Merge pull request #8440 from ministryofjustice/feat/ap-ingestion-r53…

…-resolver

🌐 Add Route53 resolver endpoint

.github/workflows/reusable_terraform_plan_apply.yml

@@ -162,7 +162,7 @@ jobs:
         working-directory: "terraform/environments/${{ inputs.application }}"
         shell: bash
         run: |
-          bash -x ${GITHUB_WORKSPACE}/scripts/terraform-plan-evaluator.sh tfplan.json
+          bash ${GITHUB_WORKSPACE}/scripts/terraform-plan-evaluator.sh tfplan.json
 
       - name: Create Plan PR message (Optional)
         if: github.event_name == 'pull_request' && steps.plan.outputs.exitcode == '2' && inputs.post_plan_to_pr == true

scripts/terraform-plan-evaluator.sh

@@ -33,12 +33,11 @@ RESOURCES_TO_CHECK_FOR=(
 resourcesFound=false
 
 for resource in "${RESOURCES_TO_CHECK_FOR[@]}"; do
+  echo "Checking for resource: ${resource}"
   checkForResource=$(jq -r --arg resourceType "${resource}" '.resource_changes[] | select(.type == $resourceType) | .change.actions[] | select(. != "no-op" and . != "read")' "${TERRAFORM_PLAN}")
   if [[ -n "${checkForResource}" ]]; then
     echo "Resource ${resource} found in plan"
     resourcesFound=true
-  else
-    echo "Resource ${resource} not found in plan"
   fi
 done
 

terraform/environments/analytical-platform-ingestion/environment-configuration.tf

@@ -13,6 +13,13 @@ locals {
       isolated_vpc_enable_nat_gateway     = true
       isolated_vpc_one_nat_gateway_per_az = true
 
+      /* Transit Gateway */
+      transit_gateway_routes = [
+        /* MoJO DNS Resolver Service */
+        "10.180.80.5/32",
+        "10.180.81.5/32"
+      ]
+
       /* Observability Platform */
       observability_platform = "development"
 
@@ -51,6 +58,13 @@ locals {
       isolated_vpc_enable_nat_gateway     = true
       isolated_vpc_one_nat_gateway_per_az = true
 
+      /* Transit Gateway */
+      transit_gateway_routes = [
+        /* MoJO DNS Resolver Service */
+        "10.180.80.5/32",
+        "10.180.81.5/32"
+      ]
+
       /* Observability Platform */
       observability_platform = "production"
 

terraform/environments/analytical-platform-ingestion/modules/routes/main.tf

@@ -0,0 +1,7 @@
+resource "aws_route" "this" {
+  for_each = toset(var.destination_cidr_blocks)
+
+  route_table_id         = var.route_table_id
+  destination_cidr_block = each.value
+  transit_gateway_id     = var.transit_gateway_id
+}

terraform/environments/analytical-platform-ingestion/modules/routes/providers.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+  required_version = "~> 1.0"
+}

terraform/environments/analytical-platform-ingestion/modules/routes/variables.tf

@@ -0,0 +1,11 @@
+variable "route_table_id" {
+  type = string
+}
+
+variable "destination_cidr_blocks" {
+  type = list(string)
+}
+
+variable "transit_gateway_id" {
+  type = string
+}

terraform/environments/analytical-platform-ingestion/route53-resolver-associations.tf

@@ -0,0 +1,13 @@
+module "connected_vpc_route53_resolver_associations" {
+
+  source  = "terraform-aws-modules/route53/aws//modules/resolver-rule-associations"
+  version = "4.1.0"
+
+  vpc_id = module.connected_vpc.vpc_id
+
+  resolver_rule_associations = {
+    mojo-dns-resolver-dom1-infra-int = {
+      resolver_rule_id = aws_route53_resolver_rule.mojo_dns_resolver_dom1_infra_int.id
+    }
+  }
+}

terraform/environments/analytical-platform-ingestion/route53-resolver-endpoints.tf

@@ -0,0 +1,27 @@
+module "connected_vpc_outbound_route53_resolver_endpoint" {
+  source  = "terraform-aws-modules/route53/aws//modules/resolver-endpoints"
+  version = "4.1.0"
+
+  name      = "connected-vpc-outbound"
+  vpc_id    = module.connected_vpc.vpc_id
+  direction = "OUTBOUND"
+  protocols = ["Do53"]
+
+  ip_address = [
+    {
+      subnet_id = module.connected_vpc.private_subnets[0]
+    },
+    {
+      subnet_id = module.connected_vpc.private_subnets[1]
+    }
+  ]
+
+  security_group_ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
+  security_group_egress_cidr_blocks = [
+    /* MoJO DNS Resolver Service */
+    "10.180.80.5/32",
+    "10.180.81.5/32"
+  ]
+
+  tags = local.tags
+}

terraform/environments/analytical-platform-ingestion/route53-resolver-rules.tf

@@ -0,0 +1,18 @@
+resource "aws_route53_resolver_rule" "mojo_dns_resolver_dom1_infra_int" {
+  name                 = "mojo-dns-resolver-dom1-infra-int"
+  domain_name          = "dom1.infra.int"
+  rule_type            = "FORWARD"
+  resolver_endpoint_id = module.connected_vpc_outbound_route53_resolver_endpoint.route53_resolver_endpoint_id
+
+  /* MoJO DNS Resolver Service */
+  target_ip {
+    ip = "10.180.80.5"
+  }
+
+  /* MoJO DNS Resolver Service */
+  target_ip {
+    ip = "10.180.81.5"
+  }
+
+  tags = local.tags
+}

terraform/environments/analytical-platform-ingestion/routes.tf

@@ -0,0 +1,9 @@
+module "connected_vpc_transit_gateway_routes" {
+  for_each = toset(module.connected_vpc.private_route_table_ids)
+
+  source = "./modules/routes"
+
+  route_table_id          = each.value
+  destination_cidr_blocks = local.environment_configuration.transit_gateway_routes
+  transit_gateway_id      = data.aws_ec2_transit_gateway.moj_tgw.id
+}

terraform/environments/analytical-platform-ingestion/scripts/get-ip-address.sh

@@ -4,4 +4,4 @@
 ip="$(curl --silent https://cloudflare.com/cdn-cgi/trace | awk -F= '/ip=/{print $2}')"
 
 # Return it as a JSON object
-echo "{\"ip\": \"${ip}\"}"
+echo "{\"ip\": \"${ip}\"}"

terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf

@@ -6,7 +6,6 @@ module "connected_vpc_endpoints" {
 
   vpc_id     = module.connected_vpc.vpc_id
   subnet_ids = module.connected_vpc.private_subnets
-  # security_group_ids = [aws_security_group.connected_vpc_endpoints.id]
 
   endpoints = {
     datasync = {