Merge branch 'main' of github.com:ministryofjustice/modernisation-pla…

…tform-environments

.github/workflows/code-scanning.yml

@@ -81,7 +81,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@241876ea3d5fabb323aa396efc2bd215c7553820 # v12.2882.0
+        uses: bridgecrewio/checkov-action@806e3d5cf1c14ea518f62a78eeb1873a790f3a69 # v12.2883.0
         with:
           directory: ./
           framework: terraform

terraform/environments/analytical-platform-ingestion/data.tf

@@ -33,3 +33,7 @@ data "dns_a_record_set" "datasync_activation_nlb" {
 data "aws_network_interface" "datasync_vpc_endpoint" {
   id = tolist(module.connected_vpc_endpoints.endpoints["datasync"].network_interface_ids)[0]
 }
+
+data "aws_ec2_transit_gateway" "moj_tgw" {
+  id = "tgw-026162f1ba39ce704"
+}

terraform/environments/analytical-platform-ingestion/security-groups.tf

@@ -90,10 +90,10 @@ module "datasync_activation_nlb_security_group" {
   vpc_id = module.connected_vpc.vpc_id
 
   egress_cidr_blocks = ["${local.environment_configuration.datasync_instance_private_ip}/32"]
-  egress_rules       = ["http-80-tcp",]
+  egress_rules       = ["http-80-tcp", ]
 
   ingress_cidr_blocks = ["${data.external.external_ip.result["ip"]}/32"]
-  ingress_rules = ["http-80-tcp"]
+  ingress_rules       = ["http-80-tcp"]
 
   tags = local.tags
 }
@@ -110,7 +110,7 @@ module "datasync_vpc_endpoint_security_group" {
   vpc_id = module.connected_vpc.vpc_id
 
   egress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
-  egress_rules       = ["all-all",]
+  egress_rules       = ["all-all", ]
 
   ingress_with_cidr_blocks = [
     {

terraform/environments/analytical-platform-ingestion/transit-gateway-vpc-attachments.tf

@@ -0,0 +1,8 @@
+resource "aws_ec2_transit_gateway_vpc_attachment" "moj_tgw" {
+  transit_gateway_id                 = data.aws_ec2_transit_gateway.moj_tgw.id
+  vpc_id                             = module.connected_vpc.vpc_id
+  subnet_ids                         = module.connected_vpc.private_subnets
+  security_group_referencing_support = "enable"
+
+  tags = local.tags
+}

terraform/environments/apex/backups.tf

@@ -57,13 +57,13 @@ resource "aws_backup_vault_policy" "apex" {
 }
 
 ############################################################################
-## This following is required for setting up hourly backup for production
+## This following is required for setting up backup for production
 ############################################################################
 
 
 resource "aws_backup_vault" "prod_apex" {
   count = local.environment == "production" ? 1 : 0
-  name = "${local.application_name}-production-backup-vault"
+  name  = "${local.application_name}-production-backup-vault"
   tags = merge(
     local.tags,
     { "Name" = "${local.application_name}-production-backup-vault" },
@@ -72,14 +72,14 @@ resource "aws_backup_vault" "prod_apex" {
 
 resource "aws_backup_plan" "prod_apex" {
   count = local.environment == "production" ? 1 : 0
-  name  = "${local.application_name}-backup-hourly-retain-35-days"
+  name  = "${local.application_name}-backup-retain-35-days"
 
   rule {
-    rule_name         = "${local.application_name}-backup-hourly-retain-35-days"
+    rule_name         = "${local.application_name}-backup-retain-35-days"
     target_vault_name = aws_backup_vault.prod_apex[0].name
 
