Merge pull request #364 from ministryofjustice/ND-188-ssm-parameters

Nd 188 ssm parameters

bastion-corsham-test.tf

@@ -1,13 +1,13 @@
 module "corsham_test_bastion" {
   source = "./modules/corsham_test"
 
-  bastion_allowed_egress_ip  = var.bastion_allowed_egress_ip
-  bastion_allowed_ingress_ip = var.bastion_allowed_ingress_ip
-  corsham_vm_ip              = var.corsham_vm_ip
+  bastion_allowed_egress_ip  = local.bastion_allowed_egress_ip
+  bastion_allowed_ingress_ip = local.bastion_allowed_ingress_ip
+  corsham_vm_ip              = local.corsham_vm_ip
   route_table_id             = module.servers_vpc.public_route_table_ids[0]
   subnets                    = module.servers_vpc.public_subnets
   tags                       = module.dhcp_label.tags
-  transit_gateway_id         = var.dhcp_transit_gateway_id
+  transit_gateway_id         = local.dhcp_transit_gateway_id
   vpc_id                     = module.servers_vpc.vpc_id
 
   depends_on = [
@@ -18,5 +18,5 @@ module "corsham_test_bastion" {
     aws = aws.env
   }
 
-  count = var.enable_corsham_test_bastion == true ? 1 : 0
+  count = local.enable_corsham_test_bastion == true ? 1 : 0
 }

bastion-load-testing.tf

@@ -6,9 +6,9 @@ module "load_testing_label" {
 
 module "load_testing" {
   source             = "github.com/ministryofjustice/diso-devops-module-ssm-bastion.git?ref=1fa79052e1e19a9dd3d18953db3db1b80c098986"
-  ami_owners         = ["${var.shared_services_account_id}"]
+  ami_owners         = ["${local.shared_services_account_id}"]
   assume_role        = local.s3-mojo_file_transfer_assume_role_arn
-  number_of_bastions = var.number_of_load_testing_nodes
+  number_of_bastions = local.number_of_load_testing_nodes
   prefix             = module.load_testing_label.id
   subnets            = module.servers_vpc.vpc.private_subnets
   vpc_cidr_block     = module.servers_vpc.vpc.vpc_cidr_block
@@ -21,5 +21,5 @@ module "load_testing" {
 
   depends_on = [module.servers_vpc]
   // Set in SSM parameter store, true or false to enable or disable this module.
-  count = var.enable_load_testing == true ? 1 : 0
+  count = local.enable_load_testing == true ? 1 : 0
 }

bastion-rds-admin.tf

@@ -6,7 +6,7 @@ module "rds_admin_bastion_label" {
 
 module "rds_admin_bastion" {
   source                      = "github.com/ministryofjustice/diso-devops-module-ssm-bastion.git?ref=1fa79052e1e19a9dd3d18953db3db1b80c098986"
-  ami_owners                  = ["${var.shared_services_account_id}"]
+  ami_owners                  = ["${local.shared_services_account_id}"]
   associate_public_ip_address = false
   assume_role                 = local.s3-mojo_file_transfer_assume_role_arn
   number_of_bastions          = 1
@@ -23,5 +23,6 @@ module "rds_admin_bastion" {
 
   depends_on = [module.admin_vpc]
   // Set in SSM parameter store, true or false to enable or disable this module.
-  count = var.enable_rds_admin_bastion == true ? 1 : 0
+  count = local.enable_rds_admin_bastion == true ? 1 : 0
 }
+

bastion-rds-servers.tf

@@ -6,7 +6,7 @@ module "rds_servers_bastion_label" {
 
 module "rds_servers_bastion" {
   source                      = "github.com/ministryofjustice/diso-devops-module-ssm-bastion.git?ref=1fa79052e1e19a9dd3d18953db3db1b80c098986"
-  ami_owners                  = ["${var.shared_services_account_id}"]
+  ami_owners                  = ["${local.shared_services_account_id}"]
   associate_public_ip_address = false
   assume_role                 = local.s3-mojo_file_transfer_assume_role_arn
   number_of_bastions          = 1
@@ -23,5 +23,5 @@ module "rds_servers_bastion" {
 
