From ee35751025f263e8ee4292c0a23fe641469b907f Mon Sep 17 00:00:00 2001
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date: Mon, 15 Jan 2024 15:00:49 +0000
Subject: [PATCH] Add load balancer certificate (#4548)

---
 .../locals_development.tf | 31 ++++++++--------
 .../locals_preproduction.tf | 29 +++++++-------
 .../locals_production.tf | 37 +++++++++++--------
 .../hmpps-domain-services/locals_test.tf | 31 ++++++++--------
 4 files changed, 68 insertions(+), 60 deletions(-)

diff --git a/terraform/environments/hmpps-domain-services/locals_development.tf b/terraform/environments/hmpps-domain-services/locals_development.tf
index 777df34f25d..c99d5dd81a4 100644
--- a/terraform/environments/hmpps-domain-services/locals_development.tf
+++ b/terraform/environments/hmpps-domain-services/locals_development.tf
@@ -5,21 +5,22 @@ locals {
 development_config = {
 baseline_acm_certificates = {
- # remote_desktop_wildcard_cert = {
- # # domain_name limited to 64 chars so use modernisation platform domain for this
- # # and put the wildcard in the san
- # domain_name = module.environment.domains.public.modernisation_platform
- # subject_alternate_names = [
- # "*.${module.environment.domains.public.application_environment}",
- # "hmppgw2.justice.gov.uk",
- # "*.hmppgw2.justice.gov.uk",
- # ]
- # external_validation_records_created = false
- # cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
- # tags = {
- # description = "wildcard cert for remote desktop services"
- # }
- # }
+ remote_desktop_wildcard_cert = {
+ # domain_name limited to 64 chars so use modernisation platform domain for this
+ # and put the wildcard in the san
+ domain_name = module.environment.domains.public.modernisation_platform
+ subject_alternate_names = [
+ "*.${module.environment.domains.public.application_environment}",
+ "*.development.hmpps-domain.service.justice.gov.uk",
+ "hmppgw2.justice.gov.uk",
+ "*.hmppgw2.justice.gov.uk",
+ ]
+ external_validation_records_created = false
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
+ tags = {
+ description = "wildcard cert for hmpps domain load balancer"
+ }
+ }
 }
 baseline_ec2_autoscaling_groups = {
diff --git a/terraform/environments/hmpps-domain-services/locals_preproduction.tf b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
index 0e610912e4d..79ac78fbc85 100644
--- a/terraform/environments/hmpps-domain-services/locals_preproduction.tf
+++ b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
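Review bot: The new SAN `*.development.hmpps-domain.service.justice.gov.uk` cannot be DNS-validated as things stand, because the `development` NS delegation this same patch adds to the parent zone in locals_production.tf is written with `records = []`, so nothing under that subdomain resolves yet; ACM issues only once every SAN has validated, so this one name would presumably hold the whole load balancer certificate in PENDING_VALIDATION. Either land the delegation first or mark the dependency on the SAN line, e.g. `"*.development.hmpps-domain.service.justice.gov.uk", # requires the development subzone to be delegated from hmpps-domain.service.justice.gov.uk`. The enclosing development_config map starts and ends outside this hunk.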
@@ -5,21 +5,20 @@ locals {
 preproduction_config = {
 baseline_acm_certificates = {
- # remote_desktop_wildcard_cert = {
-  # domain_name limited to 64 chars so use modernisation platform domain for this
- # # and put the wildcard in the san
- # domain_name = module.environment.domains.public.modernisation_platform
- # subject_alternate_names = [
- # "*.${module.environment.domains.public.application_environment}",
- # "pp.hmpps-az-gw1.justice.gov.uk",
-  "*.pp.hmpps-az-gw1.justice.gov.uk",
- # ]
- # external_validation_records_created = false
-  cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
-  tags = {
-  description = "wildcard cert for remote desktop services"
-  }
- }
+ remote_desktop_wildcard_cert = {
+ # domain_name limited to 64 chars so use modernisation platform domain for this
+ # and put the wildcard in the san
+ domain_name = module.environment.domains.public.modernisation_platform
+ subject_alternate_names = [
+ "*.${module.environment.domains.public.application_environment}",
+ "*.preproduction.hmpps-domain.service.justice.gov.uk",
+ ]
+ external_validation_records_created = false
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
+ tags = {
+ description = "wildcard cert for hmpps domain load balancer"
+ }
+ }
 }
 baseline_lbs = {
diff --git a/terraform/environments/hmpps-domain-services/locals_production.tf b/terraform/environments/hmpps-domain-services/locals_production.tf
index 0ffd1579e63..1deaf7eecdf 100644
--- a/terraform/environments/hmpps-domain-services/locals_production.tf
+++ b/terraform/environments/hmpps-domain-services/locals_production.tf
@@ -5,21 +5,22 @@ locals {
 production_config = {
 baseline_acm_certificates = {
- # remote_desktop_wildcard_cert = {
- # # domain_name limited to 64 chars so use modernisation platform domain for this
- # # and put the wildcard in the san
- # domain_name = module.environment.domains.public.modernisation_platform
- # subject_alternate_names = [
- # "*.${module.environment.domains.public.application_environment}",
- # "hmpps-az-gw1.justice.gov.uk",
- # "*.hmpps-az-gw1.justice.gov.uk",
- # ]
- # external_validation_records_created = false
- # cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
-  tags = {
- description = "wildcard cert for remote desktop services"
- # }
- # }
+ remote_desktop_wildcard_cert = {
+ # domain_name limited to 64 chars so use modernisation platform domain for this
+ # and put the wildcard in the san
+ domain_name = module.environment.domains.public.modernisation_platform
+ subject_alternate_names = [
+ "*.${module.environment.domains.public.application_environment}",
+ "*.hmpps-domain.service.justice.gov.uk",
+ "hmpps-az-gw1.justice.gov.uk",
+ "*.hmpps-az-gw1.justice.gov.uk",
+ ]
+ external_validation_records_created = false
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
+ tags = {
+ description = "wildcard cert for hmpps domain load balancer"
+ }
+ }
 }
 baseline_lbs = {
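Review bot: The `external_validation_records_created = false` line now sits on a certificate whose SANs span three DNS zones (the modernisation platform domain, `*.hmpps-domain.service.justice.gov.uk`, and `hmpps-az-gw1.justice.gov.uk`), and nothing in the hunk records which validation CNAMEs this stack creates and which the owner of the externally hosted zone must place by hand; since ACM issues only when every SAN validates, one missing CNAME leaves the load balancer without a certificate for all of these names. A comment on that line would make the out-of-band step explicit, e.g. `external_validation_records_created = false # validation CNAMEs for hmpps-az-gw1.justice.gov.uk are created outside this stack - confirm with the zone owner`. Worth noting for readers that `*.hmpps-domain.service.justice.gov.uk` matches a single label only, so it does not cover hosts in the delegated development/test/preproduction subzones, which is presumably why each environment file carries its own wildcard. The enclosing production_config map starts and ends outside this hunk.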
@@ -74,6 +75,12 @@ locals {
 baseline_route53_zones = {
 "hmpps-domain.service.justice.gov.uk" = {
+ records = [
+ { name = "development", type = "NS", ttl = "86400", records = [] },
+ { name = "test", type = "NS", ttl = "86400", records = ["ns-134.awsdns-16.com", "ns-1426.awsdns-50.org", "ns-1934.awsdns-49.co.uk", "ns-927.awsdns-51.net", ] },
+ { name = "preproduction", type = "NS", ttl = "86400", records = ["ns-1509.awsdns-60.org", "ns-1925.awsdns-48.co.uk", "ns-216.awsdns-27.com", "ns-753.awsdns-30.net", ] },
+ ]
+
 lb_alias_records = [
 { name = "rdgateway1", type = "A", lbs_map_key = "public" },
 { name = "rdweb1", type = "A", lbs_map_key = "public" },
diff --git a/terraform/environments/hmpps-domain-services/locals_test.tf b/terraform/environments/hmpps-domain-services/locals_test.tf
index db418bfd826..66a09a720e1 100644
--- a/terraform/environments/hmpps-domain-services/locals_test.tf
+++ b/terraform/environments/hmpps-domain-services/locals_test.tf
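Review bot: The `development` entry is added with `records = []`, and Route53 does not accept a non-alias record set with no values, so unless the baseline module drops empty lists this entry will fail at apply; if the module does filter it out, the development subzone is silently left undelegated while locals_development.tf in this same patch already requests a `*.development.hmpps-domain.service.justice.gov.uk` SAN that depends on it. Either remove the entry until the child zone's nameservers are known or fill them in now. The `test` and `preproduction` nameserver values are hard-coded copies of what the child hosted zones were assigned, so a comment above the list such as `# NS values must match the hosted zone in the child account; re-copy them if that zone is ever recreated` would tell the next maintainer why delegation breaks when a zone is rebuilt. The enclosing baseline_route53_zones map continues outside this hunk.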
@@ -12,21 +12,22 @@ locals {
 }
 baseline_acm_certificates = {
- # remote_desktop_wildcard_cert = {
- # # domain_name limited to 64 chars so use modernisation platform domain for this
- # # and put the wildcard in the san
- # domain_name = module.environment.domains.public.modernisation_platform
- # subject_alternate_names = [
- # "*.${module.environment.domains.public.application_environment}",
- # "hmppgw1.justice.gov.uk",
- # "*.hmppgw1.justice.gov.uk",
-  ]
- # external_validation_records_created = false
- # cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
- # tags = {
-  description = "wildcard cert for remote desktop services"
-  }
- # }
+ remote_desktop_wildcard_cert = {
+ # domain_name limited to 64 chars so use modernisation platform domain for this
+ # and put the wildcard in the san
+ domain_name = module.environment.domains.public.modernisation_platform
+ subject_alternate_names = [
+ "*.${module.environment.domains.public.application_environment}",
+ "*.test.hmpps-domain.service.justice.gov.uk",
+ "hmppgw1.justice.gov.uk",
+ "*.hmppgw1.justice.gov.uk",
+ ]
+ external_validation_records_created = false
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
+ tags = {
+ description = "wildcard cert for hmpps domain load balancer"
+ }
+ }
 }
 baseline_ec2_autoscaling_groups = {
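Review bot: The `remote_desktop_wildcard_cert` block is now repeated verbatim in all four environment files with only the `subject_alternate_names` list differing, so the 64-character `domain_name` workaround, the `external_validation_records_created` setting, the alarm preset and the tag will drift apart the next time one file is edited. A shared local holding the common attributes, merged with a per-environment SAN list (for example `merge(local.remote_desktop_cert_defaults, { subject_alternate_names = [...] })`), would keep one copy of the policy. The hunk itself is consistent with the other three files, so this is a style point rather than a defect; the enclosing test_config map starts and ends outside this hunk.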