account ####
 
 #For macie code

@@ -1,38 +1,35 @@
-# ##########################################################################################
-# # ------------------------Comment out file if not required----------------------------------
-# ##########################################################################################
 
 # # tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
-# module "bastion_linux" {
-#   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1
+module "bastion_linux" {
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1
 
-#   providers = {
-#     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
-#     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
-#   }
-#   # s3 - used for logs and user ssh public keys
-#   bucket_name = "bastion-example"
-#   # public keys
-#   public_key_data = local.public_key_data.keys[local.environment]
-#   # logs
-#   log_auto_clean       = "Enabled"
-#   log_standard_ia_days = 30  # days before moving to IA storage
-#   log_glacier_days     = 60  # days before moving to Glacier
-#   log_expiry_days      = 180 # days before log expiration
-#   # bastion
-#   allow_ssh_commands = false
-#   app_name           = var.networking[0].application
-#   business_unit      = local.vpc_name
-#   subnet_set         = local.subnet_set
-#   environment        = local.environment
-#   region             = "eu-west-2"
+  providers = {
+    aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
+    aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
+  }
+  # s3 - used for logs and user ssh public keys
+  bucket_name = "bastion-example"
+  # public keys
+  public_key_data = local.public_key_data.keys[local.environment]
+  # logs
+  log_auto_clean       = "Enabled"
+  log_standard_ia_days = 30  # days before moving to IA storage
+  log_glacier_days     = 60  # days before moving to Glacier
+  log_expiry_days      = 180 # days before log expiration
+  # bastion
+  allow_ssh_commands = false
+  app_name           = var.networking[0].application
+  business_unit      = local.vpc_name
+  subnet_set         = local.subnet_set
+  environment        = local.environment
+  region             = "eu-west-2"
 
-#   # Tags
-#   tags_common = local.tags
-#   tags_prefix = terraform.workspace
-# }
+  # Tags
+  tags_common = local.tags
+  tags_prefix = terraform.workspace
+}
 
 
-# locals {
-#   public_key_data = jsondecode(file("./bastion_linux.json"))
-# }
+locals {
+  public_key_data = jsondecode(file("./bastion_linux.json"))
+}
@@ -1,13 +1,13 @@
-data "aws_ssoadmin_instances" "example" {
-  provider = aws.sso-readonly
-}
+# data "aws_ssoadmin_instances" "example" {
+#   provider = aws.sso-readonly
+# }
 
-data "aws_identitystore_group" "example" {
-  provider          = aws.sso-readonly
-  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]
+# data "aws_identitystore_group" "example" {
+#   provider          = aws.sso-readonly
+#   identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]
 
-  filter {
-    attribute_path  = "DisplayName"
-    attribute_value = "modernisation-platform"
-  }
-}
+#   filter {
+#     attribute_path  = "DisplayName"
+#     attribute_value = "modernisation-platform"
+#   }
+# }