   depends_on = [module.servers_vpc]
   // Set in SSM parameter store, true or false to enable or disable this module.
-  count = var.enable_rds_servers_bastion == true ? 1 : 0
+  count = local.enable_rds_servers_bastion == true ? 1 : 0
 }

buildspec.yml

@@ -4,41 +4,8 @@ env:
   variables:
     #TF_IN_AUTOMATION: true
     TF_INPUT: 0
-    TF_VAR_enable_critical_notifications: true
-    TF_VAR_enable_authentication: true
-    TF_VAR_admin_db_backup_retention_period: 30
-    TF_VAR_enable_dhcp_transit_gateway_attachment: true
-    TF_VAR_enable_ssh_key_generation: false
-    TF_VAR_enable_dhcp_cloudwatch_log_metrics: true
   parameter-store:
-    TF_VAR_assume_role: "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/assume_role"
-    TF_VAR_pdns_ips: "/staff-device/dns/pdns/ips"
-    TF_VAR_pdns_ips_list: "/staff-device/dns/pdns/ips_list"
-    TF_VAR_azure_federation_metadata_url: "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/azure_federation_metadata_url"
-    TF_VAR_critical_notification_recipients: "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/critical_notification_recipients"
-    TF_VAR_vpn_hosted_zone_id: "/codebuild/$ENV/vpn_hosted_zone_id"
-    TF_VAR_vpn_hosted_zone_domain: "/route53/$ENV/vpn_hosted_zone_domain"
-    TF_VAR_dhcp_transit_gateway_id: "/staff-device/dhcp/$ENV/transit_gateway_id"
-    TF_VAR_transit_gateway_route_table_id: "/staff-device/dhcp/$ENV/transit_gateway_route_table_id"
-    TF_VAR_dns_load_balancer_private_ip_eu_west_2a: "/staff-device/dns/$ENV/load_balancer_private_ip_eu_west_2a"
-    TF_VAR_dns_load_balancer_private_ip_eu_west_2b: "/staff-device/dns/$ENV/load_balancer_private_ip_eu_west_2b"
-    TF_VAR_dns_route53_resolver_ip_eu_west_2a: "/staff-device/dns/$ENV/dns_route53_resolver_ip_eu_west_2a"
-    TF_VAR_dns_route53_resolver_ip_eu_west_2b: "/staff-device/dns/$ENV/dns_route53_resolver_ip_eu_west_2b"
-    TF_VAR_dns_private_zone: "/staff-device/admin/$ENV/dns_private_zone"
-    TF_VAR_bastion_allowed_ingress_ip: "/staff-device/corsham_testing/bastion_allowed_ingress_ip"
-    TF_VAR_bastion_allowed_egress_ip: "/staff-device/corsham_testing/bastion_allowed_egress_ip"
-    TF_VAR_corsham_vm_ip: "/staff-device/corsham_testing/corsham_vm_ip"
-    TF_VAR_model_office_vm_ip: "/staff-device/dns-dhcp/model_office_vm_ip"
-    TF_VAR_dhcp_egress_transit_gateway_routes: "/staff-device/$ENV/dhcp_egress_transit_gateway_routes"
-    TF_VAR_byoip_pool_id: "/staff-device/dns/$ENV/public_ip_pool_id"
-    TF_VAR_enable_corsham_test_bastion: "/staff-device/dns-dhcp/$ENV/enable_bastion"
-    TF_VAR_enable_load_testing: "/staff-device/dns-dhcp/$ENV/enable_load_testing"
-    TF_VAR_enable_rds_admin_bastion: "/staff-device/dns-dhcp/$ENV/enable_rds_admin_bastion"
-    TF_VAR_enable_rds_servers_bastion: "/staff-device/dns-dhcp/$ENV/enable_rds_servers_bastion"
-    TF_VAR_number_of_load_testing_nodes: "/staff-device/dns-dhcp/$ENV/number_of_load_testing_nodes"
-    TF_VAR_allowed_ip_ranges: "/staff-device/dns-dhcp/admin/$ENV/allowed_ip_ranges"
     ROLE_ARN: "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/assume_role"
-    TF_VAR_shared_services_account_id: "/codebuild/staff_device_shared_services_account_id"
 
