Merge pull request #309 from ministryofjustice/308-add-database-basti…

…on-for-service Add database bastion for service
ministryofjustice · Dec 21, 2023 · 1c5b87d · 1c5b87d
2 parents 16cf656 + c325736
commit 1c5b87d
Show file tree

Hide file tree

Showing 9 changed files with 113 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -6,7 +6,7 @@ CURRENT_TIME := `date "+%Y.%m.%d-%H.%M.%S"`
 TERRAFORM_VERSION := `cat versions.tf 2> /dev/null | grep required_version | cut -d "\\"" -f 2 | cut -d " " -f 2`
 
 LOCAL_IMAGE := ministryofjustice/nvvs/terraforms:latest
-DOCKER_IMAGE := ghcr.io/ministryofjustice/nvvs/terraforms:v0.2.0
+DOCKER_IMAGE := ghcr.io/ministryofjustice/nvvs/terraforms:latest
 
 DOCKER_RUN := @docker run --rm \
 				--env-file <(aws-vault exec $$AWS_PROFILE -- env | grep ^AWS_) \
@@ -137,6 +137,14 @@ clean: ## clean terraform cached providers etc
 gen-env: ## generate a ".env" file with the correct TF_VARS for the environment e.g. (make gen-env ENV_ARGUMENT=pre-production)
 	$(DOCKER_RUN) /bin/bash -c "./scripts/generate-env-file.sh $$ENV_ARGUMENT"
 
+.PHONY: aws_describe_instances
+aws_describe_instances: ## Use AWS CLI to describe EC2 instances - outputs a table with instance id, type, IP and name for current environment
+	$(DOCKER_RUN) /bin/bash -c "./scripts/aws_describe_instances.sh"
+
+.PHONY: aws_ssm_start_session
+aws_ssm_start_session: ## Use AWS CLI to start SSM session on an EC2 instance (make aws_ssm_start_session INSTANCE_ID=i-01d4de517c7336ff3)
+	$(DOCKER_RUN_IT) /bin/bash -c "./scripts/aws_ssm_start_session.sh $$INSTANCE_ID"
+
 .PHONY: tfenv
 tfenv: ## tfenv pin - terraform version from versions.tf
 	tfenv use $(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin

diff --git a/bastion-rds-servers.tf b/bastion-rds-servers.tf
@@ -0,0 +1,27 @@
+module "rds_servers_bastion_label" {
+  source       = "./modules/label"
+  service_name = "rds-servers-bastion"
+  owner_email  = var.owner_email
+}
+
+module "rds_servers_bastion" {
+  source                      = "./modules/bastion"
+  prefix                      = module.rds_servers_bastion_label.id
+  vpc_id                      = module.servers_vpc.vpc.vpc_id
+  vpc_cidr_block              = module.servers_vpc.vpc.vpc_cidr_block
+  private_subnets             = module.servers_vpc.public_subnets
+  security_group_ids          = [module.dhcp.security_group_ids.dhcp_server]
+  ami_name                    = "diso-devops/bastion/rds-admin/ubuntu-jammy-22.04-amd64-server-1.0.1"
+  number_of_bastions          = 1
+  assume_role                 = local.s3-mojo_file_transfer_assume_role_arn
+  associate_public_ip_address = true
+  tags                        = module.rds_servers_bastion_label.tags
+
+  providers = {
+    aws = aws.env
+  }
+
+  depends_on = [module.servers_vpc]
+  // Set in SSM parameter store, true or false to enable or disable this module.
+  count = var.enable_rds_servers_bastion == true ? 1 : 0
+}
diff --git a/buildspec.yml b/buildspec.yml
@@ -44,6 +44,7 @@ env:
     TF_VAR_enable_corsham_test_bastion: "/staff-device/dns-dhcp/$ENV/enable_bastion"
     TF_VAR_enable_load_testing: "/staff-device/dns-dhcp/$ENV/enable_load_testing"
     TF_VAR_enable_rds_admin_bastion: "/staff-device/dns-dhcp/$ENV/enable_rds_admin_bastion"
+    TF_VAR_enable_rds_servers_bastion: "/staff-device/dns-dhcp/$ENV/enable_rds_servers_bastion"
     TF_VAR_number_of_load_testing_nodes: "/staff-device/dns-dhcp/$ENV/number_of_load_testing_nodes"
     TF_VAR_allowed_ip_ranges: "/staff-device/dns-dhcp/admin/$ENV/allowed_ip_ranges"
     ROLE_ARN: "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/assume_role"

diff --git a/modules/dhcp/outputs.tf b/modules/dhcp/outputs.tf
@@ -79,6 +79,16 @@ output "db_port" {
   value = aws_db_instance.dhcp_server_db.port
 }
 
