diff --git a/Makefile b/Makefile
index e28a787d..2312c06a 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@
 CURRENT_TIME := `date "+%Y.%m.%d-%H.%M.%S"`
 TERRAFORM_VERSION := `cat versions.tf 2> /dev/null | grep required_version | cut -d "\\"" -f 2 | cut -d " " -f 2`
 LOCAL_IMAGE := ministryofjustice/nvvs/terraforms:latest
-DOCKER_IMAGE := ghcr.io/ministryofjustice/nvvs/terraforms:v0.2.0
+DOCKER_IMAGE := ghcr.io/ministryofjustice/nvvs/terraforms:latest
 DOCKER_RUN := @docker run --rm \
 --env-file <(aws-vault exec $$AWS_PROFILE -- env | grep ^AWS_) \
@@ -137,6 +137,14 @@ clean: ## clean terraform cached providers etc
 gen-env: ## generate a ".env" file with the correct TF_VARS for the environment e.g. (make gen-env ENV_ARGUMENT=pre-production)
 $(DOCKER_RUN) /bin/bash -c "./scripts/generate-env-file.sh $$ENV_ARGUMENT"
+.PHONY: aws_describe_instances
+aws_describe_instances: ## Use AWS CLI to describe EC2 instances - outputs a table with instance id, type, IP and name for current environment
+ $(DOCKER_RUN) /bin/bash -c "./scripts/aws_describe_instances.sh"
+
+.PHONY: aws_ssm_start_session
+aws_ssm_start_session: ## Use AWS CLI to start SSM session on an EC2 instance (make aws_ssm_start_session INSTANCE_ID=i-01d4de517c7336ff3)
+ $(DOCKER_RUN_IT) /bin/bash -c "./scripts/aws_ssm_start_session.sh $$INSTANCE_ID"
+
 .PHONY: tfenv
 tfenv: ## tfenv pin - terraform version from versions.tf
 tfenv use $(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin
diff --git a/bastion-rds-servers.tf b/bastion-rds-servers.tf
new file mode 100644
index 00000000..8edd9862
--- /dev/null
+++ b/bastion-rds-servers.tf
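Review bot: The `DOCKER_IMAGE` line moves from the pinned tag `v0.2.0` to the mutable `latest` tag, so every `make` invocation now pulls whatever ghcr.io currently serves and the exact toolchain that ran terraform against an environment is no longer recorded anywhere in the repo. A floating tag also makes the wrapper non-reproducible and hard to audit after an incident, and a compromised or accidentally re-pushed `latest` would be picked up silently. Prefer a version tag, ideally with a digest, e.g. `DOCKER_IMAGE := ghcr.io/ministryofjustice/nvvs/terraforms:<pinned version>@sha256:<digest placeholder>`; if `latest` is deliberate for local iteration only, say so in a comment on the line so the next reader does not "fix" it.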
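Review bot: The `aws_ssm_start_session` recipe passes `$$INSTANCE_ID` to the script unguarded, so `make aws_ssm_start_session` without `INSTANCE_ID` runs the script with an empty argument and the failure surfaces only as an AWS error from `start-session --target ""`. Add a Make-level check as the first recipe line, e.g. `$(if $(strip $(INSTANCE_ID)),,$(error INSTANCE_ID is required, e.g. make aws_ssm_start_session INSTANCE_ID=<instance id>))`, so the operator gets a clear message before any container is started. The recipe also expands `$(DOCKER_RUN_IT)`, which is not defined in this hunk; if it is not already defined elsewhere in the Makefile the variable expands to nothing and the script would run on the host rather than inside the image, so it is worth confirming it exists and, if not, defining it next to `DOCKER_RUN` with the `-it` flags.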
@@ -0,0 +1,27 @@
+module "rds_servers_bastion_label" {
+ source = "./modules/label"
+ service_name = "rds-servers-bastion"
+ owner_email = var.owner_email
+}
+
+module "rds_servers_bastion" {
+ source = "./modules/bastion"
+ prefix = module.rds_servers_bastion_label.id
+ vpc_id = module.servers_vpc.vpc.vpc_id
+ vpc_cidr_block = module.servers_vpc.vpc.vpc_cidr_block
+ private_subnets = module.servers_vpc.public_subnets
+ security_group_ids = [module.dhcp.security_group_ids.dhcp_server]
+ ami_name = "diso-devops/bastion/rds-admin/ubuntu-jammy-22.04-amd64-server-1.0.1"
+ number_of_bastions = 1
+ assume_role = local.s3-mojo_file_transfer_assume_role_arn
+ associate_public_ip_address = true
+ tags = module.rds_servers_bastion_label.tags
+
+ providers = {
+ aws = aws.env
+ }
+
+ depends_on = [module.servers_vpc]
+ // Set in SSM parameter store, true or false to enable or disable this module.
+ count = var.enable_rds_servers_bastion == true ? 1 : 0
+}
diff --git a/buildspec.yml b/buildspec.yml
index 269e32ac..b9a8bf08 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -44,6 +44,7 @@ env:
 TF_VAR_enable_corsham_test_bastion: "/staff-device/dns-dhcp/$ENV/enable_bastion"
 TF_VAR_enable_load_testing: "/staff-device/dns-dhcp/$ENV/enable_load_testing"
 TF_VAR_enable_rds_admin_bastion: "/staff-device/dns-dhcp/$ENV/enable_rds_admin_bastion"
+ TF_VAR_enable_rds_servers_bastion: "/staff-device/dns-dhcp/$ENV/enable_rds_servers_bastion"
 TF_VAR_number_of_load_testing_nodes: "/staff-device/dns-dhcp/$ENV/number_of_load_testing_nodes"
 TF_VAR_allowed_ip_ranges: "/staff-device/dns-dhcp/admin/$ENV/allowed_ip_ranges"
 ROLE_ARN: "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/assume_role"
diff --git a/modules/dhcp/outputs.tf b/modules/dhcp/outputs.tf
index 11060ca6..ce90e570 100644
--- a/modules/dhcp/outputs.tf
+++ b/modules/dhcp/outputs.tf
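Review bot: `security_group_ids = [module.dhcp.security_group_ids.dhcp_server]` attaches the DHCP servers' own security group to the new RDS bastion, so the bastion inherits every ingress rule that group has now or gains later, and any rule someone adds for the bastion silently widens exposure of the DHCP servers as well; a host that also gets `associate_public_ip_address = true` should have a dedicated group carrying only the ingress it actually needs (SSM sessions need no inbound rule at all). The `private_subnets = module.servers_vpc.public_subnets` pairing deserves a comment, since the input name says private while the value is the public subnets — e.g. `# Public subnets are intentional: the bastion is reached via its public IP` or whatever the real intent is. Finally, `var.enable_rds_servers_bastion` is declared as `bool` in variables.tf, so `count = var.enable_rds_servers_bastion ? 1 : 0` reads better than the `== true` comparison, and `#` is the conventional HCL comment marker rather than `//`.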
@@ -79,6 +79,16 @@ output "db_port" {
 value = aws_db_instance.dhcp_server_db.port
 }
+output "db" {
+ value = {
+ address = aws_db_instance.dhcp_server_db.address
+ name = aws_db_instance.dhcp_server_db.db_name
+ fqdn = aws_route53_record.dhcp_db.fqdn
+ port = aws_db_instance.dhcp_server_db.port
+ endpoint = aws_db_instance.dhcp_server_db.endpoint
+ }
+}
+
 output "ec2" {
 value = {
 dhcp_server_security_group_id = aws_security_group.dhcp_server.id
@@ -88,3 +98,9 @@ output "ec2" {
 output "kea_metrics_namespace" {
 value = var.metrics_namespace
 }
+
+output "security_group_ids" {
+ value = {
+ dhcp_server = aws_security_group.dhcp_server.id
+ }
+}
diff --git a/outputs.tf b/outputs.tf
index c78cdbed..22a7ecfc 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,6 +3,7 @@ output "terraform_outputs" {
 dhcp = {
 ecs = module.dhcp.ecs
 ecr = module.dhcp.ecr
+ db = module.dhcp.db
 }
 dhcp_standby = {
diff --git a/scripts/aws_describe_instances.sh b/scripts/aws_describe_instances.sh
new file mode 100755
index 00000000..6ac891ff
--- /dev/null
+++ b/scripts/aws_describe_instances.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+## Script to describe ec2 instances in target environment
+
+aws_describe_instances() {
+ aws \
+ ec2 describe-instances \
+ --query 'Reservations[].Instances[].[InstanceId,InstanceType,PublicIpAddress,Tags[?Key==`Name`]| [0].Value]' \
+ --output table
+}
+
+assume_role_in_environment() {
+ export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+ $(aws sts assume-role \
+ --role-arn "${TF_VAR_assume_role}" \
+ --role-session-name MySessionName \
+ --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+ --output text))
+}
+
+main() {
+ assume_role_in_environment
+ aws_describe_instances
+}
+
+main
diff --git a/scripts/aws_ssm_get_parameters.sh b/scripts/aws_ssm_get_parameters.sh
index 2ddddbf2..517cb24a 100755
--- a/scripts/aws_ssm_get_parameters.sh
+++ b/scripts/aws_ssm_get_parameters.sh
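Review bot: The new `output "db"` block carries no `description`, so consumers of `terraform output` and the module docs get no hint of how `address`, `fqdn` and `endpoint` differ or which one callers should prefer; add e.g. `description = "Connection details for the DHCP server database: address, db_name, Route53 FQDN, port and host:port endpoint."`. The same gap applies to the `output "security_group_ids"` block in the second hunk of this file and to `variable "enable_rds_servers_bastion"` in variables.tf, whose only documentation is the `// Set in SSM parameter store` comment over in bastion-rds-servers.tf — a `description` on the variable keeps that next to the definition. The root `terraform_outputs.dhcp.db` now re-exports these values; none of them are credentials, but stating that in the description makes it less likely someone later adds the password to the same map.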
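Review bot: `assume_role_in_environment` runs without `set -euo pipefail` and builds its `export` from an unquoted `$(printf … $(aws sts assume-role …))`, so when `aws sts assume-role` fails (expired aws-vault session, unset `TF_VAR_assume_role`) printf still emits `AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY= AWS_SESSION_TOKEN=`, the three empty variables are exported over whatever the container was given, and `main` carries on into `describe-instances` with an unrelated credentials error at best — the script should fail at the assume-role step instead. The fixed `--role-session-name MySessionName` also means every operator appears in CloudTrail under the same session name, so activity under the environment role cannot be attributed to a person; derive it from the caller instead. The function is duplicated verbatim in scripts/aws_ssm_start_session.sh, so the same fix applies there (or move it into one sourced helper).

```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: aws_describe_instances …

assume_role_in_environment() {
  local creds
  creds=$(aws sts assume-role \
    --role-arn "${TF_VAR_assume_role:?TF_VAR_assume_role must be set}" \
    --role-session-name "${USER:-aws_describe_instances}" \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text)
  read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "${creds}"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# … unchanged: main …
```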
@@ -9,6 +9,7 @@ export PARAM=$(aws ssm get-parameters --region eu-west-2 --with-decryption --nam
 "/staff-device/dns-dhcp/$ENV/enable_load_testing" \
 "/staff-device/dns-dhcp/$ENV/number_of_load_testing_nodes" \
 "/staff-device/dns-dhcp/$ENV/enable_rds_admin_bastion" \
+ "/staff-device/dns-dhcp/$ENV/enable_rds_servers_bastion" \
 --query Parameters)
 export PARAM2=$(aws ssm get-parameters --region eu-west-2 --with-decryption --names \
@@ -60,6 +61,7 @@ params["dhcp_db_password"]="$(echo $PARAM | jq '.[] | select(.Name | test("db/pa
 params["enable_load_testing"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_load_testing")) | .Value' --raw-output)"
 params["number_of_load_testing_nodes"]="$(echo $PARAM | jq '.[] | select(.Name | test("number_of_load_testing_nodes")) | .Value' --raw-output)"
 params["enable_rds_admin_bastion"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_rds_admin_bastion")) | .Value' --raw-output)"
+params["enable_rds_servers_bastion"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_rds_servers_bastion")) | .Value' --raw-output)"
 params["admin_db_username"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("admin/db/username")) | .Value' --raw-output)"
 params["admin_db_password"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("admin/db/password")) | .Value' --raw-output)"
diff --git a/scripts/aws_ssm_start_session.sh b/scripts/aws_ssm_start_session.sh
new file mode 100755
index 00000000..9ad978d7
--- /dev/null
+++ b/scripts/aws_ssm_start_session.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+## Script to describe ec2 instances in target environment
+
+aws_ssm_start_session() {
+ instance_id=${1}
+
+ echo "the instance_id is ${instance_id}"
+ aws ssm start-session --target "${instance_id}"
+}
+
+assume_role_in_environment() {
+ export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+ $(aws sts assume-role \
+ --role-arn "${TF_VAR_assume_role}" \
+ --role-session-name MySessionName \
+ --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+ --output text))
+}
+
+main() {
+ assume_role_in_environment
+ aws_ssm_start_session "${1}"
+}
+
+main "${1}"
diff --git a/variables.tf b/variables.tf
index 5953e38a..7e12e571 100644
--- a/variables.tf
+++ b/variables.tf
@@ -201,3 +201,8 @@ variable "enable_rds_admin_bastion" {
 type = bool
 default = false
 }
+
+variable "enable_rds_servers_bastion" {
+ type = bool
+ default = false
+}
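Review bot: The header comment `## Script to describe ec2 instances in target environment` was copied from aws_describe_instances.sh and does not describe this file; make it `## Script to start an SSM Session Manager session on an EC2 instance in the target environment (usage: aws_ssm_start_session.sh <instance-id>)`. `aws_ssm_start_session` also accepts an empty argument: with no `INSTANCE_ID` from the Makefile it prints `the instance_id is ` and then runs `aws ssm start-session --target ""`, so change the assignment to `local instance_id=${1:?usage: $0 <instance-id>}` to fail with a usage message instead (and `local` keeps the variable out of the global scope). `assume_role_in_environment` has the same unguarded-export and fixed `MySessionName` issues raised on aws_describe_instances.sh.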