 phases:
   install:

data.tf

@@ -1,4 +1,3 @@
-
 #-----------------------------------------------------------------
 ### Getting the staff-device-shared-services-infrastructure state
 #-----------------------------------------------------------------
@@ -10,6 +9,11 @@ data "terraform_remote_state" "staff-device-shared-services-infrastructure" {
     key    = "env:/ci/terraform/v1/state"
     region = "eu-west-2"
   }
+
+  #-----------------------------------------------------------------
+  ### Getting xsiam secrets from secret manager
+  #-----------------------------------------------------------------
+
 }
 data "aws_secretsmanager_secret" "xsiam_endpoint_secrets" {
   name = "/dhcp-server/${terraform.workspace}/xsiam_endpoint_secrets"
@@ -20,6 +24,14 @@ data "aws_secretsmanager_secret_version" "xsiam_secrets_version" {
   version_id = terraform.workspace == "pre-production" ? local.xsiam_secrets_version_pre_production : terraform.workspace == "production" ? local.xsiam_secrets_version_production : local.xsiam_secrets_version_development
 }
 
+#-----------------------------------------------------------------
+### Getting ssm parameters for variables
+#-----------------------------------------------------------------
+
+data "aws_ssm_parameter" "assume_role" {
+  name = "/codebuild/pttp-ci-infrastructure-core-pipeline/${terraform.workspace}/assume_role"
+}
+
 data "aws_ssm_parameter" "dns_private_zone" {
   provider = aws.env
   name     = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.target_account.account_id}:parameter/staff-device/admin/${terraform.workspace}/dns_private_zone"
@@ -34,3 +46,111 @@ data "aws_ssm_parameter" "dhcp_load_balancer_private_ip_eu_west_2b" {
   provider = aws.env
   name     = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.target_account.account_id}:parameter/staff-device/dhcp/${terraform.workspace}/load_balancer_private_ip_eu_west_2b"
 }
+
+data "aws_ssm_parameter" "pdns_ips" {
+  name = "/staff-device/dns/pdns/ips"
+}
+
+data "aws_ssm_parameter" "azure_federation_metadata_url" {
+  name = "/codebuild/pttp-ci-infrastructure-core-pipeline/${terraform.workspace}/azure_federation_metadata_url"
+}
+
+data "aws_ssm_parameter" "enable_load_testing" {
+  name = "/staff-device/dns-dhcp/${terraform.workspace}/enable_load_testing"
+}
+
+data "aws_ssm_parameter" "number_of_load_testing_nodes" {
+  name = "/staff-device/dns-dhcp/${terraform.workspace}/number_of_load_testing_nodes"
+}
+
+data "aws_ssm_parameter" "enable_rds_admin_bastion" {
+  name = "/staff-device/dns-dhcp/${terraform.workspace}/enable_rds_admin_bastion"
+}
+
+data "aws_ssm_parameter" "enable_rds_servers_bastion" {
+  name = "/staff-device/dns-dhcp/${terraform.workspace}/enable_rds_servers_bastion"
+}
+
+data "aws_ssm_parameter" "pdns_ips_list" {
+  name            = "/staff-device/dns/pdns/ips_list"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "vpn_hosted_zone_id" {
+  name            = "/codebuild/${terraform.workspace}/vpn_hosted_zone_id"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "byoip_pool_id" {
+  name            = "/staff-device/dns/${terraform.workspace}/public_ip_pool_id"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "vpn_hosted_zone_domain" {
+  name = "/route53/${terraform.workspace}/vpn_hosted_zone_domain"
+}
+
+data "aws_ssm_parameter" "dhcp_transit_gateway_id" {
+  name            = "/staff-device/dhcp/${terraform.workspace}/transit_gateway_id"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "transit_gateway_route_table_id" {
+  name            = "/staff-device/dhcp/${terraform.workspace}/transit_gateway_route_table_id"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "dns_load_balancer_private_ip_eu_west_2a" {
+  name            = "/staff-device/dns/${terraform.workspace}/load_balancer_private_ip_eu_west_2a"
+  with_decryption = true
+}
+
+
+data "aws_ssm_parameter" "dns_load_balancer_private_ip_eu_west_2b" {
+  name            = "/staff-device/dns/${terraform.workspace}/load_balancer_private_ip_eu_west_2b"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "dns_route53_resolver_ip_eu_west_2a" {
+  name            = "/staff-device/dns/${terraform.workspace}/dns_route53_resolver_ip_eu_west_2a"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "dns_route53_resolver_ip_eu_west_2b" {
+  name            = "/staff-device/dns/${terraform.workspace}/dns_route53_resolver_ip_eu_west_2b"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "bastion_allowed_ingress_ip" {
+  name            = "/staff-device/corsham_testing/bastion_allowed_ingress_ip"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "bastion_allowed_egress_ip" {
+  name            = "/staff-device/corsham_testing/bastion_allowed_egress_ip"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "enable_corsham_test_bastion" {
+  name            = "/staff-device/dns-dhcp/${terraform.workspace}/enable_bastion"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "corsham_vm_ip" {
+  name            = "/staff-device/corsham_testing/corsham_vm_ip"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "model_office_vm_ip" {
+  name            = "/staff-device/dns-dhcp/model_office_vm_ip"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "allowed_ip_ranges" {
+  name = "/staff-device/dns-dhcp/admin/${terraform.workspace}/allowed_ip_ranges"
+}
+
+data "aws_ssm_parameter" "shared_services_account_id" {
+  name            = "/codebuild/staff_device_shared_services_account_id"
+  with_decryption = true
+}

