Add load balancer certificate (#4548)

ministryofjustice · Jan 15, 2024 · ee35751 · ee35751
1 parent aec9ca3
commit ee35751
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 60 deletions.
diff --git a/terraform/environments/hmpps-domain-services/locals_development.tf b/terraform/environments/hmpps-domain-services/locals_development.tf
@@ -5,21 +5,22 @@ locals {
   development_config = {
 
     baseline_acm_certificates = {
-      # remote_desktop_wildcard_cert = {
-      #   # domain_name limited to 64 chars so use modernisation platform domain for this
-      #   # and put the wildcard in the san
-      #   domain_name = module.environment.domains.public.modernisation_platform
-      #   subject_alternate_names = [
-      #     "*.${module.environment.domains.public.application_environment}",
-      #     "hmppgw2.justice.gov.uk",
-      #     "*.hmppgw2.justice.gov.uk",
-      #   ]
-      #   external_validation_records_created = false
-      #   cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
-      #   tags = {
-      #     description = "wildcard cert for remote desktop services"
-      #   }
-      # }
+      remote_desktop_wildcard_cert = {
+        # domain_name limited to 64 chars so use modernisation platform domain for this
+        # and put the wildcard in the san
+        domain_name = module.environment.domains.public.modernisation_platform
+        subject_alternate_names = [
+          "*.${module.environment.domains.public.application_environment}",
+          "*.development.hmpps-domain.service.justice.gov.uk",
+          "hmppgw2.justice.gov.uk",
+          "*.hmppgw2.justice.gov.uk",
+        ]
+        external_validation_records_created = false
+        cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
+        tags = {
+          description = "wildcard cert for hmpps domain load balancer"
+        }
+      }
     }
 
     baseline_ec2_autoscaling_groups = {

diff --git a/terraform/environments/hmpps-domain-services/locals_preproduction.tf b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
@@ -5,21 +5,20 @@ locals {
   preproduction_config = {
 
     baseline_acm_certificates = {
-      # remote_desktop_wildcard_cert = {
-      #   # domain_name limited to 64 chars so use modernisation platform domain for this
-      #   # and put the wildcard in the san
-      #   domain_name = module.environment.domains.public.modernisation_platform
-      #   subject_alternate_names = [
-      #     "*.${module.environment.domains.public.application_environment}",
-      #     "pp.hmpps-az-gw1.justice.gov.uk",
-      #     "*.pp.hmpps-az-gw1.justice.gov.uk",
-      #   ]
-      #   external_validation_records_created = false
-      #   cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
-      #   tags = {
-      #     description = "wildcard cert for remote desktop services"
-      #   }
-      # }
+      remote_desktop_wildcard_cert = {
+        # domain_name limited to 64 chars so use modernisation platform domain for this
+        # and put the wildcard in the san
+        domain_name = module.environment.domains.public.modernisation_platform
+        subject_alternate_names = [
+          "*.${module.environment.domains.public.application_environment}",
+          "*.preproduction.hmpps-domain.service.justice.gov.uk",
+        ]
+        external_validation_records_created = false
+        cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
+        tags = {
+          description = "wildcard cert for hmpps domain load balancer"
+        }
+      }
     }
 
     baseline_lbs = {

diff --git a/terraform/environments/hmpps-domain-services/locals_production.tf b/terraform/environments/hmpps-domain-services/locals_production.tf
@@ -5,21 +5,22 @@ locals {
   production_config = {
 
     baseline_acm_certificates = {
-      # remote_desktop_wildcard_cert = {
-      #   # domain_name limited to 64 chars so use modernisation platform domain for this
-      #   # and put the wildcard in the san
-      #   domain_name = module.environment.domains.public.modernisation_platform
-      #   subject_alternate_names = [
-      #     "*.${module.environment.domains.public.application_environment}",
-      #     "hmpps-az-gw1.justice.gov.uk",
-      #     "*.hmpps-az-gw1.justice.gov.uk",
-      #   ]
-      #   external_validation_records_created = false
-      #   cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
-      #   tags = {
-      #     description = "wildcard cert for remote desktop services"
-      #   }
-      # }
+      remote_desktop_wildcard_cert = {
+        # domain_name limited to 64 chars so use modernisation platform domain for this
+        # and put the wildcard in the san
+        domain_name = module.environment.domains.public.modernisation_platform
+        subject_alternate_names = [
+          "*.${module.environment.domains.public.application_environment}",
+          "*.hmpps-domain.service.justice.gov.uk",
+          "hmpps-az-gw1.justice.gov.uk",
+          "*.hmpps-az-gw1.justice.gov.uk",
+        ]
+        external_validation_records_created = false
+        cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
+        tags = {
+          description = "wildcard cert for hmpps domain load balancer"
+        }
+      }
     }
 
     baseline_lbs = {
@@ -74,6 +75,12 @@ locals {
 
     baseline_route53_zones = {
       "hmpps-domain.service.justice.gov.uk" = {
+        records = [
+          { name = "development", type = "NS", ttl = "86400", records = [] },
+          { name = "test", type = "NS", ttl = "86400", records = ["ns-134.awsdns-16.com", "ns-1426.awsdns-50.org", "ns-1934.awsdns-49.co.uk", "ns-927.awsdns-51.net", ] },
+          { name = "preproduction", type = "NS", ttl = "86400", records = ["ns-1509.awsdns-60.org", "ns-1925.awsdns-48.co.uk", "ns-216.awsdns-27.com", "ns-753.awsdns-30.net", ] },
+        ]
+
         lb_alias_records = [
           { name = "rdgateway1", type = "A", lbs_map_key = "public" },
           { name = "rdweb1", type = "A", lbs_map_key = "public" },

diff --git a/terraform/environments/hmpps-domain-services/locals_test.tf b/terraform/environments/hmpps-domain-services/locals_test.tf
@@ -12,21 +12,22 @@ locals {
     }
 
     baseline_acm_certificates = {
-      # remote_desktop_wildcard_cert = {
-      #   # domain_name limited to 64 chars so use modernisation platform domain for this
-      #   # and put the wildcard in the san
-      #   domain_name = module.environment.domains.public.modernisation_platform
-      #   subject_alternate_names = [
-      #     "*.${module.environment.domains.public.application_environment}",
-      #     "hmppgw1.justice.gov.uk",
-      #     "*.hmppgw1.justice.gov.uk",
-      #   ]
-      #   external_validation_records_created = false
-      #   cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
-      #   tags = {
-      #     description = "wildcard cert for remote desktop services"
-      #   }
-      # }
+      remote_desktop_wildcard_cert = {
+        # domain_name limited to 64 chars so use modernisation platform domain for this
+        # and put the wildcard in the san
+        domain_name = module.environment.domains.public.modernisation_platform
+        subject_alternate_names = [
+          "*.${module.environment.domains.public.application_environment}",
+          "*.test.hmpps-domain.service.justice.gov.uk",
+          "hmppgw1.justice.gov.uk",
+          "*.hmppgw1.justice.gov.uk",
+        ]
+        external_validation_records_created = false
+        cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
+        tags = {
+          description = "wildcard cert for hmpps domain load balancer"
+        }
+      }
     }
 
     baseline_ec2_autoscaling_groups = {