-    # Backup hourly
-    schedule = "cron(0 * * * ? *)"
+    # Backup every 6 hours on the hour
+    schedule = "cron(0 0,6,12,18 * * ? *)"
 
     lifecycle {
       delete_after = 35
@@ -108,7 +108,7 @@ resource "aws_backup_selection" "prod_apex" {
 
   condition {
     string_equals {
-      key   = "aws:ResourceTag/snapshot-with-hourly-35-day-retention"
+      key   = "aws:ResourceTag/snapshot-35-day-retention"
       value = "yes"
     }
     # TODO tags required to be confirmed

terraform/environments/apex/cloudwatch.tf

@@ -51,7 +51,7 @@ resource "aws_cloudwatch_metric_alarm" "database_cpu" {
 resource "aws_cloudwatch_metric_alarm" "database_oracle_alerts" {
 
   alarm_name          = "${local.application_name}-${local.environment}-oracle-alerts-log-errors"
-  alarm_description   = "Errors Detected in Oracle Alerts Log."
+  alarm_description   = "Errors Detected in Oracle Alerts Log, please check the log group ${aws_cloudwatch_log_group.database.name}"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = "1"
   metric_name         = aws_cloudwatch_log_metric_filter.database.name

terraform/environments/apex/cloudwatch_agent_config.json

@@ -90,6 +90,11 @@
             "file_path": "/home/oracle/logs/pmon_status_alert.log",
             "log_group_name": "APEX-EC2-database-pmon-status",
             "log_stream_name": "pmon-status-{instance_id}"
+          },
+          {
+            "file_path": "/home/oracle/logs/alert_log_check.txt",
+            "log_group_name": "APEX-EC2-database-alert",
+            "log_stream_name": "alertlog-{instance_id}"
           }
         ]
       }

terraform/environments/apex/ec2.tf

@@ -26,14 +26,16 @@ resource "aws_instance" "apex_db_instance" {
     tags = merge(
       local.tags,
       { "Name" = "${local.application_name}db-ec2-root" },
-      local.backup_schedule_tags
+      { "backup" = "false" }
     )
   }
 
   tags = merge(
     local.tags,
     { "Name" = local.database_ec2_name },
-    { "instance-scheduling" = "skip-scheduling" }
+    { "instance-scheduling" = "skip-scheduling" },
+    { "backup" = "false" },
+    local.backup_schedule_tags
   )
 }
 
@@ -177,7 +179,7 @@ resource "aws_ebs_volume" "u01-orahome" {
   tags = merge(
     local.tags,
     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
-    local.backup_schedule_tags
+    { "backup" = "false" }
   )
 }
 resource "aws_volume_attachment" "u01-orahome" {
@@ -199,7 +201,7 @@ resource "aws_ebs_volume" "u02-oradata" {
   tags = merge(
     local.tags,
     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
-    local.backup_schedule_tags
+    { "backup" = "false" }
   )
 }
 
@@ -224,7 +226,7 @@ resource "aws_ebs_volume" "u03-redo" {
   tags = merge(
     local.tags,
     { "Name" = "${local.application_name}db-ec2-u03-redo" },
-    local.backup_schedule_tags
+    { "backup" = "false" }
   )
 }
 resource "aws_volume_attachment" "u03-redo" {
@@ -246,7 +248,7 @@ resource "aws_ebs_volume" "u04-arch" {
   tags = merge(
     local.tags,
     { "Name" = "${local.application_name}db-ec2-u04-arch" },
-    local.backup_schedule_tags
+    { "backup" = "false" }
   )
 }
 resource "aws_volume_attachment" "u04-arch" {
@@ -318,4 +320,3 @@ resource "aws_cloudwatch_log_metric_filter" "pmon_status" {
 
 
 
-

terraform/environments/apex/efs.tf

@@ -46,8 +46,7 @@ resource "aws_efs_file_system" "efs" {
 
   tags = merge(
     local.tags,
-    { "Name" = "mp-${local.application_name}-efs" },
-    local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
+    { "Name" = "mp-${local.application_name}-efs" }
   )
 
   lifecycle_policy {

terraform/environments/apex/locals.tf

@@ -78,7 +78,7 @@ locals {
   app_db_password_name = "APP_APEX_DBPASSWORD_TAD"
   db_hostname          = "db.${local.application_name}"
 
-  backup_schedule_tags = local.environment == "production" ? { "snapshot-with-hourly-35-day-retention" = "yes" } : { "snapshot-with-daily-7-day-retention" = "yes" }
+  backup_schedule_tags       = local.environment == "production" ? { "snapshot-35-day-retention" = "yes" } : null
   database-instance-userdata = <<EOF
 #!/bin/bash
 cd /tmp