documentation/archive/aws_ssm_get_parameters.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+# export PARAM=$(aws ssm get-parameters --region eu-west-2 --with-decryption --names \
+#     "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/assume_role" \
+#     "/staff-device/dns/pdns/ips" \
+#     "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/azure_federation_metadata_url" \
+#     "/staff-device/dns-dhcp/$ENV/enable_load_testing" \
+#     "/staff-device/dns-dhcp/$ENV/number_of_load_testing_nodes" \
+#     "/staff-device/dns-dhcp/$ENV/enable_rds_admin_bastion" \
+#     "/staff-device/dns-dhcp/$ENV/enable_rds_servers_bastion" \
+#     --query Parameters)
+
+# export PARAM2=$(aws ssm get-parameters --region eu-west-2 --with-decryption --names \
+#     "/staff-device/dns/pdns/ips_list" \
+#     "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/critical_notification_recipients" \
+#     "/codebuild/$ENV/vpn_hosted_zone_id" \
+#     "/route53/$ENV/vpn_hosted_zone_domain" \
+#     "/staff-device/dhcp/$ENV/transit_gateway_id" \
+#     "/staff-device/dhcp/$ENV/transit_gateway_route_table_id" \
+#     --query Parameters)
+
+# export PARAM3=$(aws ssm get-parameters --region eu-west-2 --with-decryption --names \
+#     "/staff-device/dns/$ENV/load_balancer_private_ip_eu_west_2a" \
+#     "/staff-device/dns/$ENV/load_balancer_private_ip_eu_west_2b" \
+#     "/staff-device/dns/$ENV/dns_route53_resolver_ip_eu_west_2a" \
+#     "/staff-device/dns/$ENV/dns_route53_resolver_ip_eu_west_2b" \
+#     "/staff-device/admin/sentry_dsn" \
+#     "/staff-device/corsham_testing/bastion_allowed_ingress_ip" \
+#     "/staff-device/corsham_testing/bastion_allowed_egress_ip" \
+#     --query Parameters)
+
+# export PARAM4=$(aws ssm get-parameters --region eu-west-2 --with-decryption --names \
+#     "/staff-device/corsham_testing/corsham_vm_ip" \
+#     "/staff-device/dns-dhcp/model_office_vm_ip" \
+#     "/staff-device/$ENV/dhcp_egress_transit_gateway_routes" \
+#     "/staff-device/dns/$ENV/public_ip_pool_id" \
+#     "/staff-device/dns-dhcp/$ENV/enable_bastion" \
+#     "/staff-device/dns-dhcp/admin/$ENV/allowed_ip_ranges" \
+#     "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/assume_role" \
+#     "/codebuild/staff_device_shared_services_account_id" \
+#     --query Parameters)
+
+# declare -A params
+
+# params["assume_role"]="$(echo $PARAM | jq '.[] | select(.Name | test("assume_role")) | .Value' --raw-output)"
+# params["pdns_ips"]="$(echo $PARAM | jq '.[] | select(.Name | test("dns/pdns/ips")) | .Value' --raw-output)"
+# params["azure_federation_metadata_url"]="$(echo $PARAM | jq '.[] | select(.Name | test("azure_federation_metadata_url")) | .Value' --raw-output)"
+# params["enable_load_testing"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_load_testing")) | .Value' --raw-output)"
+# params["number_of_load_testing_nodes"]="$(echo $PARAM | jq '.[] | select(.Name | test("number_of_load_testing_nodes")) | .Value' --raw-output)"
+# params["enable_rds_admin_bastion"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_rds_admin_bastion")) | .Value' --raw-output)"
