Merge pull request #8496 from ministryofjustice/chore/ap-ingestion-ne…

…twork-debug

🧪 Debugging MoJO

terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf

@@ -8,3 +8,13 @@ module "transfer_structured_logs" {
   kms_key_id        = module.transfer_logs_kms.key_arn
   retention_in_days = 400
 }
+
+module "connected_vpc_route53_resolver_logs" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
+  version = "5.6.0"
+
+  name              = "/aws/route53-resolver/connected-vpc"
+  retention_in_days = 400
+}

terraform/environments/analytical-platform-ingestion/ec2-instances.tf

@@ -2,7 +2,7 @@ module "datasync_instance" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 
   source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "5.7.0"
+  version = "5.7.1"
 
   name = "${local.application_name}-${local.environment}-datasync"
   # ami                    = data.aws_ssm_parameter.datasync_ami.value
@@ -41,3 +41,40 @@ module "datasync_instance" {
     }
   )
 }
+
+/* This instance is temporary and will be retired when we're satisfied with DataSync end-to-end */
+module "mojo_network_debug_instance" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "5.7.1"
+
+  name                        = "mojo-network-debug"
+  ami                         = "ami-0acc77abdfc7ed5a6"
+  instance_type               = "t3.micro"
+  subnet_id                   = element(module.connected_vpc.private_subnets, 0)
+  vpc_security_group_ids      = [module.mojo_network_debug_security_group.security_group_id]
+  associate_public_ip_address = false
+
+  root_block_device = [
+    {
+      encrypted   = true
+      volume_type = "gp3"
+      volume_size = 8
+    }
+  ]
+
+  create_iam_instance_profile = true
+  iam_role_policies = {
+    SSMCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
+
+  metadata_options = {
+    http_endpoint               = "enabled"
+    http_put_response_hop_limit = 1
+    http_tokens                 = "required"
+    instance_metadata_tags      = "enabled"
+  }
+
+  tags = local.tags
+}

terraform/environments/analytical-platform-ingestion/environment-configuration.tf

@@ -15,18 +15,17 @@ locals {
 
       /* Transit Gateway */
       transit_gateway_routes = [
-        /* MoJO DNS Resolver Service */
-        "10.180.80.5/32",
-        "10.180.81.5/32"
+        /* Send all traffic not destined for local down to the transit gateway */
+        "10.0.0.0/8"
       ]
 
       /* Observability Platform */
       observability_platform = "development"
 
       /* Image Versions */
-      scan_image_version     = "0.1.2"
-      transfer_image_version = "0.0.17"
-      notify_image_version   = "0.0.18"
+      scan_image_version     = "0.1.3"
+      transfer_image_version = "0.0.18"
+      notify_image_version   = "0.0.19"
 
       /* Target Buckets */
       target_buckets = ["mojap-land-dev"]
@@ -60,18 +59,17 @@ locals {
 
       /* Transit Gateway */
       transit_gateway_routes = [
-        /* MoJO DNS Resolver Service */
-        "10.180.80.5/32",
-        "10.180.81.5/32"
+        /* Send all traffic not destined for local down to the transit gateway */
+        "10.0.0.0/8"
       ]
 
       /* Observability Platform */
       observability_platform = "production"
 
       /* Image Versions */
-      scan_image_version     = "0.1.2"
-      transfer_image_version = "0.0.17"
-      notify_image_version   = "0.0.18"
+      scan_image_version     = "0.1.3"
+      transfer_image_version = "0.0.18"
+      notify_image_version   = "0.0.19"
 
       /* Target Buckets */
       target_buckets = ["mojap-land"]

terraform/environments/analytical-platform-ingestion/route53-resolver-query-logging.tf

@@ -0,0 +1,9 @@
+resource "aws_route53_resolver_query_log_config" "connected_vpc" {
+  name            = "connected-vpc"
+  destination_arn = module.connected_vpc_route53_resolver_logs.cloudwatch_log_group_arn
+}
+
+resource "aws_route53_resolver_query_log_config_association" "connected_vpc" {
+  resolver_query_log_config_id = aws_route53_resolver_query_log_config.connected_vpc.id
+  resource_id                  = module.connected_vpc.vpc_id
+}

terraform/environments/analytical-platform-ingestion/security-group-rules.tf

@@ -1,5 +1,5 @@
 resource "aws_security_group_rule" "connected_vpc_endpoints_allow_all_vpc" {
-  cidr_blocks       = [module.isolated_vpc.vpc_cidr_block]
+  cidr_blocks       = [module.connected_vpc.vpc_cidr_block]
   description       = "Allow all traffic in from VPC CIDR"
   from_port         = 0
   protocol          = -1

terraform/environments/analytical-platform-ingestion/security-groups.tf

@@ -191,3 +191,19 @@ moved {
   from = module.datasync_security_group
   to   = module.datasync_instance_security_group
 }
+
+/* This security group is temporary and will be retired when we're satisfied with DataSync end-to-end */
+module "mojo_network_debug_security_group" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.2.0"
+
+  name        = "mojo-network-debug"
+  vpc_id      = module.connected_vpc.vpc_id
+
+  egress_cidr_blocks  = ["0.0.0.0/0"]
+  egress_rules        = ["all-all"]
+
+  tags = local.tags
+}

terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf

@@ -20,6 +20,37 @@ module "connected_vpc_endpoints" {
         local.tags,
         { Name = format("%s-datasync", "${local.application_name}-${local.environment}-connected") }
       )
+    },
+    /*  These VPC endpoints (ssm, ssmmessages and ec2messages) are temporary and will be retired when we're satisfied with DataSync end-to-end */
+    ssm = {
+      service             = "ssm"
+      service_type        = "Interface"
+      private_dns_enabled = true
+      security_group_ids  = [aws_security_group.connected_vpc_endpoints.id]
+      tags = merge(
+        local.tags,
+        { Name = format("%s-ssm", "${local.application_name}-${local.environment}-connected") }
+      )
+    },
+    ssmmessages = {
+      service             = "ssmmessages"
+      service_type        = "Interface"
+      private_dns_enabled = true
+      security_group_ids  = [aws_security_group.connected_vpc_endpoints.id]
+      tags = merge(
+        local.tags,
+        { Name = format("%s-ssmmessages", "${local.application_name}-${local.environment}-connected") }
+      )
+    },
+    ec2messages = {
+      service             = "ec2messages"
+      service_type        = "Interface"
+      private_dns_enabled = true
+      security_group_ids  = [aws_security_group.connected_vpc_endpoints.id]
+      tags = merge(
+        local.tags,
+        { Name = format("%s-ec2messages", "${local.application_name}-${local.environment}-connected") }
+      )
     }
   }
 }

terraform/environments/analytical-platform-ingestion/vpc.tf

@@ -10,6 +10,10 @@ module "connected_vpc" {
   private_subnets = local.environment_configuration.connected_vpc_private_subnets
   public_subnets  = local.environment_configuration.connected_vpc_public_subnets
 
+  /* NAT gateway is temporary and will be retired when we're satisfied with DataSync end-to-end */
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
   enable_flow_log                      = true
   create_flow_log_cloudwatch_log_group = true
   create_flow_log_cloudwatch_iam_role  = true