Apply dns changes to match those made to wardship

don't create 2 certs in prod use major version only for postgres
ministryofjustice · Sep 23, 2024 · 338d0c0 · 338d0c0
1 parent bb19963
commit 338d0c0
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 66 deletions.
diff --git a/terraform/environments/ncas/application_variables.json b/terraform/environments/ncas/application_variables.json
@@ -7,7 +7,7 @@
       "allocated_storage": "20",
       "storage_type": "gp2",
       "engine": "postgres",
-      "engine_version": "14.10",
+      "engine_version": "14",
       "instance_class": "db.t3.micro",
       "server_port_1": "80",
       "lb_listener_protocol_1": "HTTP",
@@ -27,7 +27,7 @@
       "allocated_storage": "20",
       "storage_type": "gp2",
       "engine": "postgres",
-      "engine_version": "14.10",
+      "engine_version": "14",
       "instance_class": "db.t3.micro",
       "server_port_1": "80",
       "lb_listener_protocol_1": "HTTP",
@@ -47,7 +47,7 @@
       "allocated_storage": "20",
       "storage_type": "gp2",
       "engine": "postgres",
-      "engine_version": "14.10",
+      "engine_version": "14",
       "instance_class": "db.t3.micro",
       "server_port_1": "80",
       "lb_listener_protocol_1": "HTTP",

diff --git a/terraform/environments/ncas/dns_ssl.tf b/terraform/environments/ncas/dns_ssl.tf
@@ -1,11 +1,9 @@
-// DEV + PRE-PRODUCTION DNS CONFIGURATION
-
 // ACM Public Certificate
 resource "aws_acm_certificate" "external" {
-  domain_name       = "modernisation-platform.service.justice.gov.uk"
+  domain_name       = local.is-production ? "neutral-citation-allocation.service.justice.gov.uk" : "modernisation-platform.service.justice.gov.uk"
   validation_method = "DNS"
 
-  subject_alternative_names = ["${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"]
+  subject_alternative_names = local.is-production ? null : ["${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"]
   tags = {
     Environment = local.environment
   }
@@ -15,24 +13,36 @@ resource "aws_acm_certificate" "external" {
   }
 }
 
+// Validate Cert based on external route53 fqdn
 resource "aws_acm_certificate_validation" "external" {
   certificate_arn         = aws_acm_certificate.external.arn
-  validation_record_fqdns = [local.domain_name_main[0], local.domain_name_sub[0]]
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
 }
 
-// Route53 DNS records for certificate validation
-resource "aws_route53_record" "external_validation" {
+// Non production zone for validation is network-services (production is application zone)
+resource "aws_route53_record" "cert_validation" {
+
   provider = aws.core-network-services
 
+  for_each = {
+    for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => {
+      name  = dvo.resource_record_name
+      type  = dvo.resource_record_type
+      value = dvo.resource_record_value
+    }
+  }
   allow_overwrite = true
-  name            = local.domain_name_main[0]
-  records         = local.domain_record_main
-  ttl             = 60
-  type            = local.domain_type_main[0]
-  zone_id         = data.aws_route53_zone.network-services.zone_id
+  name            = each.value.name
+  records         = [each.value.value]
+  ttl             = 300
+  type            = each.value.type
+  zone_id         = local.is-production ? data.aws_route53_zone.application_zone.zone_id : data.aws_route53_zone.network-services.zone_id
 }
 
+// sub-domain validation only required for non-production sites
 resource "aws_route53_record" "external_validation_subdomain" {
+
+  count    = local.is-production ? 0 : 1
   provider = aws.core-vpc
 
   allow_overwrite = true
@@ -44,12 +54,13 @@ resource "aws_route53_record" "external_validation_subdomain" {
 }
 
 // Route53 DNS record for directing traffic to the service
-resource "aws_route53_record" "external" {
-  provider = aws.core-vpc
-
-  zone_id = data.aws_route53_zone.external.zone_id
-  name    = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
-  type    = "A"
+// Provider, zone and name dependent on production or non-production environment
+resource "aws_route53_record" "external-prod" {
+  count    = local.is-production ? 1 : 0
+  provider = aws.core-network-services
+  zone_id  = data.aws_route53_zone.application_zone.zone_id
+  name     = "neutral-citation-allocation.service.justice.gov.uk"
+  type     = "A"
 
   alias {
     name                   = aws_lb.ncas_lb.dns_name
@@ -58,50 +69,12 @@ resource "aws_route53_record" "external" {
   }
 }
 
-// PRODUCTION DNS CONFIGURATION
-
-// ACM Public Certificate
-resource "aws_acm_certificate" "external_prod" {
-  count = local.is-production ? 1 : 0
-
-  domain_name       = local.application_data.accounts[local.environment].domain_name
-  validation_method = "DNS"
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_acm_certificate_validation" "external_prod" {
-  count = local.is-production ? 1 : 0
-
-  certificate_arn         = aws_acm_certificate.external_prod[0].arn
-  validation_record_fqdns = [aws_route53_record.external_validation_prod[0].fqdn]
-  timeouts {
-    create = "10m"
-  }
-}
-
-// Route53 DNS record for certificate validation
-resource "aws_route53_record" "external_validation_prod" {
-  count    = local.is-production ? 1 : 0
-  provider = aws.core-network-services
-
-  allow_overwrite = true
-  name            = tolist(aws_acm_certificate.external_prod[0].domain_validation_options)[0].resource_record_name
-  records         = [tolist(aws_acm_certificate.external_prod[0].domain_validation_options)[0].resource_record_value]
-  type            = tolist(aws_acm_certificate.external_prod[0].domain_validation_options)[0].resource_record_type
-  zone_id         = data.aws_route53_zone.application_zone.zone_id
-  ttl             = 60
-}
-
-// Route53 DNS record for directing traffic to the service
-resource "aws_route53_record" "external_prod" {
-  count    = local.is-production ? 1 : 0
-  provider = aws.core-network-services
-
-  zone_id = data.aws_route53_zone.application_zone.zone_id
-  name    = local.application_data.accounts[local.environment].domain_name
-  type    = "A"
+resource "aws_route53_record" "external" {
+  count    = local.is-production ? 0 : 1
+  provider = aws.core-vpc
+  zone_id  = data.aws_route53_zone.external.zone_id
+  name     = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+  type     = "A"
 
   alias {
     name                   = aws_lb.ncas_lb.dns_name

diff --git a/terraform/environments/ncas/load_balancer.tf b/terraform/environments/ncas/load_balancer.tf
@@ -270,7 +270,7 @@ resource "aws_lb_listener" "ncas_lb" {
   depends_on = [
     aws_acm_certificate.external
   ]
-  certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
+  certificate_arn   = local.is-production ? aws_acm_certificate.external.arn : aws_acm_certificate.external.arn
   load_balancer_arn = aws_lb.ncas_lb.arn
   port              = local.application_data.accounts[local.environment].server_port_2
   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2