+# params["enable_rds_servers_bastion"]="$(echo $PARAM | jq '.[] | select(.Name | test("enable_rds_servers_bastion")) | .Value' --raw-output)"
+
+# params["pdns_ips_list"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("dns/pdns/ips_list")) | .Value' --raw-output)"
+# params["critical_notification_recipients"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("critical_notification_recipients")) | .Value' --raw-output)"
+# params["vpn_hosted_zone_id"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("vpn_hosted_zone_id")) | .Value' --raw-output)"
+# params["vpn_hosted_zone_domain"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("vpn_hosted_zone_domain")) | .Value' --raw-output)"
+# params["dhcp_transit_gateway_id"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("transit_gateway_id")) | .Value' --raw-output)"
+# params["transit_gateway_route_table_id"]="$(echo $PARAM2 | jq '.[] | select(.Name | test("transit_gateway_route_table_id")) | .Value' --raw-output)"
+
+# params["dns_load_balancer_private_ip_eu_west_2a"]="$(echo $PARAM3 | jq '.[] | select(.Name | test("load_balancer_private_ip_eu_west_2a")) | .Value' --raw-output)"
+# params["dns_load_balancer_private_ip_eu_west_2b"]="$(echo $PARAM3 | jq '.[] | select(.Name | test("load_balancer_private_ip_eu_west_2b")) | .Value' --raw-output)"
+# params["dns_route53_resolver_ip_eu_west_2a"]="$(echo $PARAM3 | jq '.[] | select(.Name | test("dns_route53_resolver_ip_eu_west_2a")) | .Value' --raw-output)"
+# params["dns_route53_resolver_ip_eu_west_2b"]="$(echo $PARAM3 | jq '.[] | select(.Name | test("dns_route53_resolver_ip_eu_west_2b")) | .Value' --raw-output)"
+# params["bastion_allowed_ingress_ip"]="$(echo $PARAM3 | jq '.[] | select(.Name | test("bastion_allowed_ingress_ip")) | .Value' --raw-output)"
+# params["bastion_allowed_egress_ip"]="$(echo $PARAM3 | jq '.[] | select(.Name | test("bastion_allowed_egress_ip")) | .Value' --raw-output)"
+
+# params["corsham_vm_ip"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("corsham_vm_ip")) | .Value' --raw-output)"
+# params["model_office_vm_ip"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("model_office_vm_ip")) | .Value' --raw-output)"
+# params["dhcp_egress_transit_gateway_routes"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("dhcp_egress_transit_gateway_routes")) | .Value' --raw-output)"
+# params["byoip_pool_id"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("public_ip_pool_id")) | .Value' --raw-output)"
+# params["enable_corsham_test_bastion"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("enable_bastion")) | .Value' --raw-output)"
+# params["allowed_ip_ranges"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("allowed_ip_ranges")) | .Value' --raw-output)"
+# params["ROLE_ARN"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("assume_role")) | .Value' --raw-output)"
+# params["shared_services_account_id"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("staff_device_shared_services_account_id")) | .Value' --raw-output)"