+output "db" {
+  value = {
+    address  = aws_db_instance.dhcp_server_db.address
+    name     = aws_db_instance.dhcp_server_db.db_name
+    fqdn     = aws_route53_record.dhcp_db.fqdn
+    port     = aws_db_instance.dhcp_server_db.port
+    endpoint = aws_db_instance.dhcp_server_db.endpoint
+  }
+}
+
 output "ec2" {
   value = {
     dhcp_server_security_group_id = aws_security_group.dhcp_server.id
@@ -88,3 +98,9 @@ output "ec2" {
 output "kea_metrics_namespace" {
   value = var.metrics_namespace
 }
+
+output "security_group_ids" {
+  value = {
+    dhcp_server = aws_security_group.dhcp_server.id
+  }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -3,6 +3,7 @@ output "terraform_outputs" {
     dhcp = {
       ecs = module.dhcp.ecs
       ecr = module.dhcp.ecr
+      db  = module.dhcp.db
     }
 
     dhcp_standby = {

diff --git a/scripts/aws_describe_instances.sh b/scripts/aws_describe_instances.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+## Script to describe ec2 instances in target environment
+
+aws_describe_instances() {
+	aws \
+	ec2 describe-instances \
+	--query 'Reservations[].Instances[].[InstanceId,InstanceType,PublicIpAddress,Tags[?Key==`Name`]| [0].Value]' \
+	--output table
+}
+
+assume_role_in_environment() {
+  export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+  $(aws sts assume-role \
+  --role-arn "${TF_VAR_assume_role}" \
+  --role-session-name MySessionName \
+  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+  --output text))
+}
+
+main() {
+  assume_role_in_environment
+  aws_describe_instances
+}
+
+main
diff --git a/scripts/aws_ssm_get_parameters.sh b/scripts/aws_ssm_get_parameters.sh
@@ -9,6 +9,7 @@ export PARAM=$(aws ssm get-parameters --region eu-west-2 --with-decryption --nam
     "/staff-device/dns-dhcp/$ENV/enable_load_testing" \
     "/staff-device/dns-dhcp/$ENV/number_of_load_testing_nodes" \
     "/staff-device/dns-dhcp/$ENV/enable_rds_admin_bastion" \
+    "/staff-device/dns-dhcp/$ENV/enable_rds_servers_bastion" \
     --query Parameters)
 
 export PARAM2=$(aws ssm get-parameters --region eu-west-2 --with-decryption --names \
@@ -60,6 +61,7 @@ params["dhcp_db_password"]="$(echo $PARAM | jq '.[] | select(.Name | test("db/pa
 params["enable_load_testing"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_load_testing")) | .Value' --raw-output)"
 params["number_of_load_testing_nodes"]="$(echo $PARAM | jq '.[] | select(.Name | test("number_of_load_testing_nodes")) | .Value' --raw-output)"
 params["enable_rds_admin_bastion"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_rds_admin_bastion")) | .Value' --raw-output)"
+params["enable_rds_servers_bastion"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_rds_servers_bastion")) | .Value' --raw-output)"
 
 params["admin_db_username"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("admin/db/username")) | .Value' --raw-output)"
 params["admin_db_password"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("admin/db/password")) | .Value' --raw-output)"

diff --git a/scripts/aws_ssm_start_session.sh b/scripts/aws_ssm_start_session.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+## Script to describe ec2 instances in target environment
+
+aws_ssm_start_session() {
+ instance_id=${1}
+
+ echo "the instance_id is ${instance_id}"
+ aws ssm start-session --target "${instance_id}"
+}
+
+assume_role_in_environment() {
+  export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+  $(aws sts assume-role \
+  --role-arn "${TF_VAR_assume_role}" \
+  --role-session-name MySessionName \
+  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+  --output text))
+}
+
+main() {
+  assume_role_in_environment
+  aws_ssm_start_session "${1}"
+}
+
+main "${1}"
diff --git a/variables.tf b/variables.tf
@@ -201,3 +201,8 @@ variable "enable_rds_admin_bastion" {
   type    = bool
   default = false
 }
+
+variable "enable_rds_servers_bastion" {
+  type    = bool
+  default = false
+}