From a9f94729734aff1d292d98ac49060256ea0ace26 Mon Sep 17 00:00:00 2001 From: Ijaz Sultan Date: Mon, 6 Nov 2023 12:30:06 +0000 Subject: [PATCH 01/46] Rename added to ami build command --- .../ssm-documents/ami-build-automation.yaml | 4 +++- .../ssm-documents/ami-build-command.yaml | 15 ++++++++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-automation.yaml b/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-automation.yaml index 478e939b6be..725cb1ea740 100644 --- a/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-automation.yaml +++ b/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-automation.yaml @@ -43,4 +43,6 @@ mainSteps: NoReboot: true outputs: - Name: ImageID - Selector: createImage.ImageID \ No newline at end of file + Selector: createImage.ImageID + + \ No newline at end of file diff --git a/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml b/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml index f4aeb194318..1cda7622909 100644 --- a/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml +++ b/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml 
@@ -56,4 +56,17 @@ mainSteps: onFailure: Abort inputs: name: AWSEC2Launch-Agent - action: Install \ No newline at end of file + action: Install + + - name: NewHostName + action: aws:runPowerShellScript + onFailure: Abort + inputs: + runCommand: + - $currentHostName = (Get-WmiObject -Class Win32_ComputerSystem).Name + - if ($currentName -like '*t*') { Write-Output $currentHostName } + - $newHostName = $currentHostName -replace 't', '' + - Rename-Computer -NewName $newHostName -Restart + - exit 3010 + - Write-Host "INFO: Hostname has been succesfully changed to $newHostname" + $hostname = $newHostname \ No newline at end of file From 2390792f47b4288a5c7a57a5400a877a17cb82d2 Mon Sep 17 00:00:00 2001 From: Ijaz Sultan Date: Mon, 6 Nov 2023 14:04:24 +0000 Subject: [PATCH 02/46] rename command fix --- .../ssm-documents/ami-build-command.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml b/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml index 1cda7622909..dfe464f3d59 100644 --- a/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml +++ b/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml 
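Review bot: The guard `if ($currentName -like '*t*') { Write-Output $currentHostName }` tests `$currentName`, which is never assigned (the value lives in `$currentHostName`), so it evaluates `$null -like '*t*'` and is always false; even when corrected it only echoes the name and does not gate the `Rename-Computer` that follows. `-replace 't', ''` is also a case-insensitive regex that removes every `t`/`T` from the hostname rather than a single marker; if only a trailing character is meant, anchor it, e.g. `$newHostName = $currentHostName -creplace 't$', ''`. Fix the variable name and either make the `if` wrap the rename or drop it, and add a comment stating which character of the source hostname the step is expected to remove so the intent is checkable.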
@@ -62,11 +62,12 @@ mainSteps: action: aws:runPowerShellScript onFailure: Abort inputs: - runCommand: - - $currentHostName = (Get-WmiObject -Class Win32_ComputerSystem).Name - - if ($currentName -like '*t*') { Write-Output $currentHostName } - - $newHostName = $currentHostName -replace 't', '' - - Rename-Computer -NewName $newHostName -Restart - - exit 3010 - - Write-Host "INFO: Hostname has been succesfully changed to $newHostname" + runCommand: - + | + $currentHostName = (Get-WmiObject -Class Win32_ComputerSystem).Name + if ($currentName -like '*t*') { Write-Output $currentHostName } + $newHostName = $currentHostName -replace 't', '' + Rename-Computer -NewName $newHostName -Restart + exit 3010 + Write-Host "INFO: Hostname has been succesfully changed to $newHostname" $hostname = $newHostname \ No newline at end of file From db9adfbbc9e228c1bbbc01bf1849ecdb465b9e41 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Mon, 6 Nov 2023 11:18:34 +0000 Subject: [PATCH 03/46] Update_SNS_Sub_061123 --- terraform/environments/ppud/secrets.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/ppud/secrets.tf b/terraform/environments/ppud/secrets.tf index f1f61d96835..f541ebd0d35 100644 --- a/terraform/environments/ppud/secrets.tf +++ b/terraform/environments/ppud/secrets.tf @@ -36,7 +36,8 @@ resource "aws_secretsmanager_secret" "support_email_account" { resource "aws_secretsmanager_secret_version" "support_email_account" { count = local.is-production == true ? 1 : 0 secret_id = aws_secretsmanager_secret.support_email_account[0].id - secret_string = "default@email.com" # Use a dummy email id just for creation. Actual email id manually +# secret_string = "default@email.com" # Use a dummy email id just for creation. Actual email id manually + secret_string = "PPUDAlerts@colt.net" # Use a dummy email id just for creation. Actual email id manually lifecycle { ignore_changes = [secret_string, ] } 
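Review bot: `Rename-Computer -NewName $newHostName -Restart` immediately followed by `exit 3010` requests two reboots and makes the step non-idempotent: SSM Agent re-runs a `aws:runPowerShellScript` step that exits 3010 once the reboot completes, and on that second pass the name no longer contains the character, `Rename-Computer` raises a non-terminating error for an unchanged name, and the script still reaches `exit 3010`, so the step can loop; the `Write-Host` after `exit` never executes. Compute the new name first, `exit 0` when it equals the current one, and otherwise rename without `-Restart` under `$ErrorActionPreference = 'Stop'` so a failed rename aborts the document instead of rebooting. I presume the `if ($currentName -like '*t*')` line was meant to be that guard; as written it references an undefined variable and only echoes.

```yaml
    runCommand:
      - |
        $ErrorActionPreference = 'Stop'
        $currentHostName = (Get-WmiObject -Class Win32_ComputerSystem).Name
        # NOTE: -replace is a case-insensitive regex and removes every t/T; anchor it (e.g. 't$') if only a suffix is meant
        $newHostName = $currentHostName -replace 't', ''
        if ($newHostName -eq $currentHostName) {
          Write-Host "INFO: Hostname $currentHostName needs no change"
          exit 0
        }
        Rename-Computer -NewName $newHostName -Force
        Write-Host "INFO: Hostname will be $newHostName after reboot"
        # 3010 asks SSM Agent to reboot and re-run this step; the re-run exits 0 via the guard above
        exit 3010
```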
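Review bot: The new `secret_string = "PPUDAlerts@colt.net"` will not change the existing production secret because the resource keeps `ignore_changes = [secret_string, ]`, so the subscription address stays whatever was set manually and the comment "Use a dummy email id just for creation" is now contradicted by a real value on the same line. Committing a real value into a Secrets Manager `secret_string` also defeats the purpose of the secret — even for a low-sensitivity mailbox address it ends up in git history and plan output. Either drop `ignore_changes` so Terraform owns the value, or keep the placeholder and set the address out of band as the comment describes; in both cases delete the commented-out old line rather than leaving it.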
From b804beba6b0c5b9ec5edb74915d619f06ed207d9 Mon Sep 17 00:00:00 2001 From: "priya.basker" Date: Mon, 6 Nov 2023 11:11:44 +0000 Subject: [PATCH 04/46] upgraded version --- .../data-platform/application_variables.auto.tfvars.json | 8 ++++---- terraform/environments/data-platform/iam.tf | 9 +++++++-- terraform/environments/data-platform/lambda.tf | 2 +- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/terraform/environments/data-platform/application_variables.auto.tfvars.json b/terraform/environments/data-platform/application_variables.auto.tfvars.json index afc40c032f5..f8af4922cb7 100644 --- a/terraform/environments/data-platform/application_variables.auto.tfvars.json +++ b/terraform/environments/data-platform/application_variables.auto.tfvars.json @@ -78,10 +78,10 @@ "production": "1.0.1" }, "preview_data_versions": { - "development": "1.0.0", - "test": "1.0.0", - "preproduction": "1.0.0", - "production": "1.0.0" + "development": "1.0.2", + "test": "1.0.2", + "preproduction": "1.0.2", + "production": "1.0.2" }, "delete_table_for_data_product_versions": { "development": "2.0.0", diff --git a/terraform/environments/data-platform/iam.tf b/terraform/environments/data-platform/iam.tf index ff4ede27e23..7a21ded3a8a 100644 --- a/terraform/environments/data-platform/iam.tf +++ b/terraform/environments/data-platform/iam.tf @@ -609,6 +609,7 @@ resource "aws_iam_role_policy_attachment" "api_gateway_cloudwatchlogs" { data "aws_iam_policy_document" "iam_policy_document_for_preview_data" { source_policy_documents = [ data.aws_iam_policy_document.log_to_bucket.json, + data.aws_iam_policy_document.read_metadata.json, data.aws_iam_policy_document.create_write_lambda_logs.json, ] statement { @@ -629,6 +630,7 @@ data "aws_iam_policy_document" "iam_policy_document_for_preview_data" { actions = [ "s3:GetObject", "s3:ListBucket", + "s3:PutObject", "s3:GetBucketLocation" ] resources = [ 
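Review bot: Adding `s3:PutObject` to the statement that already grants `s3:GetObject`/`s3:ListBucket` turns the preview role's read grant into read-write on every bucket in the `resources` list that follows (that list is cut off at the end of this hunk). If the write is only needed for Athena's query-result output location, give it its own statement scoped to that bucket and prefix, e.g. `actions = ["s3:PutObject"]` with `resources = ["arn:aws:s3:::<results-bucket>/preview/*"]`, instead of widening the read statement. The first hunk also pulls `data.aws_iam_policy_document.read_metadata.json` into `source_policy_documents`; its contents are not in view, so worth confirming it grants only the read actions its name suggests.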
@@ -640,8 +642,11 @@ data "aws_iam_policy_document" "iam_policy_document_for_preview_data" { sid = "GluePermissions" effect = "Allow" actions = [ - "glue:GetPartitions", - "glue:GetTable" + "glue:GetTable", + "glue:GetPartitions", + "glue:GetPartition", + "glue:GetDatabases", + "glue:GetDatabase" ] resources = [ "*" diff --git a/terraform/environments/data-platform/lambda.tf b/terraform/environments/data-platform/lambda.tf index da630de6339..45381f3f65f 100644 --- a/terraform/environments/data-platform/lambda.tf +++ b/terraform/environments/data-platform/lambda.tf @@ -377,7 +377,7 @@ module "preview_data_lambda" { source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=a4392c1" # ref for V2.1 application_name = "data_product_preview_data" tags = local.tags - description = "Query small sample of data through athena " + description = "Preview small sample of data through athena " role_name = "preview_data_role_${local.environment}" policy_json = data.aws_iam_policy_document.iam_policy_document_for_preview_data.json policy_json_attached = true From 9a14d7ce05202144b2d6f14df7f72e039e01c69d Mon Sep 17 00:00:00 2001 From: Hope Aitchison Date: Mon, 6 Nov 2023 11:34:41 +0000 Subject: [PATCH 05/46] updating termination and stop api calls on preprod servers and adding missing r53 records on some servers --- .../locals_preproduction.tf | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf index c2c0b4f4115..4ecb6c4cc8f 100644 --- a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf +++ b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf @@ -38,6 +38,9 @@ locals { } }) + disable_api_termination = true + disable_api_stop = true + ssm_parameters = { asm-passwords = {} } 
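Review bot: The expanded Glue actions (`glue:GetDatabases`, `glue:GetDatabase`, `glue:GetPartition`) are granted on `resources = ["*"]`, so the preview Lambda can read every database and table in the account's Data Catalog, not only the data products it previews. Glue supports resource-level ARNs for these actions; scope the statement to the catalog plus the relevant database and table ARNs, e.g. `"arn:aws:glue:${region}:${account_id}:catalog"`, `"arn:aws:glue:${region}:${account_id}:database/<db>"`, `"arn:aws:glue:${region}:${account_id}:table/<db>/*"` (`GetDatabases` needs the catalog ARN). If a wildcard is genuinely required, a comment on the `"*"` line saying why would stop the next reviewer from raising this again.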
@@ -86,6 +89,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-a-14-b = { @@ -123,6 +128,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-a-17-a = { @@ -160,6 +167,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-a-18-b = { @@ -197,6 +206,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-a-2-b = { @@ -232,6 +243,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-a-3-a = { @@ -267,6 +280,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-a-15-a = { @@ -304,6 +319,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-a-16-b = { @@ -341,6 +358,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-w-1-a = { @@ -374,6 +393,12 @@ locals { ami = "PPCWW00001" component = "web" } + route53_records = { + create_internal_record = true + create_external_record = true + } + disable_api_termination = true + disable_api_stop = true } pp-csr-w-2-b = { @@ -411,6 +436,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-w-5-a = { @@ -447,6 +474,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-w-6-b = { 
@@ -484,6 +513,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-w-7-a = { @@ -515,6 +546,12 @@ locals { ami = "pp-csr-w-7-b" component = "web" } + route53_records = { + create_internal_record = true + create_external_record = true + } + disable_api_termination = true + disable_api_stop = true } pp-csr-w-8-b = { @@ -546,6 +583,12 @@ locals { ami = "pp-csr-w-8-b" component = "web" } + route53_records = { + create_internal_record = true + create_external_record = true + } + disable_api_termination = true + disable_api_stop = true } pp-csr-w-3-a = { @@ -583,6 +626,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } pp-csr-w-4-b = { @@ -620,6 +665,8 @@ locals { create_internal_record = true create_external_record = true } + disable_api_termination = true + disable_api_stop = true } } From 54b707de5d50858a84b47af5f5fa9373c67a67b3 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Mon, 6 Nov 2023 11:36:06 +0000 Subject: [PATCH 06/46] Update_SNS_Sub_061123_2 --- terraform/environments/ppud/secrets.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/ppud/secrets.tf b/terraform/environments/ppud/secrets.tf index f541ebd0d35..fb76b515eed 100644 --- a/terraform/environments/ppud/secrets.tf +++ b/terraform/environments/ppud/secrets.tf @@ -36,7 +36,6 @@ resource "aws_secretsmanager_secret" "support_email_account" { resource "aws_secretsmanager_secret_version" "support_email_account" { count = local.is-production == true ? 1 : 0 secret_id = aws_secretsmanager_secret.support_email_account[0].id -# secret_string = "default@email.com" # Use a dummy email id just for creation. Actual email id manually secret_string = "PPUDAlerts@colt.net" # Use a dummy email id just for creation. Actual email id manually lifecycle { ignore_changes = [secret_string, ] 
From 8167f156bfd092c039181cbd0c4a8536065a5124 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Nov 2023 00:34:08 +0000 Subject: [PATCH 07/46] Bump bridgecrewio/checkov-action from 12.2556.0 to 12.2561.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2556.0 to 12.2561.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/d10362aac526e5664795463df08c39ca503c9b5d...3b830838fec7a285493826a2272e65b1879fbc3c) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 7b3fdfbb169..d31e658a993 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -78,7 +78,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@d10362aac526e5664795463df08c39ca503c9b5d # v12.2556.0 + uses: bridgecrewio/checkov-action@3b830838fec7a285493826a2272e65b1879fbc3c # v12.2561.0 with: directory: ./ framework: terraform From ab9ef9f0a50a10ab5605229e89309b2bacd7beaa Mon Sep 17 00:00:00 2001 From: Mitch Dawson Date: Mon, 6 Nov 2023 12:50:26 +0000 Subject: [PATCH 08/46] :bricks: Register delete table components for deployment --- terraform/environments/data-platform/api.tf | 1 + .../data-platform/application_variables.auto.tfvars.json | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/terraform/environments/data-platform/api.tf b/terraform/environments/data-platform/api.tf index fd781fd8e7b..851a1a9af02 100644 --- a/terraform/environments/data-platform/api.tf 
+++ b/terraform/environments/data-platform/api.tf @@ -34,6 +34,7 @@ resource "aws_api_gateway_deployment" "deployment" { aws_api_gateway_method.get_schema_for_data_product_table_name, aws_api_gateway_method.update_data_product, aws_api_gateway_method.update_schema_for_data_product_table_name, + aws_api_gateway_method.delete_table_for_data_product, aws_api_gateway_integration.docs_to_lambda, aws_api_gateway_integration.upload_data_for_data_product_table_name_to_lambda, aws_api_gateway_integration.proxy_to_lambda, diff --git a/terraform/environments/data-platform/application_variables.auto.tfvars.json b/terraform/environments/data-platform/application_variables.auto.tfvars.json index f8af4922cb7..fcede1cecf5 100644 --- a/terraform/environments/data-platform/application_variables.auto.tfvars.json +++ b/terraform/environments/data-platform/application_variables.auto.tfvars.json @@ -84,9 +84,9 @@ "production": "1.0.2" }, "delete_table_for_data_product_versions": { - "development": "2.0.0", - "test": "2.0.0", - "preproduction": "2.0.0", - "production": "2.0.0" + "development": "1.0.0", + "test": "1.0.0", + "preproduction": "1.0.0", + "production": "1.0.0" } } From 93de087b1b3544b59bd151e40b6ee6afcd20281c Mon Sep 17 00:00:00 2001 From: Buckingham Date: Mon, 6 Nov 2023 13:33:05 +0000 Subject: [PATCH 09/46] Update_SNS_Sub_061123_3 --- terraform/environments/ppud/secrets.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/terraform/environments/ppud/secrets.tf b/terraform/environments/ppud/secrets.tf index fb76b515eed..ca6d350c750 100644 --- a/terraform/environments/ppud/secrets.tf +++ b/terraform/environments/ppud/secrets.tf 
@@ -33,11 +33,11 @@ resource "aws_secretsmanager_secret" "support_email_account" { } -resource "aws_secretsmanager_secret_version" "support_email_account" { - count = local.is-production == true ? 1 : 0 - secret_id = aws_secretsmanager_secret.support_email_account[0].id - secret_string = "PPUDAlerts@colt.net" # Use a dummy email id just for creation. Actual email id manually - lifecycle { - ignore_changes = [secret_string, ] - } -} \ No newline at end of file +#resource "aws_secretsmanager_secret_version" "support_email_account" { +# count = local.is-production == true ? 1 : 0 +# secret_id = aws_secretsmanager_secret.support_email_account[0].id +# secret_string = "PPUDAlerts@colt.net" # Use a dummy email id just for creation. Actual email id manually +# lifecycle { +# ignore_changes = [secret_string, ] +# } +#} \ No newline at end of file From 9175493eae0a8cdf28c7a9e06b95341e5b64e8ac Mon Sep 17 00:00:00 2001 From: Hope Aitchison Date: Mon, 6 Nov 2023 14:13:55 +0000 Subject: [PATCH 10/46] removing dupplicate termination settings --- .../locals_preproduction.tf | 47 ++++++------------- 1 file changed, 15 insertions(+), 32 deletions(-) diff --git a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf index 4ecb6c4cc8f..eaed41e871d 100644 --- a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf +++ b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf @@ -64,6 +64,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "app", "jumpserver"] tags = { @@ -89,8 +90,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-a-14-b = { 
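Review bot: Commenting out `aws_secretsmanager_secret_version.support_email_account` removes the resource while `sns.tf` still reads `aws_secretsmanager_secret_version.support_email_account[0].secret_string` for the subscription `endpoint` (that reference is only taken out two commits later in this series), so this commit on its own should fail validation with a reference to an undeclared resource. A commented-out resource is also a destroy on apply in Terraform, not a pause. Delete the block instead of commenting it out, and land the `sns.tf` change in the same commit so each commit plans cleanly.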
@@ -103,6 +102,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "app", "jumpserver"] tags = { @@ -128,8 +128,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-a-17-a = { @@ -142,6 +140,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "app", "jumpserver"] tags = { @@ -167,8 +166,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-a-18-b = { @@ -206,8 +203,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-a-2-b = { @@ -220,6 +215,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "app", "jumpserver"] tags = { @@ -243,8 +239,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-a-3-a = { @@ -257,6 +251,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "app", "jumpserver"] tags = { @@ -280,8 +275,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-a-15-a = { 
@@ -294,6 +287,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "app", "jumpserver"] tags = { @@ -319,8 +313,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-a-16-b = { @@ -333,6 +325,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "app", "jumpserver"] tags = { @@ -358,8 +351,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-w-1-a = { @@ -372,6 +363,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["web", "domain", "jumpserver"] tags = { @@ -397,8 +389,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-w-2-b = { @@ -411,6 +401,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "web", "jumpserver"] tags = { @@ -436,8 +427,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-w-5-a = { 
@@ -450,6 +439,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "web", "jumpserver"] tags = { @@ -474,8 +464,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-w-6-b = { @@ -488,6 +476,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "web", "jumpserver"] tags = { @@ -513,8 +502,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-w-7-a = { @@ -527,6 +514,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "web", "jumpserver"] tags = { @@ -550,8 +538,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-w-8-b = { @@ -564,6 +550,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "web", "jumpserver"] tags = { @@ -587,8 +574,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-w-3-a = { 
@@ -601,6 +586,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "web", "jumpserver"] tags = { @@ -626,8 +612,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } pp-csr-w-4-b = { @@ -640,6 +624,7 @@ locals { instance = merge(module.baseline_presets.ec2_instance.instance.default, { instance_type = "m5.2xlarge" disable_api_termination = true + disable_api_stop = true monitoring = true vpc_security_group_ids = ["domain", "web", "jumpserver"] tags = { @@ -665,8 +650,6 @@ locals { create_internal_record = true create_external_record = true } - disable_api_termination = true - disable_api_stop = true } } From a3aedd0863563cb78f1fe1b3123cb2f624617d43 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Mon, 6 Nov 2023 13:56:23 +0000 Subject: [PATCH 11/46] Update_SNS_Sub_061123_4 --- terraform/environments/ppud/sns.tf | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index cdbbc9f57b6..e616bd97161 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf 
@@ -1,17 +1,17 @@ #### Cloud Watch #### -resource "aws_sns_topic" "cw_alerts" { - count = local.is-production == true ? 1 : 0 - name = "ppud-prod-cw-alerts" -} +#resource "aws_sns_topic" "cw_alerts" { +# count = local.is-production == true ? 1 : 0 +# name = "ppud-prod-cw-alerts" +#} -resource "aws_sns_topic_policy" "sns_policy" { - count = local.is-production == true ? 1 : 0 - arn = aws_sns_topic.cw_alerts[0].arn - policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json -} -resource "aws_sns_topic_subscription" "cw_subscription" { - count = local.is-production == true ? 1 : 0 - topic_arn = aws_sns_topic.cw_alerts[0].arn - protocol = "email" - endpoint = aws_secretsmanager_secret_version.support_email_account[0].secret_string -} +#resource "aws_sns_topic_policy" "sns_policy" { +# count = local.is-production == true ? 1 : 0 +# arn = aws_sns_topic.cw_alerts[0].arn +# policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json +#} +#resource "aws_sns_topic_subscription" "cw_subscription" { +# count = local.is-production == true ? 1 : 0 +# topic_arn = aws_sns_topic.cw_alerts[0].arn +# protocol = "email" +# endpoint = aws_secretsmanager_secret_version.support_email_account[0].secret_string +#} From 605e3cc0f343eece4fff0ba658f2f6639e5363eb Mon Sep 17 00:00:00 2001 From: Buckingham Date: Mon, 6 Nov 2023 14:02:36 +0000 Subject: [PATCH 12/46] Update_SNS_Sub_061123_5 --- terraform/environments/ppud/secrets.tf | 12 +++++------ terraform/environments/ppud/sns.tf | 29 +++++++++++++------------- 2 files changed, 21 insertions(+), 20 deletions(-) diff --git a/terraform/environments/ppud/secrets.tf b/terraform/environments/ppud/secrets.tf index ca6d350c750..4a597f0ecd4 100644 --- a/terraform/environments/ppud/secrets.tf +++ b/terraform/environments/ppud/secrets.tf 
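Review bot: Commenting out `aws_sns_topic.cw_alerts`, its policy and the email subscription destroys the production alerting path on apply rather than pausing it: anything that publishes to this topic ARN (the `sns_topic_policy_ec2cw` policy name suggests EC2 CloudWatch alarms) will have its actions fail until the topic exists again, and a recreated `protocol = "email"` subscription sits in PendingConfirmation until someone clicks the confirmation link. If the aim is only to change the address, edit `endpoint` in place — that replaces just the subscription, not the topic. If a recreate is unavoidable, delete the code rather than commenting it out and call out the re-confirmation step in the PR description.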
@@ -25,12 +25,12 @@ resource "aws_secretsmanager_secret_version" "sversion" { #### Secret for SNS email address ### -resource "aws_secretsmanager_secret" "support_email_account" { - count = local.is-production == true ? 1 : 0 - name = "Application_email_account" - description = "email address of the support account for cw alerts" - recovery_window_in_days = 0 -} +#resource "aws_secretsmanager_secret" "support_email_account" { +# count = local.is-production == true ? 1 : 0 +# name = "Application_email_account" +# description = "email address of the support account for cw alerts" +# recovery_window_in_days = 0 +#} #resource "aws_secretsmanager_secret_version" "support_email_account" { diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index e616bd97161..73e2e955668 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf 
@@ -1,17 +1,18 @@ #### Cloud Watch #### -#resource "aws_sns_topic" "cw_alerts" { -# count = local.is-production == true ? 1 : 0 -# name = "ppud-prod-cw-alerts" -#} +resource "aws_sns_topic" "cw_alerts" { + count = local.is-production == true ? 1 : 0 + name = "ppud-prod-cw-alerts" +} -#resource "aws_sns_topic_policy" "sns_policy" { -# count = local.is-production == true ? 1 : 0 -# arn = aws_sns_topic.cw_alerts[0].arn -# policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json -#} -#resource "aws_sns_topic_subscription" "cw_subscription" { -# count = local.is-production == true ? 1 : 0 -# topic_arn = aws_sns_topic.cw_alerts[0].arn -# protocol = "email" +resource "aws_sns_topic_policy" "sns_policy" { + count = local.is-production == true ? 1 : 0 + arn = aws_sns_topic.cw_alerts[0].arn + policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json +} +resource "aws_sns_topic_subscription" "cw_subscription" { + count = local.is-production == true ? 1 : 0 + topic_arn = aws_sns_topic.cw_alerts[0].arn + protocol = "email" + endpoint = "PPUDAlerts@colt.net" # endpoint = aws_secretsmanager_secret_version.support_email_account[0].secret_string -#} +} From 258215474238b1383f28f95c83c48389656f72e5 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Mon, 6 Nov 2023 14:31:16 +0000 Subject: [PATCH 13/46] DSOS-2332: fix for adding secrets to EC2 (#3891) --- terraform/modules/baseline/ec2_instance.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/baseline/ec2_instance.tf b/terraform/modules/baseline/ec2_instance.tf index ee024f9a632..f4400f4161f 100644 --- a/terraform/modules/baseline/ec2_instance.tf +++ b/terraform/modules/baseline/ec2_instance.tf 
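Review bot: The subscription now hard-codes `endpoint = "PPUDAlerts@colt.net"` and keeps the superseded `# endpoint = aws_secretsmanager_secret_version.support_email_account[0].secret_string` as a comment, while the `secrets.tf` hunk in the same commit comments out the secret that line pointed at; dead references should be deleted, not preserved as comments. Putting a shared alerts mailbox directly in Terraform is defensible, but it reverses the earlier decision to keep the address in Secrets Manager, and the commit message `Update_SNS_Sub_061123_5` does not say why — a one-line comment above `endpoint`, e.g. `# mailbox kept in code: low sensitivity, avoids secret/subscription ordering issues`, would record the reasoning. Note also that the removed secret carries `recovery_window_in_days = 0`, so it is deleted immediately with no recovery window on apply.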
@@ -49,7 +49,7 @@ module "ec2_instance" { } ) } - secretsmanager_secrets = each.value.secretsmanager_secrets == null ? null : { + secretsmanager_secrets = each.value.secretsmanager_secrets == null ? {} : { for key, value in each.value.secretsmanager_secrets : key => merge(value, value.kms_key_id == null ? { kms_key_id = null } : { kms_key_id = try(var.environment.kms_keys[value.kms_key_id].arn, value.kms_key_id) } ) From 792ef0b3d4347744b5c8e764a76e0d1a14bf180a Mon Sep 17 00:00:00 2001 From: Hope Aitchison Date: Mon, 6 Nov 2023 14:41:35 +0000 Subject: [PATCH 14/46] rebasing branch --- .../corporate-staff-rostering/locals_preproduction.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf index eaed41e871d..ef3ecbf2d16 100644 --- a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf +++ b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf @@ -17,6 +17,8 @@ locals { instance = merge(local.database_ec2.instance, { instance_type = "r6i.xlarge" metadata_options_http_tokens = "optional" # the Oracle installer cannot accommodate a token + disable_api_termination = true + disable_api_stop = true }) ebs_volumes = merge(local.database_ec2.ebs_volumes, { @@ -38,9 +40,6 @@ locals { } }) - disable_api_termination = true - disable_api_stop = true - ssm_parameters = { asm-passwords = {} } From 807a0a3739a5ee7ea9cb61e7c4371c319c6d82b8 Mon Sep 17 00:00:00 2001 From: Mitch Dawson Date: Mon, 6 Nov 2023 13:48:11 +0000 Subject: [PATCH 15/46] :bricks: Add lambda integration --- terraform/environments/data-platform/api.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/data-platform/api.tf b/terraform/environments/data-platform/api.tf index 851a1a9af02..002156dccec 100644 --- a/terraform/environments/data-platform/api.tf 
+++ b/terraform/environments/data-platform/api.tf @@ -46,6 +46,7 @@ resource "aws_api_gateway_deployment" "deployment" { aws_api_gateway_integration.update_data_product_to_lambda, aws_api_gateway_integration.update_schema_for_data_product_table_name_to_lambda, aws_api_gateway_integration.preview_data_from_data_product_lambda, + aws_api_gateway_integration.delete_table_for_data_product_to_lambda, ])) } From 3b698a80814b8c7faf65e8154e31062c65f148ff Mon Sep 17 00:00:00 2001 From: Robert Sweetman Date: Mon, 6 Nov 2023 15:22:44 +0000 Subject: [PATCH 16/46] add traina and trainb to loadbalancer in preprod plus prod redirect (#3892) --- .../locals_preproduction.tf | 147 +++++++++++++++++- .../locals_production.tf | 2 + 2 files changed, 148 insertions(+), 1 deletion(-) diff --git a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf index ef3ecbf2d16..d9edcf8f348 100644 --- a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf +++ b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf @@ -716,6 +716,28 @@ locals { { ec2_instance_name = "pp-csr-w-2-b" }, ] } + web-34-7770 = { + port = 7770 + protocol = "HTTP" + health_check = { + enabled = true + interval = 30 + healthy_threshold = 3 + matcher = "200-399" + path = "/" + port = 7770 + timeout = 5 + unhealthy_threshold = 5 + } + stickiness = { + enabled = true + type = "lb_cookie" + } + attachments = [ + { ec2_instance_name = "pp-csr-w-3-a" }, + { ec2_instance_name = "pp-csr-w-4-b" }, + ] + } web-56-7770 = { port = 7770 protocol = "HTTP" 
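Review bot: The new `web-34-7770` target group uses `matcher = "200-399"` with `path = "/"`, so a node whose application is down but whose web server still answers `/` with a redirect (to a login or error page, say) is reported healthy and keeps receiving traffic. This mirrors the existing `web-56-7770` group, so if it is deliberate a short comment on the `matcher` line stating that the app answers `/` with a 3xx when healthy would make that explicit; otherwise tighten to `matcher = "200"` (or `"200,302"` for a known redirect) and point `path` at an application health endpoint. The enclosing `lbs` map begins and ends outside this hunk.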
@@ -782,6 +804,28 @@ locals { { ec2_instance_name = "pp-csr-w-2-b" }, ] } + web-34-7771 = { + port = 7771 + protocol = "HTTP" + health_check = { + enabled = true + interval = 30 + healthy_threshold = 3 + matcher = "200-399" + path = "/" + port = 7771 + timeout = 5 + unhealthy_threshold = 5 + } + stickiness = { + enabled = true + type = "lb_cookie" + } + attachments = [ + { ec2_instance_name = "pp-csr-w-3-a" }, + { ec2_instance_name = "pp-csr-w-4-b" }, + ] + } web-56-7771 = { port = 7771 protocol = "HTTP" @@ -848,6 +892,28 @@ locals { { ec2_instance_name = "pp-csr-w-2-b" }, ] } + web-34-7780 = { + port = 7780 + protocol = "HTTP" + health_check = { + enabled = true + interval = 30 + healthy_threshold = 3 + matcher = "200-399" + path = "/" + port = 7780 + timeout = 5 + unhealthy_threshold = 5 + } + stickiness = { + enabled = true + type = "lb_cookie" + } + attachments = [ + { ec2_instance_name = "pp-csr-w-3-a" }, + { ec2_instance_name = "pp-csr-w-4-b" }, + ] + } web-56-7780 = { port = 7780 protocol = "HTTP" @@ -914,6 +980,28 @@ locals { { ec2_instance_name = "pp-csr-w-2-b" }, ] } + web-34-7781 = { + port = 7781 + protocol = "HTTP" + health_check = { + enabled = true + interval = 30 + healthy_threshold = 3 + matcher = "200-399" + path = "/" + port = 7781 + timeout = 5 + unhealthy_threshold = 5 + } + stickiness = { + enabled = true + type = "lb_cookie" + } + attachments = [ + { ec2_instance_name = "pp-csr-w-3-a" }, + { ec2_instance_name = "pp-csr-w-4-b" }, + ] + } web-56-7781 = { port = 7781 protocol = "HTTP" @@ -990,6 +1078,20 @@ locals { } }] } + web-34-7770 = { + priority = 3470 + actions = [{ + type = "forward" + target_group_name = "web-34-7770" + }] + conditions = [{ + host_header = { + values = [ + "traina.pp.csr.service.justice.gov.uk", + ] + } + }] + } web-56-7770 = { priority = 5670 actions = [{ 
@@ -1033,6 +1135,20 @@ locals { } }] } + web-34-7771 = { + priority = 3471 + actions = [{ + type = "forward" + target_group_name = "web-34-7771" + }] + conditions = [{ + host_header = { + values = [ + "trainb.pp.csr.service.justice.gov.uk", + ] + } + }] + } web-56-7771 = { priority = 5671 actions = [{ @@ -1092,6 +1208,20 @@ locals { } }] } + web-34-7780 = { + priority = 1280 + actions = [{ + type = "forward" + target_group_name = "web-34-7780" + }] + conditions = [{ + host_header = { + values = [ + "traina.pp.csr.service.justice.gov.uk", + ] + } + }] + } web-56-7780 = { priority = 5680 actions = [{ @@ -1152,6 +1282,20 @@ locals { } }] } + web-34-7781 = { + priority = 3481 + actions = [{ + type = "forward" + target_group_name = "web-34-7781" + }] + conditions = [{ + host_header = { + values = [ + "trainb.pp.csr.service.justice.gov.uk", + ] + } + }] + } web-56-7781 = { priority = 5681 actions = [{ @@ -1193,7 +1337,6 @@ locals { { name = "ppiwfm", type = "A", ttl = "300", records = ["10.40.42.132"] }, { name = "ppiwfm-a", type = "A", ttl = "300", records = ["10.40.42.132"] }, { name = "ppiwfm-b", type = "CNAME", ttl = "300", records = ["pp-csr-db-a.corporate-staff-rostering.hmpps-preproduction.modernisation-platform.service.justice.gov.uk"] }, - # { name = "r3", type = "CNAME", ttl = "300", records = ["pp-csr-w-5-a.corporate-staff-rostering.hmpps-preproduction.modernisation-platform.service.justice.gov.uk"] }, ] lb_alias_records = [ { name = "r1", type = "A", lbs_map_key = "private" }, @@ -1202,6 +1345,8 @@ locals { { name = "r4", type = "A", lbs_map_key = "private" }, { name = "r5", type = "A", lbs_map_key = "private" }, { name = "r6", type = "A", lbs_map_key = "private" }, + { name = "traina", type = "A", lbs_map_key = "private" }, + { name = "trainb", type = "A", lbs_map_key = "private" }, ] } } 
diff --git a/terraform/environments/corporate-staff-rostering/locals_production.tf b/terraform/environments/corporate-staff-rostering/locals_production.tf
index 4aa4794f047..14eb95e6112 100644
--- a/terraform/environments/corporate-staff-rostering/locals_production.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_production.tf
@@ -85,6 +85,8 @@ locals {
 { name = "test", type = "NS", ttl = "86400", records = ["ns-1332.awsdns-38.org", "ns-2038.awsdns-62.co.uk", "ns-62.awsdns-07.com", "ns-689.awsdns-22.net"] },
 { name = "pp", type = "NS", ttl = "86400", records = ["ns-1408.awsdns-48.org", "ns-1844.awsdns-38.co.uk", "ns-447.awsdns-55.com", "ns-542.awsdns-03.net"] },
 { name = "piwfm", type = "A", ttl = "300", records = ["10.40.8.132"] },
+ { name = "traina", type = "CNAME", ttl = "300", records = ["traina.pp.csr.service.justice.gov.uk"] },
+ { name = "trainb", type = "CNAME", ttl = "300", records = ["trainb.pp.csr.service.justice.gov.uk"] },
 ]
 }
 }
From 5c941f0281bf57a66e721fb95f7e7355afdef6d0 Mon Sep 17 00:00:00 2001
From: Robert Sweetman
Date: Mon, 6 Nov 2023 15:42:14 +0000
Subject: [PATCH 17/46] fix duplicate priority (#3894)
---
 .../corporate-staff-rostering/locals_preproduction.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf
index d9edcf8f348..d9d1344e5bc 100644
--- a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf
@@ -1209,7 +1209,7 @@ locals {
 }]
 }
 web-34-7780 = {
- priority = 1280
+ priority = 3480
 actions = [{
 type = "forward"
 target_group_name = "web-34-7780"
From cb15d0af6ce90812b56b4bacfc37c12c97c7be75 Mon Sep 17 00:00:00 2001
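Review bot: The new `traina`/`trainb` entries in the production zone are CNAMEs to `traina.pp.csr.service.justice.gov.uk` and `trainb.pp.csr.service.justice.gov.uk`, so production-domain training hostnames resolve into the preproduction environment (reachable through the `pp` NS delegation on the line above); the commit title says this is deliberate, but nothing in the file does. Add a comment above the two records, e.g. `# traina/trainb: training is served from preproduction, see lb_alias_records in locals_preproduction.tf`, so the cross-environment CNAME is not later mistaken for an error. These targets only exist while the matching `traina`/`trainb` `lb_alias_records` in locals_preproduction.tf remain, so removing those would leave the production records pointing at nothing.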
From: SahidKhan89 Date: Tue, 24 Oct 2023 09:22:15 +0100 Subject: [PATCH 18/46] CC-2147: Creation of pre-requisite infra --- .../application_variables.json | 127 +++++- .../ccms-ebs-upgrade/certificates.tf | 62 +++ .../ccms-ebs-upgrade/cloudwatch.tf | 126 ++++++ .../environments/ccms-ebs-upgrade/dlm.tf | 88 +++++ .../ec2-oracle_ebs_db-cloudwatch.tf | 299 ++++++++++++++ .../ccms-ebs-upgrade/ec2-oracle_ebs_db-sg.tf | 365 ++++++++++++++++++ .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 325 ++++++++++++++++ .../ccms-ebs-upgrade/ec2-security_groups.tf | 38 ++ .../environments/ccms-ebs-upgrade/iam.tf | 246 ++++++++++++ .../environments/ccms-ebs-upgrade/kms.tf | 12 + .../environments/ccms-ebs-upgrade/locals.tf | 1 - .../ccms-ebs-upgrade/member-data.tf | 52 +++ .../ccms-ebs-upgrade/member-locals.tf | 31 ++ .../ccms-ebs-upgrade/modules/cloudwatch.tf | 287 ++++++++++++++ .../ccms-ebs-upgrade/modules/cw-ec2/main.tf | 184 +++++++++ .../modules/cw-ec2/variables.tf | 105 +++++ .../ccms-ebs-upgrade/modules/cw-logs/main.tf | 10 + .../modules/cw-logs/output.tf | 9 + .../modules/cw-logs/variables.tf | 40 ++ .../environments/ccms-ebs-upgrade/r53.tf | 9 + terraform/environments/ccms-ebs-upgrade/s3.tf | 278 +++++++++++++ .../environments/ccms-ebs-upgrade/ses.tf | 69 ++++ .../environments/ccms-ebs-upgrade/sns.tf | 65 ++++ .../templates/create_table.sql | 54 +++ .../templates/cw_agent_config.json | 65 ++++ .../templates/ec2_user_data_accessgate.sh | 20 + .../templates/ec2_user_data_clamav.sh | 26 ++ .../templates/ec2_user_data_ebs.sh | 30 ++ .../templates/ec2_user_data_ebs_apps.sh | 20 + .../templates/ec2_user_data_ftp.sh | 78 ++++ .../templates/ec2_user_data_mailrelay.sh | 71 ++++ .../templates/ec2_user_data_webgate.sh | 20 + .../templates/install-and-manage-cwagent.yaml | 27 ++ .../templates/lb_http_gets.sql | 9 + 34 files changed, 3246 insertions(+), 2 deletions(-) create mode 100644 terraform/environments/ccms-ebs-upgrade/certificates.tf create mode 100644 
terraform/environments/ccms-ebs-upgrade/cloudwatch.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/dlm.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-sg.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-security_groups.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/iam.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/kms.tf delete mode 100644 terraform/environments/ccms-ebs-upgrade/locals.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/member-data.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/member-locals.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/modules/cloudwatch.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/modules/cw-ec2/main.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/modules/cw-ec2/variables.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/modules/cw-logs/main.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/modules/cw-logs/output.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/modules/cw-logs/variables.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/r53.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/s3.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ses.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/sns.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/create_table.sql create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/cw_agent_config.json create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_accessgate.sh create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_clamav.sh create mode 100644 
terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ebs.sh create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ebs_apps.sh create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ftp.sh create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_mailrelay.sh create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_webgate.sh create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/install-and-manage-cwagent.yaml create mode 100644 terraform/environments/ccms-ebs-upgrade/templates/lb_http_gets.sql diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json index 4b62ee0bf64..04744c1ccaf 100644 --- a/terraform/environments/ccms-ebs-upgrade/application_variables.json +++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json 
@@ -1,7 +1,132 @@ { "accounts": { "development": { - "example_var": "dev-data" + "short_env": "dev", + "dns": "laa-development", + "ses_domain_identity": "dev.legalservices.gov.uk", + "instance-scheduling": "skip-scheduling", + "ec2_oracle_instance_type_ebsdb_test": "x2iedn.8xlarge", + "ec2_oracle_instance_type_ebsdb": "m5d.4xlarge", + "ec2_oracle_instance_cores_ebsdb": "8", + "ec2_oracle_instance_threads_ebsdb": "2", + "ec2_oracle_instance_type_ebsapps": "m5d.2xlarge", + "ec2_oracle_instance_cores_ebsapps": "4", + "ec2_oracle_instance_threads_ebsapps": "2", + "ec2_oracle_instance_type_webgate": "m5d.large", + "ec2_oracle_instance_cores_webgate": "1", + "ec2_oracle_instance_threads_webgate": "2", + "ec2_oracle_instance_type_accessgate": "m5d.xlarge", + "ec2_oracle_instance_cores_accessgate": "2", + "ec2_oracle_instance_threads_accessgate": "2", + "ami_owner": "self", + "ec2_instance_type_ftp": "c5d.large", + "ftp_ami_id": "ami-0d8e665f120c20253", + "ec2_instance_type_clamav": "c5d.large", + "clamav_ami_id": "ami-0965b5afb3ac7174e", + "ebsdb_ami_id": "ami-07b8dc1b66c170400", + "ebsapps_ami_id-1": "ami-0d4b266f7ae87bbfc", + "ebsapps_ami_id-2": "ami-0d4b266f7ae87bbfc", + "accessgate_ami_id-1": "ami-0695726199c3e30e5", + "accessgate_ami_id-2": "ami-0695726199c3e30e5", + "webgate_ami_id-1": "ami-0e398cd57c81356a7", + "webgate_ami_id-2": "ami-0e398cd57c81356a7", + "restored_db_image": "ami-0df5f31cae1c86635", + "orace_base_prereqs_ami_name": "Oracle79-prereqs-v2_0", + "orace_db_ami_name": "Oracle79-prereqs-v1_8", + "orace_db_dr_ami_name": "EBSDB-DR-test", + "webgate_ami_name": "ebs-webgate-v2_0", + "accessgate_ami_name": "ebs-accessgate-v2_0", + "ec2_instance_type_mailrelay": "c4.large", + "mailrelay_ami_id": "ami-0e183a740dfc54442", + "key_name": "oracle-base-dev", + "lz_aws_account_id_env": "411213865113", + "lz_aws_subnet_env": "10.202.0.0/20", + "lz_aws_workspace_nonprod_subnet_env": "10.200.0.0/20", + "lz_aws_workspace_prod_subnet_env": "10.200.16.0/20", + 
"lz_aws_workspace_nonprod_prod": "10.200.0.0/19", + "lz_aws_appstream_subnet_a_b": "10.200.32.0/23", + "cloud_platform_subnet": "172.20.0.0/16", + "lz_ftp_bucket_environment": "development", + "lz_domain_name": "*.dev.legalservices.gov.uk", + "mp_aws_subnet_env": "10.200.0.0/20", + "ebs_default_iops": 12000, + "webgate_no_instances": 2, + "webgate_default_iops": 3000, + "webgate_u01_size": 100, + "webgate_dns_prefix": "wgatedev", + "accessgate_no_instances": 2, + "accessgate_default_iops": 3000, + "accessgate_u01_size": 150, + "accessgate_dns_prefix": "agatedev", + "ebsapps_no_instances": 2, + "ebsapps_default_iops": 3000, + "ebsapps_exhome_size": 100, + "ebsapps_u01_size": 200, + "ebsapps_u03_size": 200, + "ebsapps_stage_size": 100, + "tg_apps_port": 8000, + "ebs_size_ebsdb_exhome": 100, + "ebs_size_ebsdb_u01": 300, + "ebs_size_ebsdb_arch": 500, + "ebs_size_ebsdb_dbf": 11000, + "ebs_size_ebsdb_dbf_dr": 8000, + "ebs_size_ebsdb_redoA": 100, + "ebs_size_ebsdb_redoB": 50, + "ebs_size_ebsdb_techst": 100, + "ebs_size_ebsdb_backup": 8000, + "ebs_size_ebsdb_diag": 50, + "ebs_default_iops_test": 9000, + "dbf_device": "nvme5n1", + "dbf_path": "/CCMS/EBS/dbf", + "ebs_type_ebsdb_backup": "gp3" + } + }, + "webgate_ebs": { + "u01": { + "mapping": "u01", + "type": "io2", + "device_name": "/dev/sdh" + } + }, + "cloudwatch_ec2": { + "cpu": { + "eval_periods": 1, + "period": 60, + "threshold": 80 + }, + "mem": { + "eval_periods": 2, + "period": 60, + "threshold": 10 + }, + "disk": { + "eval_periods": 2, + "period": 60, + "threshold": 80, + "threshold_dbf": 90 + }, + "iowait": { + "eval_periods": 6, + "period": 60, + "threshold": 90 + }, + "insthc": { + "eval_periods": 3, + "period": 60, + "threshold": 1 + }, + "syshc": { + "eval_periods": 3, + "period": 60, + "threshold": 1 + } + }, + "cw_log_groups": { + "cwagent-var-log-messages": { + "retention_days": 30 + }, + "cwagent-var-log-secure": { + "retention_days": 90 } } } 
diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf
new file mode 100644
index 00000000000..674bc41f6fd
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf
@@ -0,0 +1,62 @@
+## Certificates
+# *.laa-development.modernisation-platform.service.justice.gov.uk
+# *.laa-test.modernisation-platform.service.justice.gov.uk
+# *.laa-preproduction.modernisation-platform.service.justice.gov.uk
+
+resource "aws_acm_certificate" "external" {
+ count = local.is-production ? 0 : 1
+
+ validation_method = "DNS"
+ domain_name = "modernisation-platform.service.justice.gov.uk"
+ subject_alternative_names = [
+ "*.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+ ]
+
+ tags = merge(local.tags,
+ { Environment = local.environment }
+ )
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+
+
+## Validation
+resource "aws_route53_record" "external_validation" {
+ depends_on = [
+// aws_instance.ec2_oracle_ebs
+ ]
+
+ provider = aws.core-network-services
+
+ for_each = {
+ for dvo in local.cert_opts : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+ allow_overwrite = true
+ name = each.value.name
+ records = [each.value.record]
+ ttl = 60
+ type = each.value.type
+ zone_id = local.cert_zone_id
+}
+
+resource "aws_acm_certificate_validation" "external" {
+ count = local.is-production ? 1 : 1
+
+ depends_on = [
+ aws_route53_record.external_validation
+ ]
+
+ certificate_arn = local.cert_arn
+ validation_record_fqdns = [for record in aws_route53_record.external_validation : record.fqdn]
+
+ timeouts {
+ create = "10m"
+ }
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/cloudwatch.tf b/terraform/environments/ccms-ebs-upgrade/cloudwatch.tf
new file mode 100644
index 00000000000..0c16f43e750
--- /dev/null
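Review bot: `count = local.is-production ? 1 : 1` on `aws_acm_certificate_validation.external` is 1 in both branches, while `aws_acm_certificate.external` uses `count = local.is-production ? 0 : 1`; in production the certificate does not exist but the validation is still created, and `local.cert_arn`/`local.cert_opts` in member-locals.tf index `aws_acm_certificate.external[0]` unconditionally, so a production plan fails with an invalid index. Either give the validation the same `count = local.is-production ? 0 : 1` and make the locals tolerate the empty list (for example `one(aws_acm_certificate.external[*].arn)`), or drop the `count` from the certificate if production is meant to get one as well. The `depends_on = [ // aws_instance.ec2_oracle_ebs ]` on `aws_route53_record.external_validation` is now an empty list with a commented-out entry, and `//` is not the `#` comment style used elsewhere in this change; remove the block or restore the dependency. `allow_overwrite = true` on those validation records will also silently replace any existing record of the same name in the `network-services` zone, which deserves a one-line comment stating that this is intended.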
+++ b/terraform/environments/ccms-ebs-upgrade/cloudwatch.tf 
@@ -0,0 +1,126 @@ +resource "aws_ssm_document" "cloud_watch_agent" { + name = "InstallAndManageCloudWatchAgent" + document_type = "Command" + document_format = "YAML" + content = file("./templates/install-and-manage-cwagent.yaml") + + tags = merge( + local.tags, + { + Name = "install-and-manage-cloud-watch-agent" + }, + ) +} + +resource "aws_cloudwatch_log_group" "groups" { + for_each = local.application_data.cw_log_groups + name = each.key + retention_in_days = each.value.retention_days + + tags = merge( + local.tags, + { + Name = each.key + }, + ) +} + +resource "aws_ssm_parameter" "cw_agent_config" { + description = "cloud watch agent config" + name = "cloud-watch-config" + type = "String" + value = file("./templates/cw_agent_config.json") + + tags = merge(local.tags, + { Name = "cw-config" } + ) +} + +resource "aws_ssm_association" "update_ssm_agent" { + name = "AWS-UpdateSSMAgent" + association_name = "update-ssm-agent" + parameters = { + allowDowngrade = "false" + } + targets { + # we could just target all instances, but this would also include the bastion, which gets rebuilt everyday + key = "tag:name" + values = [lower(format("ec2-%s-%s-*", local.application_name, local.environment))] + } + apply_only_at_cron_interval = false + schedule_expression = "cron(30 7 ? 
* MON *)" +} + +data "aws_iam_policy_document" "cloudwatch_datasource" { + statement { + sid = "AllowReadWriteForCloudWatch" + effect = "Allow" + actions = [ + "cloudwatch:PutMetricData", + "cloudwatch:DescribeAlarmsForMetric", + "cloudwatch:DescribeAlarmHistory", + "cloudwatch:DescribeAlarms", + "cloudwatch:ListMetrics", + "cloudwatch:GetMetricData", + "cloudwatch:GetInsightRuleReport" + ] + #tfsec:ignore:aws-iam-no-policy-wildcards + resources = ["*"] + } + statement { + sid = "AllowReadingLogsFromCloudWatch" + effect = "Allow" + actions = [ + "logs:DescribeLogGroups", + "logs:GetLogGroupFields", + "logs:StartQuery", + "logs:StopQuery", + "logs:GetQueryResults", + "logs:GetQueryResults", + "logs:GetLogEvents" + ] + #tfsec:ignore:aws-iam-no-policy-wildcards + resources = ["*"] + } + statement { + sid = "AllowReadingTagsInstancesRegionsFromEC2" + effect = "Allow" + actions = [ + "ec2:DescribeRegions", + "ec2:DescribeVolumes", + "ec2:DescribeTags", + "ec2:DescribeInstances", + "ec2:DescribeRegions" + ] + resources = ["*"] + } + statement { + sid = "AllowReadingResourcesForTags" + effect = "Allow" + actions = [ + "tag:GetResources" + ] + resources = ["*"] + } + +} + +resource "aws_iam_policy" "cloudwatch_datasource_policy" { + name = "cloudwatch-datasource-policy" + path = "/" + description = "Policy for the Monitoring Cloudwatch Datasource" + policy = data.aws_iam_policy_document.cloudwatch_datasource.json + tags = merge( + local.tags, + { + Name = "cloudwatch-datasource-policy" + }, + ) +} + +resource "aws_iam_role_policy_attachment" "cloudwatch_datasource_policy_attach" { + policy_arn = aws_iam_policy.cloudwatch_datasource_policy.arn + #role = aws_iam_role.cloudwatch-datasource-role.name + role = aws_iam_role.role_stsassume_oracle_base.name + +} diff --git a/terraform/environments/ccms-ebs-upgrade/dlm.tf b/terraform/environments/ccms-ebs-upgrade/dlm.tf new file mode 100644 index 00000000000..dcee6cafbf4 --- /dev/null 
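Review bot: `aws_iam_role_policy_attachment.cloudwatch_datasource_policy_attach` attaches `cloudwatch_datasource_policy` to `aws_iam_role.role_stsassume_oracle_base` — the role behind the EC2 instance profile `iam_instace_profile_ccms_base` in iam.tf — with the intended `cloudwatch-datasource-role` left as a comment, so every instance using that profile gets `logs:StartQuery`, `logs:GetQueryResults` and `logs:GetLogEvents` on `resources = ["*"]`, i.e. read access to every log group in the account, while the agent's own write permissions already come from `cw_logging_policy`. Attach the datasource policy to a dedicated role for the monitoring datasource, or scope the `logs:*` statement to the log groups this stack creates (`aws_cloudwatch_log_group.groups`). The policy document lists `logs:GetQueryResults` and `ec2:DescribeRegions` twice; drop the duplicates. The `update_ssm_agent` association targets `tag:name`, whereas every tag set in this change is `Name` and tag keys are case-sensitive — confirm the instances really carry a lowercase `name` tag or switch to `tag:Name`.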
+++ b/terraform/environments/ccms-ebs-upgrade/dlm.tf @@ -0,0 +1,88 @@ +# Data Lifecycle Manager + +resource "aws_iam_role" "dlm_lifecycle_role" { + count = local.is-production ? 0 : 1 + name = "dlm-lifecycle-role" + + assume_role_policy = < sub } + security_group_id = each.value + type = "ingress" + description = "All internal traffic" + protocol = "all" + from_port = 0 + to_port = 0 + cidr_blocks = [ + data.aws_subnet.data_subnets_a.cidr_block, + data.aws_subnet.data_subnets_b.cidr_block, + data.aws_subnet.data_subnets_c.cidr_block, + data.aws_subnet.private_subnets_a.cidr_block, + data.aws_subnet.private_subnets_b.cidr_block, + data.aws_subnet.private_subnets_c.cidr_block + ] +} + +resource "aws_security_group_rule" "all_internal_egress_traffic" { + for_each = { for sub in data.aws_security_groups.all_security_groups.ids : sub => sub } + security_group_id = each.value + #security_group_id = aws_security_group.ec2_sg_oracle_base.id + type = "egress" + description = "All internal traffic" + protocol = "all" + from_port = 0 + to_port = 0 + cidr_blocks = [ + data.aws_subnet.data_subnets_a.cidr_block, + data.aws_subnet.data_subnets_b.cidr_block, + data.aws_subnet.data_subnets_c.cidr_block, + data.aws_subnet.private_subnets_a.cidr_block, + data.aws_subnet.private_subnets_b.cidr_block, + data.aws_subnet.private_subnets_c.cidr_block + ] +} + diff --git a/terraform/environments/ccms-ebs-upgrade/iam.tf b/terraform/environments/ccms-ebs-upgrade/iam.tf new file mode 100644 index 00000000000..9f5696f3711 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/iam.tf 
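Review bot: `aws_security_group_rule.all_internal_ingress_traffic` and `all_internal_egress_traffic` add `protocol = "all"`, port 0–0 rules over all six data and private subnet CIDRs to every group returned by `data.aws_security_groups.all_security_groups` (any security group whose Name tag matches `*ccms*`), which removes whatever per-tier segmentation the dedicated security groups provide and may also modify groups this stack did not create. Restrict the rules to the ports each tier needs, or at least apply them to the specific `aws_security_group` resources rather than a tag glob, and add a comment explaining why an any/any rule is required if one must stay. The rendering of this patch is damaged here: everything between `assume_role_policy = <` in dlm.tf and `sub }` is missing (presumably lost at a heredoc), so the DLM role trust policy and the files between dlm.tf and these rules — which the diffstat lists as ec2-oracle_ebs_db-cloudwatch.tf, ec2-oracle_ebs_db-sg.tf, ec2-oracle_ebs_db.tf and ec2-security_groups.tf — could not be reviewed.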
@@ -0,0 +1,246 @@ +## SSM Specific +resource "aws_iam_policy" "ec2_ssm_policy" { + name = "ssm_ec2_policy-${local.environment}" + description = "allows SSM Connect logging" + + policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:PutLogEvents" + ], + "Resource" : [ + "arn:aws:logs:eu-west-2::log-group:/aws/ssm/*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "ssm:*" + ], + "Resource" : [ + "arn:aws:ssm:eu-west-2:767123802783:*" + ] + }, + { + "Action" : "s3:GetObject", + "Effect" : "Allow", + "Resource" : [ + "arn:aws:s3:::patch-baseline-snapshot-eu-west-2/*", + "arn:aws:s3:::eu-west-2-birdwatcher-prod/*", + "arn:aws:s3:::aws-windows-downloads-eu-west-2/*", + "arn:aws:s3:::aws-ssm-eu-west-2/*", + "arn:aws:s3:::aws-ssm-document-attachments-eu-west-2/*", + "arn:aws:s3:::aws-ssm-distributor-file-eu-west-2/*", + "arn:aws:s3:::amazon-ssm-packages-eu-west-2/*", + "arn:aws:s3:::amazon-ssm-eu-west-2/*" + ] + } + ] + } + ) +} + +resource "aws_iam_role_policy_attachment" "ssm_logging_oracle_base" { + role = aws_iam_role.role_stsassume_oracle_base.name + policy_arn = aws_iam_policy.ec2_ssm_policy.arn +} + +## Oracle EC2 Policies +resource "aws_iam_role" "role_stsassume_oracle_base" { + name = "role_stsassume_oracle_base" + path = "/" + max_session_duration = "3600" + assume_role_policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Service" : "ec2.amazonaws.com" + } + "Action" : "sts:AssumeRole", + "Condition" : {} + } + ] + } + ) + tags = merge(local.tags, + { Name = lower(format("RoleSsm-%s-%s-OracleBase", local.application_name, local.environment)) } + ) +} + +resource "aws_iam_role_policy_attachment" "ssm_policy_oracle_base" { + role = aws_iam_role.role_stsassume_oracle_base.name + policy_arn = 
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +} + +# Attach Secrets Manager Policy to Role +resource "aws_iam_role_policy_attachment" "secrets_manager_policy_oracle_base" { + role = aws_iam_role.role_stsassume_oracle_base.name + policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite" +} + +resource "aws_iam_instance_profile" "iam_instace_profile_ccms_base" { + name = "iam_instace_profile_ccms_base" + role = aws_iam_role.role_stsassume_oracle_base.name + path = "/" + tags = merge(local.tags, + { Name = lower(format("IamProfile-%s-%s-OracleBase", local.application_name, local.environment)) } + ) +} + +# Cloudwatch Logging +resource "aws_iam_policy" "cw_logging_policy" { + name = "cw_log_policy-${local.environment}" + description = "allows EC2 CW logging" + + policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:PutLogEvents" + ], + "Resource" : [ + "arn:aws:logs:*:*:*" + ] + } + ] + } + ) +} + +resource "aws_iam_role_policy_attachment" "cw_logging_policy" { + role = aws_iam_role.role_stsassume_oracle_base.name + policy_arn = aws_iam_policy.cw_logging_policy.arn +} + +# RMAN policy +resource "aws_iam_policy" "rman_to_s3" { + name = "ec2_to_s3_policy-${local.environment}" + description = "allows EC2 to write to S3" + + policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "s3:GetBucketLocation", + "s3:ListAllMyBuckets" + ], + "Resource" : "arn:aws:s3:::*" + }, + { + "Effect" : "Allow", + "Action" : ["s3:ListBucket"], + "Resource" : [ + "arn:aws:s3:::ccms-ebs-*-dbbackup", + "arn:aws:s3:::ccms-ebs-*-dbbackup/*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "s3:PutObject", + "s3:GetObject", + "s3:ListBucket", + "s3:DeleteObject" + ], + "Resource" : [ + "arn:aws:s3:::ccms-ebs-*-dbbackup", + 
"arn:aws:s3:::ccms-ebs-*-dbbackup/*" + ] + } + ] + } + ) +} + +resource "aws_iam_role_policy_attachment" "rman_to_s3_policy" { + role = aws_iam_role.role_stsassume_oracle_base.name + policy_arn = aws_iam_policy.rman_to_s3.arn +} + +# Oracle Licensing policy +resource "aws_iam_policy" "oracle_licensing" { + name = "oracle_licensing_policy-${local.environment}" + description = "Allows licensing metrics to be captured" + + policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : [ + "s3:PutObject", + "s3:GetObject", + "s3:PutObjectAcl", + "s3:ListBucket", + "s3:DeleteObject" + ], + "Resource" : [ + "arn:aws:s3:::license-manager-artifact-bucket/*", + "arn:aws:s3:::license-manager-artifact-bucket" + ], + "Effect" : "Allow", + "Sid" : "SSMS3BucketPolicy" + } + ] + } + ) +} + +resource "aws_iam_role_policy_attachment" "oracle_licensing_policy" { + role = aws_iam_role.role_stsassume_oracle_base.name + policy_arn = aws_iam_policy.oracle_licensing.arn +} + +# Access to LZ buckets. +resource "aws_iam_policy" "access_to_lz_buckets" { + name = "access_to_lz_buckets-${local.environment}" + description = "Allows licensing metrics to be captured" + + policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "AccessToLZBuckets", + "Effect" : "Allow", + "Action" : [ + "s3:DeleteObject", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject" + ], + "Resource" : [ + "arn:aws:s3:::laa-ccms-inbound-*", + "arn:aws:s3:::laa-ccms-outbound-*" + ] + } + ] + } + ) +} + +resource "aws_iam_role_policy_attachment" "access_to_lz_buckets_policy" { + role = aws_iam_role.role_stsassume_oracle_base.name + policy_arn = aws_iam_policy.access_to_lz_buckets.arn +} diff --git a/terraform/environments/ccms-ebs-upgrade/kms.tf b/terraform/environments/ccms-ebs-upgrade/kms.tf new file mode 100644 index 00000000000..f80a22405c9 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/kms.tf 
@@ -0,0 +1,12 @@
+resource "aws_kms_key" "oracle_ec2" {
+ enable_key_rotation = true
+
+ tags = merge(local.tags,
+ { Name = "oracle_ec2" }
+ )
+}
+
+resource "aws_kms_alias" "oracle_ec2_alias" {
+ name = "alias/ec2_oracle_key"
+ target_key_id = aws_kms_key.oracle_ec2.arn
+}
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/locals.tf b/terraform/environments/ccms-ebs-upgrade/locals.tf
deleted file mode 100644
index a7454414911..00000000000
--- a/terraform/environments/ccms-ebs-upgrade/locals.tf
+++ /dev/null
@@ -1 +0,0 @@
-#### This file can be used to store locals specific to the member account ####
diff --git a/terraform/environments/ccms-ebs-upgrade/member-data.tf b/terraform/environments/ccms-ebs-upgrade/member-data.tf
new file mode 100644
index 00000000000..51f7c3f54f4
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/member-data.tf
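Review bot: `aws_kms_key.oracle_ec2` has no `description`, so in the console and in `describe-key` output it is identifiable only through its `Name` tag and the `alias/ec2_oracle_key` alias; add a line such as `description = "CMK for the ccms-ebs-upgrade Oracle EC2 volumes"` (adjusted to what the key actually protects — nothing visible in this commit shows its use) next to `enable_key_rotation`. The file also ends without a trailing newline.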
@@ -0,0 +1,52 @@
+#### This file can be used to store data specific to the member account ####
+
+
+## SECRETS
+data "aws_secretsmanager_secret" "support_email_account" {
+ name = "support_email_account"
+ depends_on = [
+ aws_secretsmanager_secret.support_email_account
+ ]
+}
+
+data "aws_secretsmanager_secret_version" "support_email_account" {
+ secret_id = data.aws_secretsmanager_secret.support_email_account.id
+ depends_on = [
+ aws_secretsmanager_secret_version.support_email_account
+ ]
+}
+
+## SECURITY GROUPS
+data "aws_security_groups" "all_security_groups" {
+ filter {
+ name = "tag:Name"
+ values = ["*ccms*"]
+ }
+}
+
+## S3 NOTIFICATIONS
+data "aws_iam_policy_document" "s3_topic_policy" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["s3.amazonaws.com"]
+ }
+
+ actions = ["SNS:Publish"]
+ resources = ["arn:aws:sns:*:*:s3-event-notification-topic"]
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:SourceArn"
+ values = [
+ module.s3-bucket.bucket.arn,
+ module.s3-bucket-logging.bucket.arn,
+ module.s3-bucket-dbbackup.bucket.arn
+ ]
+ }
+ }
+}
+
+
diff --git a/terraform/environments/ccms-ebs-upgrade/member-locals.tf b/terraform/environments/ccms-ebs-upgrade/member-locals.tf
new file mode 100644
index 00000000000..3efe8f9b902
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/member-locals.tf
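Review bot: `data.aws_secretsmanager_secret.support_email_account` and `data.aws_secretsmanager_secret_version.support_email_account` read back objects that this same configuration manages (the `depends_on` entries point at `aws_secretsmanager_secret.support_email_account` and `aws_secretsmanager_secret_version.support_email_account`); a data source that depends on a managed resource with pending changes is deferred to apply, so every plan that touches the secret shows whatever consumes these values as unknown. Reference the resources directly (`aws_secretsmanager_secret_version.support_email_account.secret_string`) and delete the two data blocks. `data.aws_security_groups.all_security_groups` matches by the glob `tag:Name = *ccms*`, which also picks up any group in the account whose name merely contains `ccms`; where it drives the any/any `all_internal_*` rules elsewhere in this commit, prefer an explicit list of the groups this stack creates.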
@@ -0,0 +1,31 @@
+#### This file can be used to store locals specific to the member account ####
+locals {
+ artefact_bucket_name = "${local.application_name}-${local.environment}-artefacts"
+ logging_bucket_name = "${local.application_name}-${local.environment}-logging"
+ rsync_bucket_name = "${local.application_name}-${local.environment}-dbbackup"
+ lb_log_prefix_ebsapp = "ebsapps-lb"
+ lb_log_prefix_wgate = "wgate-lb"
+ lb_log_prefix_wgate_public = "wgate-lb-public"
+
+ data_subnets = [
+ data.aws_subnet.data_subnets_a.id,
+ data.aws_subnet.data_subnets_b.id,
+ data.aws_subnet.data_subnets_c.id
+ ]
+
+ private_subnets = [
+ data.aws_subnet.private_subnets_a.id,
+ data.aws_subnet.private_subnets_b.id,
+ data.aws_subnet.private_subnets_c.id
+ ]
+
+ public_subnets = [
+ data.aws_subnet.public_subnets_a.id,
+ data.aws_subnet.public_subnets_b.id,
+ data.aws_subnet.public_subnets_c.id
+ ]
+
+ cert_opts = aws_acm_certificate.external[0].domain_validation_options
+ cert_arn = aws_acm_certificate.external[0].arn
+ cert_zone_id = data.aws_route53_zone.network-services.zone_id
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/modules/cloudwatch.tf b/terraform/environments/ccms-ebs-upgrade/modules/cloudwatch.tf
new file mode 100644
index 00000000000..cc32963f152
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/modules/cloudwatch.tf
@@ -0,0 +1,287 @@
+resource "aws_cloudwatch_metric_alarm" "cpu" {
+ alarm_name = "example"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = "CPUUtilization"
+ namespace = "AWS/EC2"
+ period = "60"
+ statistic = "Average"
+ threshold = "80"
+ alarm_description = "Monitors ec2 cpu utilisation"
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ dimensions = {
+ instanceId = aws_instance.ec2_oracle_ebs.id
+ }
+}
+# ==============================================================================
+# Alerts - LINUX
+# ==============================================================================
+
+# Low Available Memory Alarm
+resource "aws_cloudwatch_metric_alarm" "low_available_memory" {
+ alarm_name = "low_available_memory"
+ comparison_operator = "LessThanOrEqualToThreshold"
+ evaluation_periods = "2"
+ datapoints_to_alarm = "2"
+ metric_name = "mem_available_percent"
+ namespace = "CWAgent"
+ period = "60"
+ statistic = "Average"
+ threshold = "10"
+ alarm_description = "This metric monitors the amount of available memory. If the amount of available memory is less than 10% for 2 minutes, the alarm will trigger."
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ dimensions = {
+ instanceId = aws_instance.ec2_oracle_ebs.id
+ }
+
+ tags = {
+ Name = "low_available_memory"
+ }
+}
+
+# High CPU IOwait Alarm
+resource "aws_cloudwatch_metric_alarm" "cpu_usage_iowait" {
+ alarm_name = "cpu_usage_iowait"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "6"
+ datapoints_to_alarm = "5"
+ metric_name = "cpu_usage_iowait"
+ namespace = "CWAgent"
+ period = "60"
+ statistic = "Average"
+ threshold = "90"
+ alarm_description = "This metric monitors the amount of CPU time spent waiting for I/O to complete. If the average CPU time spent waiting for I/O to complete is greater than 90% for 30 minutes, the alarm will trigger."
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ dimensions = {
+ instanceId = aws_instance.ec2_oracle_ebs.id
+ }
+ tags = {
+ Name = "cpu_usage_iowait"
+ }
+}
+
+# Disk Free Alarm
+resource "aws_cloudwatch_metric_alarm" "disk_free" {
+ alarm_name = "disk_free"
+ comparison_operator = "LessThanOrEqualToThreshold"
+ evaluation_periods = "2"
+ datapoints_to_alarm = "2"
+ metric_name = "disk_free"
+ namespace = "CWAgent"
+ period = "60"
+ statistic = "Average"
+ threshold = "15"
+ alarm_description = "This metric monitors the amount of free disk space on the instance. If the amount of free disk space falls below 15% for 2 minutes, the alarm will trigger"
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ dimensions = {
+ instanceId = aws_instance.ec2_oracle_ebs.id
+ }
+ tags = {
+ Name = "disk_free"
+ }
+}
+
+# CPU Utilization Alarm
+resource "aws_cloudwatch_metric_alarm" "cpu_utilization" {
+ alarm_name = "cpu_utilization" # name of the alarm
+ comparison_operator = "GreaterThanOrEqualToThreshold" # threshold to trigger the alarm state
+ evaluation_periods = "15" # how many periods over which to evaluate the alarm
+ datapoints_to_alarm = "15" # how many datapoints must be breaching the threshold to trigger the alarm
+ metric_name = "CPUUtilization" # name of the alarm's associated metric
+ namespace = "AWS/EC2" # namespace of the alarm's associated metric
+ period = "60" # period in seconds over which the specified statistic is applied
+ statistic = "Average" # could be Average/Minimum/Maximum etc.
+ threshold = "95" # threshold for the alarm - see comparison_operator for usage
+ alarm_description = "Triggers if the average cpu remains at 95% utilization or above for 15 minutes"
+ alarm_actions = [aws_sns_topic.cw_alerts.arn] # SNS topic to send the alarm to
+ dimensions = {
+ instanceId = aws_instance.ec2_oracle_ebs.id
+ }
+ tags = {
+ Name = "cpu_utilization"
+ }
+}
+
+# ==============================================================================
+# EC2 Instance Statuses
+# ==============================================================================
+
+# Instance Health Alarm
+resource "aws_cloudwatch_metric_alarm" "instance_health_check" {
+ alarm_name = "instance_health_check_failed"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "3"
+ metric_name = "StatusCheckFailed_Instance"
+ namespace = "AWS/EC2"
+ period = "60"
+ statistic = "Average"
+ threshold = "1"
+ alarm_description = "Instance status checks monitor the software and network configuration of your individual instance. When an instance status check fails, you typically must address the problem yourself: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-system-instance-status-check.html"
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ dimensions = {
+ instanceId = aws_instance.ec2_oracle_ebs.id
+ }
+ tags = {
+ Name = "instance_health_check"
+ }
+}
+
+# Status Check Alarm
+resource "aws_cloudwatch_metric_alarm" "system_health_check" {
+ alarm_name = "system_health_check_failed"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "3"
+ metric_name = "StatusCheckFailed_System"
+ namespace = "AWS/EC2"
+ period = "60"
+ statistic = "Average"
+ threshold = "1"
+ alarm_description = "System status checks monitor the AWS systems on which your instance runs. These checks detect underlying problems with your instance that require AWS involvement to repair: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-system-instance-status-check.html"
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ dimensions = {
+ instanceId = aws_instance.ec2_oracle_ebs.id
+ }
+ tags = {
+ Name = "system_health_check"
+ }
+}
+
+# ==============================================================================
+# Load Balancer Alerts
+# ==============================================================================
+
+resource "aws_cloudwatch_metric_alarm" "load_balancer_unhealthy_state_routing" {
+ alarm_name = "load_balancer_unhealthy_state_routing"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "3"
+ metric_name = "UnHealthyStateRouting"
+ namespace = "AWS/ApplicationELB"
+ period = "60"
+ statistic = "Average"
+ threshold = "1"
+ alarm_description = "This metric monitors the number of unhealthy hosts in the routing table for the load balancer. If the number of unhealthy hosts is greater than 0 for 3 minutes."
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ dimensions = {
+ TargetGroup = aws_lb_target_group.ebsapp_tg.arn_suffix
+ LoadBalancer = aws_lb.ebsapps_lb.arn_suffix
+ }
+ tags = {
+ Name = "load_balancer_unhealthy_state_routing"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "load_balancer_unhealthy_state_dns" {
+ alarm_name = "load_balancer_unhealthy_state_dns"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "3"
+ metric_name = "UnHealthyStateDNS"
+ namespace = "AWS/ApplicationELB"
+ period = "60"
+ statistic = "Average"
+ threshold = "1"
+ alarm_description = "This metric monitors the number of unhealthy hosts in the DNS table for the load balancer. If the number of unhealthy hosts is greater than 0 for 3 minutes."
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ dimensions = {
+ TargetGroup = aws_lb_target_group.ebsapp_tg.arn_suffix
+ LoadBalancer = aws_lb.ebsapps_lb.arn_suffix
+ }
+ tags = {
+ Name = "load_balancer_unhealthy_state_dns"
+ }
+}
+/*
+# ==============================================================================
+# Oracle DB Alerts
+# ==============================================================================
+
+# Oracle db connection issue
+resource "aws_cloudwatch_metric_alarm" "oracle_db_disconnected" {
+ alarm_name = "oracle_db_disconnected"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "5"
+ datapoints_to_alarm = "5"
+ metric_name = "collectd_exec-db_connected"
+ namespace = "CWAgent"
+ period = "60"
+ statistic = "Average"
+ threshold = "1"
+ alarm_description = "Oracle db connection to a particular SID is not working"
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ tags = {
+ Name = "oracle_db_disconnected"
+ }
+}
+
+# Oracle batch processing issue
+resource "aws_cloudwatch_metric_alarm" "oracle_batch_error" {
+ alarm_name = "oracle_batch_error"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "5"
+ datapoints_to_alarm = "5"
+ metric_name = "collectd_exec-batch_error"
+ namespace = "CWAgent"
+ period = "60"
+ statistic = "Average"
+ threshold = "1"
+ alarm_description = "Oracle db is either in long-running batch or failed batch status"
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ tags = {
+ Name = "oracle_batch_error"
+ }
+}
+
+
+# This may be overkill as unhealthy hosts will trigger an alert themselves (or should do) independently.
+resource "aws_cloudwatch_metric_alarm" "load_balancer_unhealthy_state_target" {
+ alarm_name = "load_balancer_unhealthy_state_target"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "3"
+ metric_name = "UnHealthyStateTarget"
+ namespace = "AWS/ApplicationELB"
+ period = "60"
+ statistic = "Average"
+ threshold = "1"
+ alarm_description = "This metric monitors the number of unhealthy hosts in the target table for the load balancer. If the number of unhealthy hosts is greater than 0 for 3 minutes."
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ tags = {
+ Name = "load_balancer_unhealthy_state_target"
+ }
+}
+
+# ==============================================================================
+# Certificate Alerts - Days to Expiry
+# Certificates are managed by AWS Certificate Manager (ACM) so there shouldn't be any reason why these don't renew automatically.
+# ==============================================================================
+
+resource "aws_cloudwatch_metric_alarm" "cert_expires_in_30_days" {
+ alarm_name = "cert_expires_in_30_days"
+ comparison_operator = "LessThanThreshold"
+ evaluation_periods = "1"
+ metric_name = "DaysToExpiry"
+ namespace = "AWS/ACM"
+ period = "60"
+ statistic = "Average"
+ threshold = "30"
+ alarm_description = "This metric monitors the number of days until the certificate expires. If the number of days is less than 30."
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ tags = {
+ Name = "cert_expires_in_30_days"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "cert_expires_in_2_days" {
+ alarm_name = "cert_expires_in_2_days"
+ comparison_operator = "LessThanThreshold"
+ evaluation_periods = "1"
+ metric_name = "DaysToExpiry"
+ namespace = "AWS/ACM"
+ period = "60"
+ statistic = "Average"
+ threshold = "2"
+ alarm_description = "This metric monitors the number of days until the certificate expires. If the number of days is less than 2."
+ alarm_actions = [aws_sns_topic.cw_alerts.arn]
+ tags = {
+ Name = "cert_expires_in_2_days"
+ }
+}
+*/
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/modules/cw-ec2/main.tf b/terraform/environments/ccms-ebs-upgrade/modules/cw-ec2/main.tf
new file mode 100644
index 00000000000..435dbe5d10d
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/modules/cw-ec2/main.tf
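Review bot: Every `dimensions` block in this file uses the key `instanceId`, but EC2 publishes its metrics under `InstanceId` (dimension names are case-sensitive) and the CloudWatch agent's append_dimensions uses the same spelling, so none of these alarms will match a metric and they will sit in INSUFFICIENT_DATA rather than ever alarming; the cw-ec2 module added in this same commit spells it `InstanceId = var.instanceId` correctly. The first resource, `aws_cloudwatch_metric_alarm.cpu`, still carries the placeholder `alarm_name = "example"` and duplicates the later `cpu_utilization` alarm, so it should be removed or given a real name. `disk_free` is a byte-valued agent metric, so `threshold = "15"` under a description of "falls below 15%" fires only when 15 bytes remain; the percentage form used by `disk_used` in modules/cw-ec2/main.tf (`metric_name = "disk_used_percent"` with `GreaterThanOrEqualToThreshold`) is what the description intends. None of the alarms set `treat_missing_data`, which is worth deciding explicitly for the status-check alarms since a stopped instance stops reporting altogether.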
@@ -0,0 +1,184 @@
+locals {
+ topic = var.topic
+ name = var.name
+}
+
+# CPU Utilization
+resource "aws_cloudwatch_metric_alarm" "cpu_utilization" {
+ alarm_name = "${var.short_env}-${local.name}-cpu_utilization"
+ alarm_description = "Monitors ec2 cpu utilisation"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ metric_name = "CPUUtilization"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ insufficient_data_actions = []
+
+ evaluation_periods = var.cpu_eval_periods
+ datapoints_to_alarm = var.cpu_datapoints
+ period = var.cpu_period
+ threshold = var.cpu_threshold
+ alarm_actions = [local.topic]
+ dimensions = {
+ InstanceId = var.instanceId
+ ImageId = var.imageId
+ InstanceType = var.instanceType
+ }
+}
+
+# Low Available Memory Alarm
+resource "aws_cloudwatch_metric_alarm" "low_available_memory" {
+ alarm_name = "${var.short_env}-${local.name}-low_available_memory"
+ alarm_description = "This metric monitors the amount of available memory. If the amount of available memory is less than 10% for 2 minutes, the alarm will trigger."
+ comparison_operator = "LessThanOrEqualToThreshold"
+ metric_name = "mem_available_percent"
+ namespace = "CWAgent"
+ statistic = "Average"
+ insufficient_data_actions = []
+
+ evaluation_periods = var.mem_eval_periods
+ datapoints_to_alarm = var.mem_datapoints
+ period = var.mem_period
+ threshold = var.mem_threshold
+ alarm_actions = [var.topic]
+ dimensions = {
+ InstanceId = var.instanceId
+ ImageId = var.imageId
+ InstanceType = var.instanceType
+ }
+}
+/*
+# Disk Free Alarm
+resource "aws_cloudwatch_metric_alarm" "disk_free" {
+ alarm_name = "${var.short_env}-${local.name}-disk_free_root"
+ alarm_description = "This metric monitors the amount of free disk space on the instance. If the amount of free disk space on root falls below 15% for 2 minutes, the alarm will trigger"
+ comparison_operator = "LessThanOrEqualToThreshold"
+ metric_name = "disk_free"
+ namespace = "CWAgent"
+ statistic = "Average"
+ insufficient_data_actions = []
+
+ evaluation_periods = var.disk_eval_periods
+ datapoints_to_alarm = var.disk_datapoints
+ period = var.disk_period
+ threshold = var.disk_threshold
+ alarm_actions = [var.topic]
+ dimensions = {
+ InstanceId = var.instanceId
+ ImageId = var.imageId
+ InstanceType = var.instanceType
+ path = "/"
+ device = var.rootDevice
+ fstype = var.fileSystem
+ }
+}
+*/
+
+# Disk Used % Alarm (more adapable than the Disk Free alarm, due to percentage instead of bytes)
+resource "aws_cloudwatch_metric_alarm" "disk_used" {
+ alarm_name = "${var.short_env}-${local.name}-disk_used_root"
+ alarm_description = "This metric monitors the amount of used disk space on the instance. If the amount of free disk space on root exceeds 80% for 2 minutes, the alarm will trigger"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ metric_name = "disk_used_percent"
+ namespace = "CWAgent"
+ statistic = "Average"
+ insufficient_data_actions = []
+
+ evaluation_periods = var.disk_eval_periods
+ datapoints_to_alarm = var.disk_datapoints
+ period = var.disk_period
+ threshold = var.disk_threshold
+ alarm_actions = [var.topic]
+ dimensions = {
+ InstanceId = var.instanceId
+ ImageId = var.imageId
+ InstanceType = var.instanceType
+ path = "/"
+ device = var.rootDevice
+ fstype = var.fileSystem
+ }
+}
+
+/*
+# High CPU IOwait Alarm
+resource "aws_cloudwatch_metric_alarm" "cpu_usage_iowait" {
+ alarm_name = "${local.name}-cpu_usage_iowait"
+ alarm_description = "This metric monitors the amount of CPU time spent waiting for I/O to complete. If the average CPU time spent waiting for I/O to complete is greater than 90% for 30 minutes, the alarm will trigger."
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ metric_name = "cpu_usage_iowait"
+ namespace = "CWAgent"
+ statistic = "Average"
+ insufficient_data_actions = []
+
+ evaluation_periods = var.eval_periods
+ datapoints_to_alarm = var.eval_periods
+ period = var.period
+ threshold = var.threshold
+ alarm_actions = [var.topic]
+ dimensions = {
+ InstanceId = var.instanceId
+ ImageId = var.imageId
+ InstanceType = var.instanceType
+ cpu = ""
+ }
+}
+*/
+
+# ==============================================================================
+# EC2 Instance Statuses
+# ==============================================================================
+
+# Instance Health Alarm
+resource "aws_cloudwatch_metric_alarm" "instance_health_check" {
+ alarm_name = "${var.short_env}-${local.name}-instance_health_check_failed"
+ alarm_description = "Instance status checks monitor the software and network configuration of your individual instance. When an instance status check fails, you typically must address the problem yourself: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-system-instance-status-check.html"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ metric_name = "StatusCheckFailed_Instance"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ insufficient_data_actions = []
+
+ evaluation_periods = var.insthc_eval_periods
+ period = var.insthc_period
+ threshold = var.insthc_threshold
+ alarm_actions = [var.topic]
+ dimensions = {
+ InstanceId = var.instanceId
+ }
+}
+
+# Status Check Alarm
+resource "aws_cloudwatch_metric_alarm" "system_health_check" {
+ alarm_name = "${var.short_env}-${local.name}-system_health_check_failed"
+ alarm_description = "System status checks monitor the AWS systems on which your instance runs. These checks detect underlying problems with your instance that require AWS involvement to repair: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-system-instance-status-check.html"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ metric_name = "StatusCheckFailed_System"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ insufficient_data_actions = []
+
+ evaluation_periods = var.syshc_eval_periods
+ period = var.syshc_period
+ threshold = var.syshc_threshold
+ alarm_actions = [var.topic]
+ dimensions = {
+ InstanceId = var.instanceId
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "ec2_stop_alarm" {
+ alarm_name = "${var.short_env}-${local.name}-ec2-stopped-${var.short_env}"
+ comparison_operator = "GreaterThanThreshold"
+ evaluation_periods = 1
+ metric_name = "StatusCheckFailed"
+ namespace = "AWS/EC2"
+ period = 60
+ statistic = "SampleCount"
+ threshold = 1
+
+ dimensions = {
+ InstanceId = var.instanceId
+ }
+
+ alarm_description = "This alarm will trigger when the EC2 instance stops."
+ alarm_actions = [var.topic]
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/modules/cw-ec2/variables.tf b/terraform/environments/ccms-ebs-upgrade/modules/cw-ec2/variables.tf
new file mode 100644
index 00000000000..322e0030ecd
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/modules/cw-ec2/variables.tf
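Review bot: `cpu_utilization` queries the `AWS/EC2` namespace with the combined dimension set `InstanceId`/`ImageId`/`InstanceType`, but EC2 publishes CPUUtilization under each of those dimensions separately rather than as one three-key series, so no metric matches and the alarm never leaves INSUFFICIENT_DATA; keep only `InstanceId = var.instanceId` there (the three-key set is fine for the CWAgent metrics, whose append_dimensions emit all of them together). `ec2_stop_alarm` expects `StatusCheckFailed` with `SampleCount` to exceed 1 in a 60-second period, yet a stopped instance publishes no datapoints at all, so without `treat_missing_data = "breaching"` it will not fire on the event it is named for, and while running the count per period looks like it can never exceed 1 under basic monitoring. Its `alarm_name` also interpolates `${var.short_env}` twice. Minor: the `disk_used` description says "free disk space on root exceeds 80%" where it means used space, and `cpu_utilization` reads `local.topic` while every other alarm reads `var.topic`.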
@@ -0,0 +1,105 @@
+variable "topic" {
+ type = string
+ description = "ARN of SNS topic to send alerts to"
+}
+variable "name" {
+ type = string
+ description = "name of the instance"
+}
+variable "instanceId" {
+ type = string
+ description = "the instanceId for the alarm"
+}
+variable "imageId" {
+ type = string
+ description = "the imageId for the alarm"
+}
+variable "instanceType" {
+ type = string
+ description = "the instanceType for the alarm"
+}
+variable "rootDevice" {
+ type = string
+ description = "the rootDevice for the alarm"
+}
+variable "fileSystem" {
+ type = string
+ description = "the fileSystem for the alarm"
+}
+variable "short_env" {
+ type = string
+ description = "Shortened environment name"
+}
+###################
+variable "cpu_eval_periods" {
+ type = string
+ description = "how many periods over which to evaluate the alarm"
+}
+variable "cpu_datapoints" {
+ type = string
+ description = "how many data points over which the specified statistic is applied"
+}
+variable "cpu_period" {
+ type = string
+ description = "period in seconds over which the specified statistic is applied"
+}
+variable "cpu_threshold" {
+ type = string
+ description = "threshold for the alarm"
+}
+variable "mem_eval_periods" {
+ type = string
+ description = "how many periods over which to evaluate the alarm"
+}
+variable "mem_datapoints" {
+ type = string
+ description = "how many data points over which the specified statistic is applied"
+}
+variable "mem_period" {
+ type = string
+ description = "period in seconds over which the specified statistic is applied"
+}
+variable "mem_threshold" {
+ type = string
+ description = "threshold for the alarm"
+}
+variable "disk_eval_periods" {
+ type = string
+ description = "how many periods over which to evaluate the alarm"
+}
+variable "disk_datapoints" {
+ type = string
+ description = "how many data points over which the specified statistic is applied"
+}
+variable "disk_period" {
+ type = string
+ description = "period in seconds over which the specified statistic is applied"
+}
+variable "disk_threshold" {
+ type = string
+ description = "threshold for the alarm"
+}
+variable "insthc_eval_periods" {
+ type = string
+ description = "how many periods over which to evaluate the alarm"
+}
+variable "insthc_period" {
+ type = string
+ description = "period in seconds over which the specified statistic is applied"
+}
+variable "insthc_threshold" {
+ type = string
+ description = "threshold for the alarm"
+}
+variable "syshc_eval_periods" {
+ type = string
+ description = "how many periods over which to evaluate the alarm"
+}
+variable "syshc_period" {
+ type = string
+ description = "period in seconds over which the specified statistic is applied"
+}
+variable "syshc_threshold" {
+ type = string
+ description = "threshold for the alarm"
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/main.tf b/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/main.tf
new file mode 100644
index 00000000000..9eb12e1437a
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/main.tf
@@ -0,0 +1,10 @@
+resource "aws_cloudwatch_log_group" "this" {
+ count = var.create ? 1 : 0
+
+ name = var.name
+ name_prefix = var.name_prefix
+ retention_in_days = var.retention_in_days
+ kms_key_id = var.kms_key_id
+
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/output.tf b/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/output.tf
new file mode 100644
index 00000000000..1b45d4d5381
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/output.tf
@@ -0,0 +1,9 @@
+output "cloudwatch_log_group_name" {
+ description = "Name of Cloudwatch log group"
+ value = try(aws_cloudwatch_log_group.this[0].name, "")
+}
+
+output "cloudwatch_log_group_arn" {
+ description = "ARN of Cloudwatch log group"
+ value = try(aws_cloudwatch_log_group.this[0].arn, "")
+}
\ No newline at end of file
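Review bot: The numeric inputs in cw-ec2/variables.tf (`*_eval_periods`, `*_datapoints`, `*_period`, `*_threshold`) are declared `type = string`, so Terraform cannot reject a value such as `"60s"` or an empty string at plan time and the provider is left to coerce whatever arrives; declaring them `type = number` makes the contract explicit, and a `validation` block on the periods (for example `condition = var.cpu_period >= 10`) would catch sub-minimum values before apply. `instanceId`, `imageId`, `instanceType`, `rootDevice` and `fileSystem` are camelCase while the remaining variables are snake_case; since variable names are the module's public interface, one convention should be chosen before callers are added. In the cw-logs/main.tf hunk on this same line, `aws_cloudwatch_log_group.this` passes both `name` and `name_prefix`, which the provider treats as mutually exclusive, so a caller that sets both fails at plan time with a provider error rather than a module-level message; a `lifecycle { precondition { ... } }` asserting `var.name == null || var.name_prefix == null` would surface that in the module's own terms.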
diff --git a/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/variables.tf b/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/variables.tf
new file mode 100644
index 00000000000..7068522d778
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/modules/cw-logs/variables.tf
@@ -0,0 +1,40 @@
+variable "create" {
+ description = "Whether to create the Cloudwatch log group"
+ type = bool
+ default = true
+}
+
+variable "name" {
+ description = "A name for the log group"
+ type = string
+ default = null
+}
+
+variable "name_prefix" {
+ description = "A name prefix for the log group"
+ type = string
+ default = null
+}
+
+variable "retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653."
+ type = number
+ default = null
+
+ validation {
+ condition = var.retention_in_days == null ? true : contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653], var.retention_in_days)
+ error_message = "Must be 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 or 0 (zero indicates never expire logs)."
+ }
+}
+
+variable "kms_key_id" {
+ description = "The ARN of the KMS Key to use when encrypting logs"
+ type = string
+ default = null
+}
+
+variable "tags" {
+ description = "A map of tags to add to Cloudwatch log group"
+ type = map(string)
+ default = {}
+}
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf
new file mode 100644
index 00000000000..d2e77776771
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/r53.tf
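Review bot: `kms_key_id` defaults to `null`, so a caller that does not pass a key gets a log group protected only by CloudWatch Logs' own server-side encryption, and `retention_in_days` defaulting to `null` keeps events indefinitely; both are acceptable only if that is the intended baseline for this environment, and the descriptions should say so, e.g. `description = "ARN of the customer-managed KMS key for the log group; null leaves the service-managed encryption in place"`. The `retention_in_days` description lists the accepted values without `0`, while the `validation` and its `error_message` accept `0` as never-expire; the description should match the validation. `name` and `name_prefix` are both optional here but mutually exclusive on the provider side, which neither description mentions.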
@@ -0,0 +1,9 @@
+# ## EBSDB
+# resource "aws_route53_record" "ebsdb" {
+# provider = aws.core-vpc
+# zone_id = data.aws_route53_zone.external.zone_id
+# name = "ccms-ebs-db.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+# type = "A"
+# ttl = 300
+# records = [aws_instance.ec2_oracle_ebs.private_ip]
+# }
diff --git a/terraform/environments/ccms-ebs-upgrade/s3.tf b/terraform/environments/ccms-ebs-upgrade/s3.tf
new file mode 100644
index 00000000000..2f9b329e2c4
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/s3.tf
@@ -0,0 +1,278 @@
+# S3 Bucket - Artefacts
+module "s3-bucket" { #tfsec:ignore:aws-s3-enable-versioning
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
+
+ bucket_name = local.artefact_bucket_name
+ # bucket_prefix = "s3-bucket-example"
+ versioning_enabled = false
+ bucket_policy = [data.aws_iam_policy_document.artefacts_s3_policy.json]
+
+ log_bucket = local.logging_bucket_name
+ log_prefix = "s3access/${local.artefact_bucket_name}"
+
+ # Refer to the below section "Replication" before enabling replication
+ replication_enabled = false
+ # Below three variables and providers configuration are only relevant if 'replication_enabled' is set to true
+ replication_region = "eu-west-2"
+ # replication_role_arn = module.s3-bucket-replication-role.role.arn
+ providers = {
+ # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the
+ # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation
+ # Platform team to add a new provider for the additional Region.
+ aws.bucket-replication = aws
+ }
+
+ lifecycle_rule = [
+ {
+ id = "main"
+ enabled = "Enabled"
+ prefix = ""
+
+ tags = {
+ rule = "log"
+ autoclean = "true"
+ }
+
+ transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ expiration = {
+ days = 730
+ }
+
+ noncurrent_version_transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ noncurrent_version_expiration = {
+ days = 730
+ }
+ }
+ ]
+
+ tags = merge(local.tags,
+ { Name = lower(format("s3-bucket-%s-%s", local.application_name, local.environment)) }
+ )
+}
+
+resource "aws_s3_bucket_notification" "artefact_bucket_notification" {
+ bucket = module.s3-bucket.bucket.id
+
+ topic {
+ topic_arn = aws_sns_topic.s3_topic.arn
+ events = ["s3:ObjectCreated:*"]
+ filter_suffix = ".log"
+ }
+}
+
+data "aws_iam_policy_document" "artefacts_s3_policy" {
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/developer",
+ "arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:root"
+ ]
+ }
+ actions = ["s3:GetObject"]
+ resources = ["arn:aws:s3:::${local.artefact_bucket_name}/*"]
+ }
+}
+
+# S3 Bucket - Logging
+module "s3-bucket-logging" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
+
+ bucket_name = local.logging_bucket_name
+ versioning_enabled = false
+ bucket_policy = [data.aws_iam_policy_document.logging_s3_policy.json]
+
+ log_bucket = local.logging_bucket_name
+ log_prefix = "s3access/${local.logging_bucket_name}"
+
+ # Refer to the below section "Replication" before enabling replication
+ replication_enabled = false
+ # Below three variables and providers configuration are only relevant if 'replication_enabled' is set to true
+ replication_region = "eu-west-2"
+ # replication_role_arn = module.s3-bucket-replication-role.role.arn
+ providers = {
+ # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the
+ # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation
+ # Platform team to add a new provider for the additional Region.
+ aws.bucket-replication = aws
+ }
+
+ lifecycle_rule = [
+ {
+ id = "main"
+ enabled = "Enabled"
+ prefix = ""
+
+ tags = {
+ rule = "log"
+ autoclean = "true"
+ }
+
+ transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ expiration = {
+ days = 730
+ }
+
+ noncurrent_version_transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ noncurrent_version_expiration = {
+ days = 730
+ }
+ }
+ ]
+
+ tags = merge(local.tags,
+ { Name = lower(format("s3-%s-%s-logging", local.application_name, local.environment)) }
+ )
+}
+
+resource "aws_s3_bucket_notification" "logging_bucket_notification" {
+ bucket = module.s3-bucket-logging.bucket.id
+
+ topic {
+ topic_arn = aws_sns_topic.s3_topic.arn
+ events = ["s3:ObjectCreated:*"]
+ filter_suffix = ".log"
+ }
+}
+
+data "aws_iam_policy_document" "logging_s3_policy" {
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::652711504416:root"]
+ }
+ actions = ["s3:PutObject"]
+ resources = ["${module.s3-bucket-logging.bucket.arn}/*"]
+ }
+}
+
+# S3 Bucket - R-sync
+module "s3-bucket-dbbackup" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
+
+ bucket_name = local.rsync_bucket_name
+ versioning_enabled = false
+ bucket_policy = [data.aws_iam_policy_document.dbbackup_s3_policy.json]
+
+ log_bucket = local.logging_bucket_name
+ log_prefix = "s3access/${local.rsync_bucket_name}"
+
+ # Refer to the below section "Replication" before enabling replication
+ replication_enabled = false
+ # Below three variables and providers configuration are only relevant if 'replication_enabled' is set to true
+ replication_region = "eu-west-2"
+ # replication_role_arn = module.s3-bucket-replication-role.role.arn
+ providers = {
+ # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the
+ # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation
+ # Platform team to add a new provider for the additional Region.
+ aws.bucket-replication = aws
+ }
+
+ lifecycle_rule = [
+ {
+ id = "main"
+ enabled = "Enabled"
+ prefix = ""
+
+ tags = {
+ rule = "log"
+ autoclean = "true"
+ }
+
+ transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ expiration = {
+ days = 730
+ }
+
+ noncurrent_version_transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ noncurrent_version_expiration = {
+ days = 730
+ }
+ }
+ ]
+
+ tags = merge(local.tags,
+ { Name = lower(format("s3-%s-%s-dbbackup", local.application_name, local.environment)) }
+ )
+}
+
+resource "aws_s3_bucket_notification" "dbbackup_bucket_notification" {
+ bucket = module.s3-bucket-dbbackup.bucket.id
+
+ topic {
+ topic_arn = aws_sns_topic.s3_topic.arn
+ events = ["s3:ObjectCreated:*"]
+ filter_suffix = ".log"
+ }
+}
+
+data "aws_iam_policy_document" "dbbackup_s3_policy" {
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:root",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/developer"
+ ]
+ }
+ actions = [
+ "s3:PutObject"
+ ]
+ resources = ["${module.s3-bucket-dbbackup.bucket.arn}/*"]
+ }
+}
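Review bot: `data.aws_iam_policy_document.logging_s3_policy` grants `s3:PutObject` on the logging bucket to the literal principal `arn:aws:iam::652711504416:root` with nothing saying what that account is, while the other two policies derive their principals from `local.environment_management.account_ids` and `data.aws_caller_identity.current`; it looks like a regional log-delivery service account, so either source it from a local with a name that says so or annotate it inline, e.g. `# <regional log-delivery account> — confirm against the AWS documentation before changing`. The artefacts and dbbackup policies hand a foreign account's `:root` principal `s3:GetObject` / `s3:PutObject` over the whole bucket; naming the specific role in that account, or adding an `aws:PrincipalOrgID` condition, narrows who can pull build artefacts and write database backups. `module.s3-bucket-logging` sets `log_bucket = local.logging_bucket_name`, i.e. the logging bucket delivers its own access logs to itself, which produces a self-feeding stream of log objects; point it at a separate bucket or leave access logging off for that one. All three modules set `versioning_enabled = false` yet define `noncurrent_version_transition` and `noncurrent_version_expiration`, which are no-ops without versioning, and only the artefacts bucket records a `#tfsec:ignore:aws-s3-enable-versioning` justification — the dbbackup bucket, which holds database backups, is the one where versioning (or a recorded reason for omitting it) matters most.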
diff --git a/terraform/environments/ccms-ebs-upgrade/ses.tf b/terraform/environments/ccms-ebs-upgrade/ses.tf
new file mode 100644
index 00000000000..7b5e5b2c9aa
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ses.tf
@@ -0,0 +1,69 @@ +resource "aws_ses_domain_identity" "domain_identity" { + domain = local.application_data.accounts[local.environment].ses_domain_identity +} + +resource "aws_ses_domain_dkim" "domain_identity" { + domain = aws_ses_domain_identity.domain_identity.domain +} + +data "aws_iam_policy_document" "ses_identity_policy" { + statement { + sid = "2023052401" + principals { + identifiers = ["*"] + type = "AWS" + } + actions = ["SES:SendEmail", "SES:SendRawEmail"] + resources = [aws_ses_domain_identity.domain_identity.arn] + condition { + test = "StringLike" + variable = "ses:Recipients" + values = [ + "ashok.turamari@digital.justice.gov.uk", + "maciej.matysiak@digital.justice.gov.uk" + ] + } + } +} + +resource "aws_ses_identity_policy" "identity_policy" { + identity = aws_ses_domain_identity.domain_identity.arn + name = "default-policy" + policy = data.aws_iam_policy_document.ses_identity_policy.json +} + +resource "aws_ses_configuration_set" "default_configuration_set" { + name = "default-configuration-set" + + delivery_options { + tls_policy = "Optional" + } + reputation_metrics_enabled = true + sending_enabled = true +} + +# TO DO: Kinesis configuration (including S3 bucket, IAM role and policy, ...). 
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream +# +# resource "aws_ses_event_destination" "kinesis" { +# name = "ses-reputation-events-firehose" +# configuration_set_name = aws_ses_configuration_set.default_configuration_set.name +# enabled = true +# matching_types = [ "bounce", "click", "complaint", "delivery", "open", "reject", "renderingFailure", "send" ] +# +# kinesis_destination { +# stream_arn = aws_kinesis_firehose_delivery_stream.example.arn +# role_arn = aws_iam_role.example.arn +# } +# } + +# Moved to ccms-ses-outputs.tf +# output "ses_verification_token" { +# description = "SES verification token" +# value = aws_ses_domain_identity.domain_identity.verification_token +# } +# +# output "ses_domain_dkim" { +# description = "SES domain DKIM" +# value = aws_ses_domain_dkim.domain_identity.dkim_tokens +# } diff --git a/terraform/environments/ccms-ebs-upgrade/sns.tf b/terraform/environments/ccms-ebs-upgrade/sns.tf new file mode 100644 index 00000000000..3f084614f66 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/sns.tf 
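Review bot: The `ses_identity_policy` statement grants `SES:SendEmail`/`SES:SendRawEmail` on the domain identity to `identifiers = ["*"]`, so any AWS principal may send as this domain, constrained only by the `ses:Recipients` StringLike condition; scoping the principal to the owning account, e.g. `identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]` (that data source is already used in this patch), keeps the condition as a second limit rather than the only one. The two individual mailboxes hard-coded in `values` will need a code change every time a tester changes; a local or `local.application_data` entry would be easier to maintain. `tls_policy = "Optional"` in `default_configuration_set` lets SES fall back to cleartext delivery; `"Require"` is the safer default unless a known receiving MTA cannot negotiate TLS.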
@@ -0,0 +1,65 @@ +#### Secret for support email address ### +resource "aws_secretsmanager_secret" "support_email_account" { + name = "support_email_account" + description = "email address of the support account for cw alerts" +} + +# Use a default dummy address just for creation. Will require to be populated manually. +resource "aws_secretsmanager_secret_version" "support_email_account" { + secret_id = aws_secretsmanager_secret.support_email_account.id + secret_string = "default@email.com" + lifecycle { + ignore_changes = [secret_string, ] + } +} + +#### CW #### +resource "aws_sns_topic" "cw_alerts" { + name = "ccms-ebs-ec2-alerts" + #kms_master_key_id = "alias/aws/sns" +} + +# resource "aws_sns_topic_policy" "sns_policy" { +# arn = aws_sns_topic.cw_alerts.arn +# policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw.json +# } + +resource "aws_sns_topic_subscription" "cw_subscription" { + topic_arn = aws_sns_topic.cw_alerts.arn + protocol = "email" + endpoint = aws_secretsmanager_secret_version.support_email_account.secret_string +} + +#### S3 #### +resource "aws_sns_topic" "s3_topic" { + name = "s3-event-notification-topic" + policy = data.aws_iam_policy_document.s3_topic_policy.json +} + +# resource "aws_sns_topic_policy" "s3_policy" { +# arn = aws_sns_topic.s3_topic.arn +# policy = data.aws_iam_policy_document.sns_topic_policy_s3.json +# } + +resource "aws_sns_topic_subscription" "s3_subscription" { + topic_arn = aws_sns_topic.s3_topic.arn + protocol = "email" + endpoint = aws_secretsmanager_secret_version.support_email_account.secret_string +} + +#### DDoS #### +resource "aws_sns_topic" "ddos_alarm" { + name = format("%s_ddos_alarm", local.application_name) + #kms_master_key_id = "alias/aws/sns" +} + +# resource "aws_sns_topic_policy" "ddos_policy" { +# arn = aws_sns_topic.ddos_alarm.arn +# policy = data.aws_iam_policy_document.sns_topic_policy_ddos.json +# } + +resource "aws_sns_topic_subscription" "ddos_subscription" { + topic_arn = 
aws_sns_topic.ddos_alarm.arn + protocol = "email" + endpoint = aws_secretsmanager_secret_version.support_email_account.secret_string +} diff --git a/terraform/environments/ccms-ebs-upgrade/templates/create_table.sql b/terraform/environments/ccms-ebs-upgrade/templates/create_table.sql new file mode 100644 index 00000000000..e5fff372a37 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/templates/create_table.sql 
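Review bot: The three `aws_sns_topic_subscription` resources take `endpoint` from `aws_secretsmanager_secret_version.support_email_account.secret_string`, which is pinned at `"default@email.com"` by `ignore_changes`; Terraform will subscribe the placeholder address, and the real address populated manually in Secrets Manager (as the comment above the version resource intends) will never reach the subscriptions unless it is read back through a `data "aws_secretsmanager_secret_version"` source. The `kms_master_key_id` lines on `cw_alerts` and `ddos_alarm` are commented out, so alert payloads sit unencrypted at rest; if that is deliberate, a one-line comment saying why would stop the next reviewer re-raising it. `s3_topic` references `data.aws_iam_policy_document.s3_topic_policy`, which is not part of this patch, so I assume it is defined elsewhere in the environment.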
@@ -0,0 +1,54 @@ +CREATE EXTERNAL TABLE IF NOT EXISTS alb_logs ( + type string, + time string, + elb string, + client_ip string, + client_port int, + target_ip string, + target_port int, + request_processing_time double, + target_processing_time double, + response_processing_time double, + elb_status_code int, + target_status_code string, + received_bytes bigint, + sent_bytes bigint, + request_verb string, + request_url string, + request_proto string, + user_agent string, + ssl_cipher string, + ssl_protocol string, + target_group_arn string, + trace_id string, + domain_name string, + chosen_cert_arn string, + matched_rule_priority string, + request_creation_time string, + actions_executed string, + redirect_url string, + lambda_error_reason string, + target_port_list string, + target_status_code_list string, + classification string, + classification_reason string + ) + PARTITIONED BY + ( + day STRING + ) + ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe' + WITH SERDEPROPERTIES ( + 'serialization.format' = '1', + 'input.regex' = '([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*):([0-9]*) ([^ ]*)[:-]([0-9]*) ([-.0-9]*) ([-.0-9]*) ([-.0-9]*) (|[-0-9]*) (-|[-0-9]*) ([-0-9]*) ([-0-9]*) \"([^ ]*) (.*) (- |[^ ]*)\" \"([^\"]*)\" ([A-Z0-9-_]+) ([A-Za-z0-9.-]*) ([^ ]*) \"([^\"]*)\" \"([^\"]*)\" \"([^\"]*)\" ([-.0-9]*) ([^ ]*) \"([^\"]*)\" \"([^\"]*)\" \"([^ ]*)\" \"([^\s]+?)\" \"([^\s]+)\" \"([^ ]*)\" \"([^ ]*)\"') + LOCATION 's3://${bucket}/${key}/AWSLogs/${account_id}/elasticloadbalancing/${region}/' + TBLPROPERTIES + ( + "projection.enabled" = "true", + "projection.day.type" = "date", + "projection.day.range" = "2023/02/14,NOW", + "projection.day.format" = "yyyy/MM/dd", + "projection.day.interval" = "1", + "projection.day.interval.unit" = "DAYS", + "storage.location.template" = "s3://${bucket}/${key}/AWSLogs/${account_id}/elasticloadbalancing/${region}/$${day}" + ) \ No newline at end of file 
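Review bot: `"projection.day.range" = "2023/02/14,NOW"` is the one value in this template that is not parameterised, while bucket, key, account and region are all `${...}` placeholders; a query run in a freshly created environment will silently project partitions back to a date that has nothing to do with that environment. Consider a template variable for the start date (e.g. `${log_start_date}` — placeholder name, to be matched in the `templatefile` call) or a comment explaining why this date is fixed. The `$${day}` escape in `storage.location.template` is correct for `templatefile` and worth a one-line comment so it is not "fixed" to `${day}`.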
diff --git a/terraform/environments/ccms-ebs-upgrade/templates/cw_agent_config.json b/terraform/environments/ccms-ebs-upgrade/templates/cw_agent_config.json new file mode 100644 index 00000000000..f2ae240082f --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/templates/cw_agent_config.json @@ -0,0 +1,65 @@ +{ + "agent": { + "metrics_collection_interval": 60, + "logfile": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log", + "run_as_user": "root" + }, + "metrics": { + "append_dimensions": { + "ImageId": "${aws:ImageId}", + "InstanceId": "${aws:InstanceId}", + "InstanceType": "${aws:InstanceType}" + }, + "metrics_collected": { + "cpu": { + "resources": ["*"], + "measurement": [ + "cpu_usage_idle", + "cpu_usage_iowait", + "cpu_usage_user", + "cpu_usage_system" + ], + "metrics_collection_interval": 60, + "totalcpu": false + }, + "disk": { + "measurement": ["used_percent", "inodes_free", "disk_free"], + "metrics_collection_interval": 60, + "resources": ["*"] + }, + "diskio": { + "measurement": ["io_time"], + "metrics_collection_interval": 60, + "resources": ["*"] + }, + "mem": { + "measurement": ["mem_used_percent", "mem_available_percent"], + "metrics_collection_interval": 60, + "resources": ["*"] + }, + "swap": { + "measurement": ["swap_used_percent"], + "metrics_collection_interval": 60, + "resources": ["*"] + } + } + }, + "logs": { + "logs_collected": { + "files": { + "collect_list": [ + { + "file_path": "/var/log/messages", + "log_group_name": "cwagent-var-log-messages", + "log_stream_name": "{instance_id}" + }, + { + "file_path": "/var/log/secure", + "log_group_name": "cwagent-var-log-secure", + "log_stream_name": "{instance_id}" + } + ] + } + } + } +} diff --git a/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_accessgate.sh b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_accessgate.sh new file mode 100644 index 00000000000..cfb13d20801 --- /dev/null 
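Review bot: Neither entry in `collect_list` sets `retention_in_days`, so if the agent creates `cwagent-var-log-messages` and `cwagent-var-log-secure` itself the log groups default to never-expire retention; adding `"retention_in_days": <days placeholder>` to each entry, or pre-creating the groups in Terraform with an explicit retention, keeps `/var/log/secure` data bounded. This assumes the groups are not already declared elsewhere in the environment — worth confirming. The agent is configured with `"run_as_user": "root"`; that is presumably needed to read `/var/log/secure`, and a short comment saying so would save the question later.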
+++ b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_accessgate.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+exec > /tmp/userdata.log 2>&1
+yum update -y
+yum install -y wget unzip
+yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
+
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+
+wget https://s3.amazonaws.com/amazoncloudwatch-agent/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm
+rpm -U ./amazon-cloudwatch-agent.rpm
+/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:cloud-watch-config
+
+systemctl stop amazon-ssm-agent
+rm -rf /var/lib/amazon/ssm/ipc/
+systemctl start amazon-ssm-agent
+
+mount -a
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_clamav.sh b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_clamav.sh
new file mode 100644
index 00000000000..32b4d1c350e
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_clamav.sh
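Review bot: The script has no `set -euo pipefail` after `exec > /tmp/userdata.log 2>&1`, so a failed `curl`, `unzip` or `rpm -U` is logged and the script carries on to `mount -a` with the agents half-installed, and the instance still reports as healthy. The AWS CLI zip is installed straight from the download with no check of the published signature or a known checksum, so a bad or tampered download is installed silently; the same two points apply to the clamav, ebs, ebs_apps, ftp and webgate user-data scripts later in this patch. Writing the log to `/tmp/userdata.log` also leaves the full install output in a world-readable location; `/var/log/userdata.log` with `chmod 600` is the usual choice. A minimal change is `set -euo pipefail` as the line after the `exec` redirection.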
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+exec > /tmp/userdata.log 2>&1
+
+yum install -y wget unzip vsftpd jq s3fs-fuse
+
+yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+
+wget https://s3.amazonaws.com/amazoncloudwatch-agent/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm
+rpm -U ./amazon-cloudwatch-agent.rpm
+amazon-linux-extras install -y epel
+
+/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:cloud-watch-config
+
+systemctl stop amazon-ssm-agent
+rm -rf /var/lib/amazon/ssm/ipc/
+systemctl start amazon-ssm-agent
+
+yum install -y clamav clamav-update clamd
+freshclam
+
+systemctl enable clamd@scan.service
+systemctl start clamd@scan.service
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ebs.sh b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ebs.sh
new file mode 100644
index 00000000000..8f9df408908
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ebs.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+exec > /tmp/userdata.log 2>&1
+yum update -y
+yum install -y wget unzip automake fuse fuse-devel gcc-c++ git libcurl-devel libxml2-devel make openssl-devel
+
+wget https://s3.amazonaws.com/amazoncloudwatch-agent/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm
+rpm -U ./amazon-cloudwatch-agent.rpm
+/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:cloud-watch-config
+
+yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+
+systemctl stop amazon-ssm-agent
+rm -rf /var/lib/amazon/ssm/ipc/
+systemctl start amazon-ssm-agent
+
+git clone https://github.com/s3fs-fuse/s3fs-fuse.git
+cd s3fs-fuse/
+./autogen.sh
+./configure
+make
+make install
+
+cd /
+mkdir /rman
+s3fs -o iam_role="role_stsassume_oracle_base" -o url="https://s3.eu-west-2.amazonaws.com" -o endpoint=eu-west-2 -o dbglevel=info -o curldbg -o allow_other ccms-ebs-${environment}-dbbackup /rman
+echo "ccms-ebs-${environment}-dbbackup /rman fuse.s3fs _netdev,allow_other,url=https://s3.eu-west-2.amazonaws.com,iam_role=role_stsassume_oracle_base 0 0" >> /etc/fstab
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ebs_apps.sh b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ebs_apps.sh
new file mode 100644
index 00000000000..cfb13d20801
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ebs_apps.sh
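Review bot: `git clone https://github.com/s3fs-fuse/s3fs-fuse.git` followed by `make install` builds whatever upstream HEAD happens to be on the day the database host boots, with a full compiler toolchain left installed on it; the clamav and ftp scripts in this same patch install `s3fs-fuse` from the package repository, which would give a pinned, updatable build here too. If the source build is needed for a specific fix, pin it: `git clone --depth 1 --branch <release tag placeholder> https://github.com/s3fs-fuse/s3fs-fuse.git`. The initial mount also passes `-o dbglevel=info -o curldbg`, which are debug options that keep s3fs logging verbose curl traffic on a production backup mount; they are not repeated in the `/etc/fstab` entry, so the two mounts behave differently after the first reboot — either drop them from the command line or document why the first mount needs them.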
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+exec > /tmp/userdata.log 2>&1
+yum update -y
+yum install -y wget unzip
+yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
+
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+
+wget https://s3.amazonaws.com/amazoncloudwatch-agent/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm
+rpm -U ./amazon-cloudwatch-agent.rpm
+/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:cloud-watch-config
+
+systemctl stop amazon-ssm-agent
+rm -rf /var/lib/amazon/ssm/ipc/
+systemctl start amazon-ssm-agent
+
+mount -a
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ftp.sh b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ftp.sh
new file mode 100644
index 00000000000..5da0f393b16
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_ftp.sh
@@ -0,0 +1,78 @@ +#!/bin/bash + +exec > /tmp/userdata.log 2>&1 + +amazon-linux-extras install -y epel +yum install -y wget unzip vsftpd jq s3fs-fuse +yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm + +curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" +unzip awscliv2.zip +./aws/install + +wget https://s3.amazonaws.com/amazoncloudwatch-agent/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm +rpm -U ./amazon-cloudwatch-agent.rpm + +/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:cloud-watch-config + +systemctl stop amazon-ssm-agent +rm -rf /var/lib/amazon/ssm/ipc/ +systemctl start amazon-ssm-agent + +useradd -m s3xfer + +echo "pasv_enable=YES" >> /etc/vsftpd/vsftpd.conf +echo "pasv_min_port=3000" >> /etc/vsftpd/vsftpd.conf +echo "pasv_max_port=3010" >> /etc/vsftpd/vsftpd.conf + +systemctl restart vsftpd.service + +cat > /etc/mount_s3.sh <<- EOM +#!/bin/bash + +B=(laa-ccms-inbound-${lz_ftp_bucket_environment} laa-ccms-outbound-${lz_ftp_bucket_environment} laa-cis-outbound-${lz_ftp_bucket_environment} laa-cis-inbound-${lz_ftp_bucket_environment} bacway-${lz_ftp_bucket_environment}-eu-west-2-${lz_aws_account_id_env}) + +C=\$(aws secretsmanager get-secret-value --secret-id ftp-s3-${environment}-aws-key --region eu-west-2) +K=\$(jq -r '.SecretString' <<< \$${C} |cut -d'"' -f2) +S=\$(jq -r '.SecretString' <<< \$${C} |cut -d'"' -f4) +U=\$(id -u s3xfer) +G=\$(id -g s3xfer) +F=/etc/passwd-s3fs +echo "\$${K}:\$${S}" > "\$${F}" +chmod 600 \$${F} + +for b in "\$${B[@]}"; do + D=/s3xfer/S3/\$${b} + + if [[ -d \$${D} ]]; then + echo "\$${D} exists." + else + mkdir -p \$${D} + fi + + chown -R s3xfer:users \$${D} + chmod 755 \$${D} + + s3fs \$${b} \$${D} -o passwd_file=\$${F} -o _netdev,allow_other,use_cache=/tmp,url=https://s3-eu-west-2.amazonaws.com,endpoint=eu-west-2,umask=022,uid=\$${U},gid=\$${G} + if [[ \$? 
-eq 0 ]]; then + s3fs \$${b} \$${D} -o passwd_file=\$${F} + echo "\$${b} has been mounted in \$${D}" + else + echo "\$${b} has not been mounted! Please investigate." + fi +done + +ln -s /s3xfer/S3/laa-ccms-inbound-${lz_ftp_bucket_environment}/CCMS_PRD_TDX/Inbound /home/s3xfer/CCMS_PRD_TDX_Inbound +ln -s /s3xfer/S3/laa-ccms-outbound-${lz_ftp_bucket_environment}/CCMS_PRD_TDX/Outbound /home/s3xfer/CCMS_PRD_TDX_Outbound + +chown -h s3xfer:s3xfer /home/s3xfer/CCMS_PRD_TDX_Inbound +chown -h s3xfer:s3xfer /home/s3xfer/CCMS_PRD_TDX_Outbound + +rm \$${F} +EOM + +chmod +x /etc/mount_s3.sh + +chmod +x /etc/rc.d/rc.local +echo "/etc/mount_s3.sh" >> /etc/rc.local +systemctl start rc-local.service \ No newline at end of file diff --git a/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_mailrelay.sh b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_mailrelay.sh new file mode 100644 index 00000000000..171c758554e --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_mailrelay.sh 
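Review bot: In the generated `/etc/mount_s3.sh`, the branch after `if [[ \$? -eq 0 ]]; then` runs `s3fs \$${b} \$${D} -o passwd_file=\$${F}` a second time on the bucket that has just been mounted successfully, then prints "has been mounted", while the failure branch only prints a message; the second mount looks like an inverted condition or leftover retry, and a state check is clearer, e.g. `if mountpoint -q "\$${D}"; then echo "\$${b} has been mounted in \$${D}"; else echo "\$${b} has not been mounted! Please investigate."; fi`. Note that `\$?` is evaluated against the `s3fs` line immediately above, so any command inserted between them would break the check. The vsftpd settings appended to `/etc/vsftpd/vsftpd.conf` only open passive ports 3000-3010 and do not set `ssl_enable=YES`, so the `s3xfer` login and the transferred files traverse the network in cleartext unless TLS is configured elsewhere in the image — worth confirming. The access key written to `/etc/passwd-s3fs` is correctly `chmod 600` and removed at the end of the script; a one-line comment explaining that the `\$${...}` escapes are for `templatefile` would help the next editor.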
@@ -0,0 +1,71 @@ +#!/usr/bin/env bash + +EHOSTS=/etc/hosts +ERCONF=/etc/resolv.conf + +cloudwatch_agent_setup() { + amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:cloud-watch-config +} + +etc_hosts() { + H=$(ec2-metadata --local-ipv4 |cut -d' ' -f2) + echo "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 + ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" > $${EHOSTS}.new + echo "$${H} ${hostname} ${hostname}.${mp_fqdn} ${hostname}.${smtp_fqdn}" >> $${EHOSTS}.new + mv $${EHOSTS}.new $${EHOSTS} +} + +etc_resolv_conf() { + sed -i "s/^search .*/search ${mp_fqdn} ${smtp_fqdn}/" $${ERCONF} +} + +hostname_setup() { + hostnamectl set-hostname mailrelay +} + +postfix_setup() { + R=$(ec2-metadata --local-hostname |cut -d'.' -f2) + S=$(aws secretsmanager get-secret-value --secret-id ses-smtp-credentials --region eu-west-2 |jq '.SecretString') + U=$(cut -d'"' -f 3 <<< $${S} |tr -d \\134) + P=$(cut -d'"' -f 5 <<< $${S} |tr -d \\134) + + if [[ $${#U} -eq 20 ]] && [[ $${#P} -eq 44 ]]; then + echo "$${FUNCNAME[0]}: Setting up credentials in /etc/postfix/sasl_passwd" + echo "[email-smtp.$${R}.amazonaws.com]:587 $${U}:$${P}" > /etc/postfix/sasl_passwd + postmap hash:/etc/postfix/sasl_passwd + chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db + echo -e "\n# Configuration for SES:\n" >> /etc/postfix/main.cf + + echo "$${FUNCNAME[0]}: Running postconf with additional options." + postconf -e \ + "inet_interfaces = all" \ + "inet_protocols = ipv4" \ + "myhostname = mailrelay.${smtp_fqdn}" \ + "mynetworks_style = class" \ + "relayhost = [email-smtp.$${R}.amazonaws.com]:587" \ + "smtp_sasl_auth_enable = yes" \ + "smtp_sasl_security_options = noanonymous" \ + "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \ + "smtp_tls_security_level = encrypt" \ + "smtp_tls_note_starttls_offer = yes" \ + "smtp_use_tls = yes" + + echo "$${FUNCNAME[0]}: Enabling the Postfix service." 
+ systemctl enable postfix + echo "$${FUNCNAME[0]}: Starting the Postfix service." + systemctl restart postfix + else + echo "Error: incorrect length of credentials. Please investigate." + fi +} + +yum_install() { + yum install -y amazon-cloudwatch-agent cyrus-sasl-plain jq nc postfix telnet +} + +hostname_setup +etc_hosts +etc_resolv_conf +yum_install +postfix_setup +cloudwatch_agent_setup \ No newline at end of file diff --git a/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_webgate.sh b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_webgate.sh new file mode 100644 index 00000000000..cfb13d20801 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/templates/ec2_user_data_webgate.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +exec > /tmp/userdata.log 2>&1 +yum update -y +yum install -y wget unzip +yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm + +curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" +unzip awscliv2.zip +./aws/install + +wget https://s3.amazonaws.com/amazoncloudwatch-agent/oracle_linux/amd64/latest/amazon-cloudwatch-agent.rpm +rpm -U ./amazon-cloudwatch-agent.rpm +/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:cloud-watch-config + +systemctl stop amazon-ssm-agent +rm -rf /var/lib/amazon/ssm/ipc/ +systemctl start amazon-ssm-agent + +mount -a \ No newline at end of file diff --git a/terraform/environments/ccms-ebs-upgrade/templates/install-and-manage-cwagent.yaml b/terraform/environments/ccms-ebs-upgrade/templates/install-and-manage-cwagent.yaml new file mode 100644 index 00000000000..b842ef7b001 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/templates/install-and-manage-cwagent.yaml 
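Review bot: `postfix_setup` sets `"inet_interfaces = all"` together with `"mynetworks_style = class"`, which makes Postfix relay for every host in the classful network containing the instance's address; in a VPC that is almost certainly wider than the subnets that should be allowed to send through the relay, and `relayhost` then forwards all of it to SES with the stored credentials. An explicit list is safer: `"mynetworks = 127.0.0.0/8 <vpc or subnet CIDR placeholder>"` in place of the `mynetworks_style` line. The `else` branch after the credential length check prints `Error: incorrect length of credentials` but the script still exits 0 and goes on to `cloudwatch_agent_setup`, so a broken secret leaves a half-configured relay that nothing reports as failed; `exit 1` there (or `set -euo pipefail` at the top, which this script lacks) would surface it. The `$${FUNCNAME[0]}` prefixes on the log lines are a nice touch and worth keeping.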
@@ -0,0 +1,27 @@ +--- +schemaVersion: "2.2" +description: A composite document for installing and configuring the CloudWatch Agent. +parameters: + optionalConfigurationLocation: + description: name of ssm parameter that contains the CW Agent config + type: String +mainSteps: + - name: installCWAgent + action: aws:runDocument + inputs: + documentType: SSMDocument + documentPath: AWS-ConfigureAWSPackage + documentParameters: + action: Install + name: AmazonCloudWatchAgent + - name: configureCWAgent + action: aws:runDocument + inputs: + documentType: SSMDocument + documentPath: AmazonCloudWatch-ManageAgent + documentParameters: + action: configure + mode: ec2 + optionalConfigurationSource: ssm + optionalConfigurationLocation: "{{ optionalConfigurationLocation }}" + optionalRestart: "yes" diff --git a/terraform/environments/ccms-ebs-upgrade/templates/lb_http_gets.sql b/terraform/environments/ccms-ebs-upgrade/templates/lb_http_gets.sql new file mode 100644 index 00000000000..4dc29ecf8b0 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/templates/lb_http_gets.sql @@ -0,0 +1,9 @@ +-- The following query counts the number of HTTP GET requests received by the load balancer grouped by the client IP address + +SELECT COUNT(request_verb) AS + count, + request_verb, + client_ip +FROM alb_logs +GROUP BY request_verb, client_ip +LIMIT 100; \ No newline at end of file From 4d46f3ff3a206270e71330e9a8bbf36560ed8c70 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 24 Oct 2023 12:24:29 +0100 Subject: [PATCH 19/46] CC-2147: Update certs --- .../ccms-ebs-upgrade/certificates.tf | 58 +++++++++---------- 1 file changed, 26 insertions(+), 32 deletions(-) diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index 674bc41f6fd..f05c121afce 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf 
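Review bot: The `optionalConfigurationLocation` parameter is declared only with `description` and `type: String`, so any caller of this document can point the agent at any SSM parameter name; an `allowedPattern` that pins it to the expected parameter naming (for example `allowedPattern: "^cloud-watch-config$"` if only the one parameter is ever intended) limits what the document can be made to load. The `description` values read as fragments (`name of ssm parameter that contains the CW Agent config`); sentence-case, full-stop descriptions match the top-level `description` already on the document. `optionalRestart: "yes"` is correctly quoted — `AmazonCloudWatch-ManageAgent` takes it as a string — and a short comment saying so would stop a linter-driven change to a bare boolean.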
@@ -3,17 +3,25 @@ # *.laa-test.modernisation-platform.service.justice.gov.uk # *.laa-preproduction.modernisation-platform.service.justice.gov.uk -resource "aws_acm_certificate" "external" { - count = local.is-production ? 0 : 1 - +resource "aws_acm_certificate" "laa_cert" { + domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment) validation_method = "DNS" - domain_name = "modernisation-platform.service.justice.gov.uk" + subject_alternative_names = [ - "*.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", 
var.networking[0].business-unit, local.environment) ] tags = merge(local.tags, - { Environment = local.environment } + { Name = lower(format("%s-%s-certificate", local.application_name, local.environment)) } ) lifecycle { @@ -21,42 +29,28 @@ resource "aws_acm_certificate" "external" { } } +resource "aws_acm_certificate_validation" "laa_cert" { + certificate_arn = aws_acm_certificate.laa_cert.arn + validation_record_fqdns = [for record in aws_route53_record.laa_cert_validation : record.fqdn] + timeouts { + create = "10m" + } +} - -## Validation -resource "aws_route53_record" "external_validation" { - depends_on = [ -// aws_instance.ec2_oracle_ebs - ] - - provider = aws.core-network-services - +resource "aws_route53_record" "laa_cert_validation" { + provider = aws.core-vpc for_each = { - for dvo in local.cert_opts : dvo.domain_name => { + for dvo in aws_acm_certificate.laa_cert.domain_validation_options : dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } } + allow_overwrite = true name = each.value.name records = [each.value.record] ttl = 60 type = each.value.type - zone_id = local.cert_zone_id -} - -resource "aws_acm_certificate_validation" "external" { - count = local.is-production ? 1 : 1 - - depends_on = [ - aws_route53_record.external_validation - ] - - certificate_arn = local.cert_arn - validation_record_fqdns = [for record in aws_route53_record.external_validation : record.fqdn] - - timeouts { - create = "10m" - } + zone_id = data.aws_route53_zone.external.zone_id } From 8a74b7f1adb51ba7e0a357f9184ca3a51dd22c52 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 24 Oct 2023 12:27:31 +0100 Subject: [PATCH 20/46] CC-2147: Update certs --- terraform/environments/ccms-ebs-upgrade/member-locals.tf | 2 -- 1 file changed, 2 deletions(-) 
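Review bot: `domain_name` in the new `laa_cert` resource hard-codes `"laa"` as the first format argument while every SAN below derives the same label from `var.networking[0].business-unit`, so the two will drift if the business unit ever differs from `laa`; `domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", var.networking[0].business-unit, local.environment)` keeps them in step. The removed `count = local.is-production ? 0 : 1` guard means this certificate is now requested in production as well; if that is intended, a comment on the resource would make it explicit, and the `# *.laa-test...` header comment above the hunk no longer describes what is issued. The `lifecycle {` block continues past the end of this hunk.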
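Review bot: `allow_overwrite = true` on `aws_route53_record.laa_cert_validation` lets this environment silently replace any existing record of the same name in the shared `data.aws_route53_zone.external` zone, which is a wider blast radius than the previous `external_validation` records in `local.cert_zone_id` had. It is a common setting for ACM validation CNAMEs, but it is worth a one-line comment stating that these names are unique to this certificate, or removing the flag so a clash fails the plan instead. The `provider = aws.core-vpc` change also moves the records to a different account's provider than `aws.core-network-services`; I assume the zone lookup is adjusted accordingly, but it is not visible in this patch.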
diff --git a/terraform/environments/ccms-ebs-upgrade/member-locals.tf b/terraform/environments/ccms-ebs-upgrade/member-locals.tf index 3efe8f9b902..41b9cbb8846 100644 --- a/terraform/environments/ccms-ebs-upgrade/member-locals.tf +++ b/terraform/environments/ccms-ebs-upgrade/member-locals.tf @@ -25,7 +25,5 @@ locals { data.aws_subnet.public_subnets_c.id ] - cert_opts = aws_acm_certificate.external[0].domain_validation_options - cert_arn = aws_acm_certificate.external[0].arn cert_zone_id = data.aws_route53_zone.network-services.zone_id } From 71897e21b117f6bb682f4f6b8cd82c278f8585b6 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 24 Oct 2023 14:51:54 +0100 Subject: [PATCH 21/46] CC-2147: Update certs --- terraform/environments/ccms-ebs-upgrade/certificates.tf | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index f05c121afce..1c5c8e97d10 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf 
@@ -8,16 +8,13 @@ resource "aws_acm_certificate" "laa_cert" { validation_method = "DNS" subject_alternative_names = [ - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev*-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app*-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment) + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev*-upgrade", var.networking[0].business-unit, local.environment) ] tags = merge(local.tags, 
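Review bot: The collapsed SANs `"agatedev*-upgrade"`, `"ccms-ebs-app*-upgrade"` and `"wgatedev*-upgrade"` place a wildcard inside a label; ACM only accepts `*` as the whole leftmost label (`*.example.com`), so as far as I know these requests will be rejected at `terraform apply`, which is consistent with the following commit on this page restoring the explicit names. If the goal is to avoid listing each host, a list of hostnames in a local and a `for` expression over it keeps the SANs explicit without the repetition.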
From 33e329b7672fe48365f100d8670e5fb27800c7a2 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 24 Oct 2023 15:00:05 +0100 Subject: [PATCH 22/46] CC-2147: Update certs --- .../ccms-ebs-upgrade/certificates.tf | 9 +- .../ec2-oracle_ebs_db-cloudwatch.tf | 598 +++++++------- .../ccms-ebs-upgrade/ec2-oracle_ebs_db-sg.tf | 728 +++++++++--------- .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 588 +++++++------- .../environments/ccms-ebs-upgrade/r53.tf | 18 +- 5 files changed, 972 insertions(+), 969 deletions(-) diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index 1c5c8e97d10..f05c121afce 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf 
@@ -8,13 +8,16 @@ resource "aws_acm_certificate" "laa_cert" {
 validation_method = "DNS"
 subject_alternative_names = [
- format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev*-upgrade", var.networking[0].business-unit, local.environment),
- format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app*-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment),
 format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment),
 format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment),
 format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment),
 format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment),
- format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev*-upgrade", var.networking[0].business-unit, local.environment)
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment)
 ]
 tags = merge(local.tags,
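Review bot: Changing `subject_alternative_names` forces replacement of `aws_acm_certificate.laa_cert`, and with `validation_method = "DNS"` the replacement is only issued once its validation records exist; unless this resource carries `lifecycle { create_before_destroy = true }` (not visible in the hunk) Terraform destroys the old certificate first, which either fails with a resource-in-use error if a listener still references it or leaves that listener pointing at a deleted certificate until validation completes. Worth confirming the lifecycle block and the matching `aws_acm_certificate_validation` resource are present before this is applied to an environment serving traffic. The enclosing `aws_acm_certificate` block starts and ends outside the hunk.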
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf index a8d2c527393..d39ffd69a29 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf 
@@ -1,299 +1,299 @@ -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redoa" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_redoa" -# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/redoA mount. If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/CCMS/EBS/redoA" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme2n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_dbf" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_dbf" -# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/dbf mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold_dbf -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/CCMS/EBS/dbf" # local.application_data.accounts[local.environment].dbf_path -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme3n1" # local.application_data.accounts[local.environment].dbf_device -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_arch" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_arch" -# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/arch mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/CCMS/EBS/arch" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme4n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_backup" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-backup" -# alarm_description = "This metric monitors the amount of free disk space on /backup mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/backup" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme5n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_temp" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-temp" -# alarm_description = "This metric monitors the amount of free disk space on /temp mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/temp" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme6n1" # "/dev/sdc" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_diag" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_diag" -# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/diag mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/CCMS/EBS/diag" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme7n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redob" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_redob" -# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/redoB mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/CCMS/EBS/redoB" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme8n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_home" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-home" -# alarm_description = "This metric monitors the amount of free disk space on /home mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/home" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme9n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_backup_prod" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-backup_prod" -# alarm_description = "This metric monitors the amount of free disk space on /backup_prod mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/backup_prod" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme10n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_u01" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-u01" -# alarm_description = "This metric monitors the amount of free disk space on /u01 mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/u01" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme11n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_export_home" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-export_home" -# alarm_description = "This metric monitors the amount of free disk space on /export/home mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/export/home" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme12n1" -# } -# } - -# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_techst" { -# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_techst" -# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/techst mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" -# comparison_operator = "GreaterThanOrEqualToThreshold" -# metric_name = "disk_used_percent" -# namespace = "CWAgent" -# statistic = "Average" -# insufficient_data_actions = [] - -# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods -# period = local.application_data.cloudwatch_ec2.disk.period -# threshold = local.application_data.cloudwatch_ec2.disk.threshold -# alarm_actions = [aws_sns_topic.cw_alerts.arn] - -# dimensions = { -# ImageId = aws_instance.ec2_oracle_ebs.ami -# path = "/CCMS/EBS/techst" -# InstanceType = aws_instance.ec2_oracle_ebs.instance_type -# InstanceId = aws_instance.ec2_oracle_ebs.id -# fstype = "ext4" -# device = "nvme13n1" -# } -# } \ No newline at end of file +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redoa" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_redoa" + alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/redoA mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/CCMS/EBS/redoA" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme2n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_dbf" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_dbf" + alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/dbf mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold_dbf + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/CCMS/EBS/dbf" # local.application_data.accounts[local.environment].dbf_path + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme3n1" # local.application_data.accounts[local.environment].dbf_device + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_arch" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_arch" + alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/arch mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/CCMS/EBS/arch" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme4n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_backup" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-backup" + alarm_description = "This metric monitors the amount of free disk space on /backup mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/backup" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme5n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_temp" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-temp" + alarm_description = "This metric monitors the amount of free disk space on /temp mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/temp" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme6n1" # "/dev/sdc" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_diag" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_diag" + alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/diag mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/CCMS/EBS/diag" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme7n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redob" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_redob" + alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/redoB mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/CCMS/EBS/redoB" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme8n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_home" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-home" + alarm_description = "This metric monitors the amount of free disk space on /home mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/home" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme9n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_backup_prod" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-backup_prod" + alarm_description = "This metric monitors the amount of free disk space on /backup_prod mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/backup_prod" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme10n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_u01" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-u01" + alarm_description = "This metric monitors the amount of free disk space on /u01 mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/u01" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme11n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_export_home" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-export_home" + alarm_description = "This metric monitors the amount of free disk space on /export/home mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/export/home" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme12n1" + } +} + +resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_techst" { + alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_techst" + alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/techst mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" + comparison_operator = "GreaterThanOrEqualToThreshold" + metric_name = "disk_used_percent" + namespace = "CWAgent" + statistic = "Average" + insufficient_data_actions = [] + + evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods + period = local.application_data.cloudwatch_ec2.disk.period + threshold = local.application_data.cloudwatch_ec2.disk.threshold + alarm_actions = [aws_sns_topic.cw_alerts.arn] + + dimensions = { + ImageId = aws_instance.ec2_oracle_ebs.ami + path = "/CCMS/EBS/techst" + InstanceType = aws_instance.ec2_oracle_ebs.instance_type + InstanceId = aws_instance.ec2_oracle_ebs.id + fstype = "ext4" + device = "nvme13n1" + } +} \ No newline at end of file diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-sg.tf index ac9fd4277cf..ec1f7d9700f 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-sg.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-sg.tf 
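Review bot: Every alarm in this hunk leaves `treat_missing_data` at its default and sets `insufficient_data_actions = []`, so if the hard-coded dimension set (`fstype = "ext4"`, `device = "nvme2n1"` … `nvme13n1`, plus `ImageId`) does not exactly match what the CloudWatch agent publishes — and NVMe device names on EC2 are not guaranteed to stay stable across reboots or instance-type changes — the alarm sits silently in INSUFFICIENT_DATA and never notifies `aws_sns_topic.cw_alerts`. Adding `treat_missing_data = "breaching"` to each alarm, or routing insufficient-data to the same topic, turns a dead alarm into a visible one. The descriptions are also inverted relative to the metric: they describe free space falling below 20% for 2 minutes, while the alarm is `disk_used_percent` with `GreaterThanOrEqualToThreshold` and the threshold and periods come from `local.application_data.cloudwatch_ec2.disk.*`, so wording such as `"Alarms when disk_used_percent on /CCMS/EBS/redoA is at or above the configured threshold for the configured evaluation periods"` would stop the text drifting from the real values.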
@@ -1,365 +1,365 @@ -# # Security Group for EBSDB - -# resource "aws_security_group" "ec2_sg_ebsdb" { -# name = "ec2_sg_ebsdb" -# description = "SG traffic control for EBSDB" -# vpc_id = data.aws_vpc.shared.id -# tags = merge(local.tags, -# { Name = lower(format("sg-%s-%s-ebsdb", local.application_name, local.environment)) } -# ) -# } - -# # INGRESS Rules - -# ### HTTP - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_80" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "HTTP" -# protocol = "TCP" -# from_port = 80 -# to_port = 80 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### HTTPS - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_443" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "HTTPS" -# protocol = "TCP" -# from_port = 443 -# to_port = 443 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### SSH - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_22" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "SSH" -# protocol = "TCP" -# from_port = 22 -# to_port = 22 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### Oracle LDAP - -# 
resource "aws_security_group_rule" "ingress_traffic_ebsdb_1389" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle LDAP" -# protocol = "TCP" -# from_port = 1389 -# to_port = 1389 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### Oracle Listerner Port - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_152x" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle Net Listener" -# protocol = "TCP" -# from_port = 1521 -# to_port = 1522 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b, -# local.application_data.accounts[local.environment].cloud_platform_subnet] -# } - -# ### Oracle - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_5101" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 5101 -# to_port = 5101 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### Oracle - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_5401" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 5401 -# to_port = 5401 -# cidr_blocks = 
[data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### Oracle - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_5575" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 5575 -# to_port = 5575 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### Oracle LDAP SSL - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_1636" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle LDAP SSL" -# protocol = "TCP" -# from_port = 1636 -# to_port = 1636 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### Oracle - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_10401" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 10401 -# to_port = 10401 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### Oracle HTTP - -# resource "aws_security_group_rule" 
"ingress_traffic_ebsdb_800x" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle HTTP" -# protocol = "TCP" -# from_port = 8000 -# to_port = 8005 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - -# ### Oracle HTTPS - -# resource "aws_security_group_rule" "ingress_traffic_ebsdb_4443" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "ingress" -# description = "Oracle HTTPS" -# protocol = "TCP" -# from_port = 4443 -# to_port = 4444 -# cidr_blocks = [data.aws_vpc.shared.cidr_block, -# local.application_data.accounts[local.environment].lz_aws_subnet_env, -# local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, -# local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] -# } - - -# # EGRESS Rules - -# ### HTTP - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_80" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle HTTPs" -# protocol = "TCP" -# from_port = 80 -# to_port = 80 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### HTTPS - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_443" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "HTTPS" -# protocol = "TCP" -# from_port = 443 -# to_port = 443 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### FTP - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_2x" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "FTP" -# protocol = "TCP" -# from_port = 20 -# to_port = 21 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### SSH - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_22" { -# 
security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "SSH" -# protocol = "TCP" -# from_port = 22 -# to_port = 22 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### ORACLE LDAP - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_1389" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "ORACLE LDAP" -# protocol = "TCP" -# from_port = 1389 -# to_port = 1389 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### ORACLE Net Listener - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_152x" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "ORACLE Net Listener" -# protocol = "TCP" -# from_port = 1521 -# to_port = 1522 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### Oracle - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_5101" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 5101 -# to_port = 5101 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### Oracle - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_5401" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 5401 -# to_port = 5401 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### Oracle - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_5575" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 5575 -# to_port = 5575 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### Oracle LDAP SSL - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_1636" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle LDAP SSL" -# protocol = "TCP" -# from_port = 1636 -# to_port = 1636 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### Oracle - -# resource "aws_security_group_rule" 
"egress_traffic_ebsdb_10401" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 10401 -# to_port = 10401 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### Lloyds FTP - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_50000" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle" -# protocol = "TCP" -# from_port = 50000 -# to_port = 51000 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### Oracle HTTP - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_800x" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle HTTP" -# protocol = "TCP" -# from_port = 8000 -# to_port = 8005 -# cidr_blocks = ["0.0.0.0/0"] -# } - -# ### Oracle HTTPS - -# resource "aws_security_group_rule" "egress_traffic_ebsdb_4443" { -# security_group_id = aws_security_group.ec2_sg_ebsdb.id -# type = "egress" -# description = "Oracle HTTPS" -# protocol = "TCP" -# from_port = 4443 -# to_port = 4444 -# cidr_blocks = ["0.0.0.0/0"] -# } +# Security Group for EBSDB + +resource "aws_security_group" "ec2_sg_ebsdb" { + name = "ec2_sg_ebsdb" + description = "SG traffic control for EBSDB" + vpc_id = data.aws_vpc.shared.id + tags = merge(local.tags, + { Name = lower(format("sg-%s-%s-ebsdb", local.application_name, local.environment)) } + ) +} + +# INGRESS Rules + +### HTTP + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_80" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "HTTP" + protocol = "TCP" + from_port = 80 + to_port = 80 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### HTTPS + +resource 
"aws_security_group_rule" "ingress_traffic_ebsdb_443" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "HTTPS" + protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### SSH + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_22" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "SSH" + protocol = "TCP" + from_port = 22 + to_port = 22 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### Oracle LDAP + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_1389" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "Oracle LDAP" + protocol = "TCP" + from_port = 1389 + to_port = 1389 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### Oracle Listerner Port + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_152x" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "Oracle Net Listener" + protocol = "TCP" + from_port = 1521 + to_port = 1522 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + 
local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b, + local.application_data.accounts[local.environment].cloud_platform_subnet] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_5101" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5101 + to_port = 5101 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_5401" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5401 + to_port = 5401 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_5575" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5575 + to_port = 5575 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### Oracle LDAP SSL + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_1636" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + 
description = "Oracle LDAP SSL" + protocol = "TCP" + from_port = 1636 + to_port = 1636 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_10401" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 10401 + to_port = 10401 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### Oracle HTTP + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_800x" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "Oracle HTTP" + protocol = "TCP" + from_port = 8000 + to_port = 8005 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + +### Oracle HTTPS + +resource "aws_security_group_rule" "ingress_traffic_ebsdb_4443" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "ingress" + description = "Oracle HTTPS" + protocol = "TCP" + from_port = 4443 + to_port = 4444 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, + local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b] +} + + +# 
EGRESS Rules + +### HTTP + +resource "aws_security_group_rule" "egress_traffic_ebsdb_80" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle HTTPs" + protocol = "TCP" + from_port = 80 + to_port = 80 + cidr_blocks = ["0.0.0.0/0"] +} + +### HTTPS + +resource "aws_security_group_rule" "egress_traffic_ebsdb_443" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "HTTPS" + protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_blocks = ["0.0.0.0/0"] +} + +### FTP + +resource "aws_security_group_rule" "egress_traffic_ebsdb_2x" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "FTP" + protocol = "TCP" + from_port = 20 + to_port = 21 + cidr_blocks = ["0.0.0.0/0"] +} + +### SSH + +resource "aws_security_group_rule" "egress_traffic_ebsdb_22" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "SSH" + protocol = "TCP" + from_port = 22 + to_port = 22 + cidr_blocks = ["0.0.0.0/0"] +} + +### ORACLE LDAP + +resource "aws_security_group_rule" "egress_traffic_ebsdb_1389" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "ORACLE LDAP" + protocol = "TCP" + from_port = 1389 + to_port = 1389 + cidr_blocks = ["0.0.0.0/0"] +} + +### ORACLE Net Listener + +resource "aws_security_group_rule" "egress_traffic_ebsdb_152x" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "ORACLE Net Listener" + protocol = "TCP" + from_port = 1521 + to_port = 1522 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_ebsdb_5101" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5101 + to_port = 5101 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_ebsdb_5401" { + 
security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5401 + to_port = 5401 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_ebsdb_5575" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5575 + to_port = 5575 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle LDAP SSL + +resource "aws_security_group_rule" "egress_traffic_ebsdb_1636" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle LDAP SSL" + protocol = "TCP" + from_port = 1636 + to_port = 1636 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_ebsdb_10401" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 10401 + to_port = 10401 + cidr_blocks = ["0.0.0.0/0"] +} + +### Lloyds FTP + +resource "aws_security_group_rule" "egress_traffic_ebsdb_50000" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 50000 + to_port = 51000 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle HTTP + +resource "aws_security_group_rule" "egress_traffic_ebsdb_800x" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle HTTP" + protocol = "TCP" + from_port = 8000 + to_port = 8005 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle HTTPS + +resource "aws_security_group_rule" "egress_traffic_ebsdb_4443" { + security_group_id = aws_security_group.ec2_sg_ebsdb.id + type = "egress" + description = "Oracle HTTPS" + protocol = "TCP" + from_port = 4443 + to_port = 4444 + cidr_blocks = ["0.0.0.0/0"] +} 
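Review bot: Every egress rule re-enabled in this hunk (`egress_traffic_ebsdb_22`, `egress_traffic_ebsdb_2x`, `egress_traffic_ebsdb_1389`, `egress_traffic_ebsdb_152x`, `egress_traffic_ebsdb_50000` and the others) uses `cidr_blocks = ["0.0.0.0/0"]`, so the database host may initiate SSH, FTP, LDAP and Oracle Net connections to any address, while the ingress rules in the same file are scoped to the VPC, landing-zone and cloud-platform ranges from `local.application_data`. The egress rules should be narrowed the same way, to the peer ranges (or a managed prefix list) each service actually needs; the required destinations are not visible in the hunk, so which ranges apply has to be confirmed with the service owners, but 80/443 is the only plausible candidate for a wide destination. Two descriptions are also mislabelled and will mislead anyone auditing the group: `egress_traffic_ebsdb_80` has `description = "Oracle HTTPs"` and `egress_traffic_ebsdb_50000`, under the `### Lloyds FTP` heading, has `description = "Oracle"`; change them to `description = "HTTP"` and `description = "Lloyds FTP"`. The heading `### Oracle Listerner Port` should read `### Oracle Listener Port`.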
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf index c30bfd087a3..9c71d46a005 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf 
@@ -1,325 +1,325 @@ -# resource "aws_instance" "ec2_oracle_ebs" { -# instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb -# #ami = data.aws_ami.oracle_db.id -# ami = local.application_data.accounts[local.environment].ebsdb_ami_id -# key_name = local.application_data.accounts[local.environment].key_name -# vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id] -# subnet_id = data.aws_subnet.data_subnets_a.id -# monitoring = true -# ebs_optimized = false -# associate_public_ip_address = false -# iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name +resource "aws_instance" "ec2_oracle_ebs" { + instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb + #ami = data.aws_ami.oracle_db.id + ami = local.application_data.accounts[local.environment].ebsdb_ami_id + key_name = local.application_data.accounts[local.environment].key_name + vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id] + subnet_id = data.aws_subnet.data_subnets_a.id + monitoring = true + ebs_optimized = false + associate_public_ip_address = false + iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name -# cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb -# cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb + cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb + cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb -# # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. 
-# #lifecycle { -# # ignore_changes = [ebs_block_device] -# #} -# lifecycle { -# ignore_changes = [ -# cpu_core_count, -# ebs_block_device, -# ebs_optimized, -# user_data, -# user_data_replace_on_change -# ] -# } -# user_data_replace_on_change = false -# user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", { -# environment = "${local.environment}" -# hostname = "ebs" -# })) + # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. + #lifecycle { + # ignore_changes = [ebs_block_device] + #} + lifecycle { + ignore_changes = [ + cpu_core_count, + ebs_block_device, + ebs_optimized, + user_data, + user_data_replace_on_change + ] + } + user_data_replace_on_change = false + user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", { + environment = "${local.environment}" + hostname = "ebs" + })) -# metadata_options { -# http_endpoint = "enabled" -# http_tokens = "required" -# } -# /* -# # Increase the volume size of the root volume -# root_block_device { -# volume_type = "gp3" -# volume_size = 50 -# encrypted = true -# tags = merge(local.tags, -# { Name = "root-block" } -# ) -# } -# ebs_block_device { -# device_name = "/dev/sdc" -# volume_type = "gp3" -# volume_size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp -# encrypted = true -# tags = merge(local.tags, -# { Name = "temp" } -# ) -# } -# */ + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + /* + # Increase the volume size of the root volume + root_block_device { + volume_type = "gp3" + volume_size = 50 + encrypted = true + tags = merge(local.tags, + { Name = "root-block" } + ) + } + ebs_block_device { + device_name = "/dev/sdc" + volume_type = "gp3" + volume_size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp + encrypted = true + tags = merge(local.tags, + { Name = "temp" } + ) + } + */ -# tags = merge(local.tags, -# { Name = 
lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) }, -# { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, -# { backup = "true" }, -# { OracleDbLTS-ManagedInstance = "true" } -# ) -# depends_on = [aws_security_group.ec2_sg_ebsdb] -# } + tags = merge(local.tags, + { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) }, + { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, + { backup = "true" }, + { OracleDbLTS-ManagedInstance = "true" } + ) + depends_on = [aws_security_group.ec2_sg_ebsdb] +} -# resource "aws_ebs_volume" "export_home" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_exhome -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "export/home" } -# ) -# } +resource "aws_ebs_volume" "export_home" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_exhome + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "export/home" } + ) +} -# resource "aws_volume_attachment" "export_home_att" { -# device_name = "/dev/sdh" -# volume_id = aws_ebs_volume.export_home.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "export_home_att" { + device_name = "/dev/sdh" + volume_id = aws_ebs_volume.export_home.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "u01" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_u01 -# type = "io2" -# iops = 3000 -# 
encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "u01" } -# ) -# } +resource "aws_ebs_volume" "u01" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_u01 + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "u01" } + ) +} -# resource "aws_volume_attachment" "u01_att" { -# device_name = "/dev/sdi" -# volume_id = aws_ebs_volume.u01.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "u01_att" { + device_name = "/dev/sdi" + volume_id = aws_ebs_volume.u01.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "arch" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_arch -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "arch" } -# ) -# } +resource "aws_ebs_volume" "arch" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_arch + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "arch" } + ) +} -# resource "aws_volume_attachment" "arch_att" { -# device_name = "/dev/sdj" -# volume_id = aws_ebs_volume.arch.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "arch_att" { + device_name = "/dev/sdj" + volume_id = aws_ebs_volume.arch.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "dbf" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = 
local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf -# type = "io2" -# iops = local.application_data.accounts[local.environment].ebs_default_iops -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "dbf" } -# ) -# } +resource "aws_ebs_volume" "dbf" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf + type = "io2" + iops = local.application_data.accounts[local.environment].ebs_default_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf" } + ) +} -# resource "aws_volume_attachment" "dbf_att" { -# device_name = "/dev/sdk" -# volume_id = aws_ebs_volume.dbf.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "dbf_att" { + device_name = "/dev/sdk" + volume_id = aws_ebs_volume.dbf.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "redoA" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoA -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "redoA" } -# ) -# } +resource "aws_ebs_volume" "redoA" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoA + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "redoA" } + ) +} -# resource "aws_volume_attachment" "redoA_att" { -# device_name = "/dev/sdl" -# volume_id = aws_ebs_volume.redoA.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "redoA_att" { + device_name = 
"/dev/sdl" + volume_id = aws_ebs_volume.redoA.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "techst" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_techst -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "techst" } -# ) -# } +resource "aws_ebs_volume" "techst" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_techst + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "techst" } + ) +} -# resource "aws_volume_attachment" "techst_att" { -# device_name = "/dev/sdm" -# volume_id = aws_ebs_volume.techst.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "techst_att" { + device_name = "/dev/sdm" + volume_id = aws_ebs_volume.techst.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "backup" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_backup -# type = local.application_data.accounts[local.environment].ebs_type_ebsdb_backup -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "backup" } -# ) -# } +resource "aws_ebs_volume" "backup" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_backup + type = local.application_data.accounts[local.environment].ebs_type_ebsdb_backup + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = 
merge(local.tags, + { Name = "backup" } + ) +} -# resource "aws_volume_attachment" "backup_att" { -# device_name = "/dev/sdn" -# volume_id = aws_ebs_volume.backup.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "backup_att" { + device_name = "/dev/sdn" + volume_id = aws_ebs_volume.backup.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "redoB" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoB -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "redoB" } -# ) -# } +resource "aws_ebs_volume" "redoB" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoB + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "redoB" } + ) +} -# resource "aws_volume_attachment" "redoB_att" { -# depends_on = [ -# aws_ebs_volume.redoB -# ] -# device_name = "/dev/sdo" -# volume_id = aws_ebs_volume.redoB.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "redoB_att" { + depends_on = [ + aws_ebs_volume.redoB + ] + device_name = "/dev/sdo" + volume_id = aws_ebs_volume.redoB.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "diag" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_diag -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "diag" } -# ) -# } +resource "aws_ebs_volume" "diag" { + lifecycle { + ignore_changes = [kms_key_id] + } + 
availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_diag + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "diag" } + ) +} -# resource "aws_volume_attachment" "diag_att" { -# depends_on = [ -# aws_ebs_volume.diag -# ] -# device_name = "/dev/sdp" -# volume_id = aws_ebs_volume.diag.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } -# /* -# #### This mount was required for golive incident -# #### Just commenting out, rather than remove - just in case +resource "aws_volume_attachment" "diag_att" { + depends_on = [ + aws_ebs_volume.diag + ] + device_name = "/dev/sdp" + volume_id = aws_ebs_volume.diag.id + instance_id = aws_instance.ec2_oracle_ebs.id +} +/* +#### This mount was required for golive incident +#### Just commenting out, rather than remove - just in case -# resource "aws_ebs_volume" "dbf2" { -# count = local.is-production ? 1 : 0 -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf2 -# type = "io2" -# iops = local.application_data.accounts[local.environment].ebs_default_dbf2_iops -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "dbf2" } -# ) -# } +resource "aws_ebs_volume" "dbf2" { + count = local.is-production ? 1 : 0 + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf2 + type = "io2" + iops = local.application_data.accounts[local.environment].ebs_default_dbf2_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf2" } + ) +} -# resource "aws_volume_attachment" "dbf2_att" { -# count = local.is-production ? 
1 : 0 -# device_name = "/dev/sdo" -# volume_id = aws_ebs_volume.dbf2[0].id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } -# */ +resource "aws_volume_attachment" "dbf2_att" { + count = local.is-production ? 1 : 0 + device_name = "/dev/sdo" + volume_id = aws_ebs_volume.dbf2[0].id + instance_id = aws_instance.ec2_oracle_ebs.id +} +*/ -# module "cw-ebs-ec2" { -# source = "./modules/cw-ec2" +module "cw-ebs-ec2" { + source = "./modules/cw-ec2" -# short_env = local.application_data.accounts[local.environment].short_env -# name = "ec2-ebs" -# topic = aws_sns_topic.cw_alerts.arn -# instanceId = aws_instance.ec2_oracle_ebs.id -# imageId = local.application_data.accounts[local.environment].ebsdb_ami_id -# instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb -# fileSystem = "xfs" # Linux root filesystem -# rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images + short_env = local.application_data.accounts[local.environment].short_env + name = "ec2-ebs" + topic = aws_sns_topic.cw_alerts.arn + instanceId = aws_instance.ec2_oracle_ebs.id + imageId = local.application_data.accounts[local.environment].ebsdb_ami_id + instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb + fileSystem = "xfs" # Linux root filesystem + rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images -# cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods -# cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods -# cpu_period = local.application_data.cloudwatch_ec2.cpu.period -# cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold + cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_period = local.application_data.cloudwatch_ec2.cpu.period + cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold -# 
mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods -# mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods -# mem_period = local.application_data.cloudwatch_ec2.mem.period -# mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold + mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_period = local.application_data.cloudwatch_ec2.mem.period + mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold -# disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods -# disk_period = local.application_data.cloudwatch_ec2.disk.period -# disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold + disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_period = local.application_data.cloudwatch_ec2.disk.period + disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold -# insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods -# insthc_period = local.application_data.cloudwatch_ec2.insthc.period -# insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold + insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods + insthc_period = local.application_data.cloudwatch_ec2.insthc.period + insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold -# syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods -# syshc_period = local.application_data.cloudwatch_ec2.syshc.period -# syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold -# } + syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods + syshc_period = local.application_data.cloudwatch_ec2.syshc.period + 
syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold +} diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf index d2e77776771..cc10c02bc38 100644 --- a/terraform/environments/ccms-ebs-upgrade/r53.tf +++ b/terraform/environments/ccms-ebs-upgrade/r53.tf @@ -1,9 +1,9 @@ -# ## EBSDB -# resource "aws_route53_record" "ebsdb" { -# provider = aws.core-vpc -# zone_id = data.aws_route53_zone.external.zone_id -# name = "ccms-ebs-db.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" -# type = "A" -# ttl = 300 -# records = [aws_instance.ec2_oracle_ebs.private_ip] -# } +## EBSDB +resource "aws_route53_record" "ebsdb" { + provider = aws.core-vpc + zone_id = data.aws_route53_zone.external.zone_id + name = "ccms-ebs-db.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + type = "A" + ttl = 300 + records = [aws_instance.ec2_oracle_ebs.private_ip] +} From 861dd093d6c0569f912c226288d1ffbf92fead5f Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 24 Oct 2023 15:20:00 +0100 Subject: [PATCH 23/46] CC-2147: Update certs --- .../ccms-ebs-upgrade/certificates.tf | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index f05c121afce..2badd180af6 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf 
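Review bot: The re-enabled `ebsdb` record publishes `aws_instance.ec2_oracle_ebs.private_ip` into `data.aws_route53_zone.external`; if that zone is a public hosted zone, the internal address of the Oracle DB host becomes resolvable from the internet, which is useful reconnaissance even though the address is not routable. Please confirm whether the zone is private or whether exposing the private IP there is an accepted platform convention, and state the outcome in a comment above the resource, e.g. `# Private IP is intentionally published in the shared "external" zone (zone is resolvable only from platform VPCs) — verify before reuse` adjusted to whatever is actually true. Note also that the record is bound to the instance's current private IP with `ttl = 300`, so an instance replacement changes the answer and clients may cache the stale address for five minutes; whenever the instance resource is disabled this record must be disabled with it or the plan fails on the dangling reference.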
@@ -29,28 +29,28 @@ resource "aws_acm_certificate" "laa_cert" { } } -resource "aws_acm_certificate_validation" "laa_cert" { - certificate_arn = aws_acm_certificate.laa_cert.arn - validation_record_fqdns = [for record in aws_route53_record.laa_cert_validation : record.fqdn] - timeouts { - create = "10m" - } -} +# resource "aws_acm_certificate_validation" "laa_cert" { +# certificate_arn = aws_acm_certificate.laa_cert.arn +# validation_record_fqdns = [for record in aws_route53_record.laa_cert_validation : record.fqdn] +# timeouts { +# create = "10m" +# } +# } -resource "aws_route53_record" "laa_cert_validation" { - provider = aws.core-vpc - for_each = { - for dvo in aws_acm_certificate.laa_cert.domain_validation_options : dvo.domain_name => { - name = dvo.resource_record_name - record = dvo.resource_record_value - type = dvo.resource_record_type - } - } +# resource "aws_route53_record" "laa_cert_validation" { +# provider = aws.core-vpc +# for_each = { +# for dvo in aws_acm_certificate.laa_cert.domain_validation_options : dvo.domain_name => { +# name = dvo.resource_record_name +# record = dvo.resource_record_value +# type = dvo.resource_record_type +# } +# } - allow_overwrite = true - name = each.value.name - records = [each.value.record] - ttl = 60 - type = each.value.type - zone_id = data.aws_route53_zone.external.zone_id -} +# allow_overwrite = true +# name = each.value.name +# records = [each.value.record] +# ttl = 60 +# type = each.value.type +# zone_id = data.aws_route53_zone.external.zone_id +# } From 8752d1d7521c9024504e7e085336d451be0ffc67 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Wed, 25 Oct 2023 15:04:59 +0100 Subject: [PATCH 24/46] CC-2147: Update certs --- .../application_variables.json | 2 +- .../ccms-ebs-upgrade/certificates.tf | 44 +++++++++---------- 2 files changed, 23 insertions(+), 23 deletions(-) 
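Review bot: Commenting out `aws_acm_certificate_validation.laa_cert` and `aws_route53_record.laa_cert_validation` while `aws_acm_certificate.laa_cert` stays active (its closing braces are the hunk's context lines) leaves a DNS-validated certificate with no validation records: on apply Terraform destroys the existing CNAMEs and the certificate remains in pending-validation, so anything that consumes its ARN cannot serve TLS. If this is a deliberate intermediate step for CC-2147, say so above the block so the next reader does not re-enable it blindly, e.g. `# CC-2147: DNS validation disabled while laa_cert is being re-issued — re-enable before any listener references aws_acm_certificate.laa_cert.arn`. Commented-out resources also carry no state, so consider `count = 0` behind a variable instead, which keeps the intent explicit and diffable.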
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json index 04744c1ccaf..c6e00241174 100644 --- a/terraform/environments/ccms-ebs-upgrade/application_variables.json +++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json @@ -23,7 +23,7 @@ "ftp_ami_id": "ami-0d8e665f120c20253", "ec2_instance_type_clamav": "c5d.large", "clamav_ami_id": "ami-0965b5afb3ac7174e", - "ebsdb_ami_id": "ami-07b8dc1b66c170400", + "ebsdb_ami_id": "ami-0d4b266f7ae87bbfc", "ebsapps_ami_id-1": "ami-0d4b266f7ae87bbfc", "ebsapps_ami_id-2": "ami-0d4b266f7ae87bbfc", "accessgate_ami_id-1": "ami-0695726199c3e30e5", diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index 2badd180af6..34d00637c02 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf 
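Review bot: `ebsdb_ami_id` now carries exactly the same image ID as `ebsapps_ami_id-1` and `ebsapps_ami_id-2`, so the Oracle DB host would be built from the application-tier AMI, and the commit title "Update certs" gives no reason for it. If this is intentional (for example the app AMI is a shared hardened base), record that in the commit message since the JSON file cannot hold a comment; if it is a copy-paste slip it will rebuild the DB host from the wrong image, because `ami` is read from this key in ec2-oracle_ebs_db.tf. Either way the AMI's provenance (who built it, from which pipeline) is the thing a reviewer needs to be able to trace from the change.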
@@ -3,31 +3,31 @@ # *.laa-test.modernisation-platform.service.justice.gov.uk # *.laa-preproduction.modernisation-platform.service.justice.gov.uk -resource "aws_acm_certificate" "laa_cert" { - domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment) - validation_method = "DNS" +# resource "aws_acm_certificate" "laa_cert" { +# domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment) +# validation_method = "DNS" - subject_alternative_names = [ - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment) - ] +# subject_alternative_names = [ +# 
format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment) +# ] - tags = merge(local.tags, - { Name = lower(format("%s-%s-certificate", local.application_name, local.environment)) } - ) +# tags = merge(local.tags, +# { Name = lower(format("%s-%s-certificate", local.application_name, local.environment)) } +# ) - lifecycle { - create_before_destroy = true - } -} +# lifecycle { +# create_before_destroy = true +# } +# } # resource "aws_acm_certificate_validation" "laa_cert" { # certificate_arn = aws_acm_certificate.laa_cert.arn From 34a08945bb77871a4e0c5f463759629fa5a5be2e Mon Sep 17 00:00:00 2001 
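Review bot: With `aws_acm_certificate.laa_cert` now commented out on top of the already-disabled validation resources, the whole file is dead code under a header comment that still advertises the `*.laa-*` wildcard names; on apply Terraform will delete the ACM certificate, and any resource elsewhere in this environment that references `aws_acm_certificate.laa_cert.arn` (if one exists) will fail to plan. A dated note at the top of the file would prevent the next person from re-enabling the blocks piecemeal: `# CC-2147: laa_cert and its DNS validation are temporarily removed pending re-issue; restore both together before re-enabling any TLS endpoint`. If the certificate is not coming back, delete the blocks rather than leaving them commented — git history preserves them, and commented resources hide the fact that the TLS material for these hostnames no longer exists.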
From: SahidKhan89 Date: Wed, 25 Oct 2023 15:12:37 +0100 Subject: [PATCH 25/46] CC-2147: Update certs --- .../environments/ccms-ebs-upgrade/application_variables.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json index c6e00241174..bb25490995c 100644 --- a/terraform/environments/ccms-ebs-upgrade/application_variables.json +++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json @@ -38,7 +38,7 @@ "accessgate_ami_name": "ebs-accessgate-v2_0", "ec2_instance_type_mailrelay": "c4.large", "mailrelay_ami_id": "ami-0e183a740dfc54442", - "key_name": "oracle-base-dev", + "key_name": "", "lz_aws_account_id_env": "411213865113", "lz_aws_subnet_env": "10.202.0.0/20", "lz_aws_workspace_nonprod_subnet_env": "10.200.0.0/20", From cb01c305dc81992ebc3b1e9134769449fce71d9d Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Wed, 25 Oct 2023 15:26:02 +0100 Subject: [PATCH 26/46] CC-2147: Update certs --- .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 588 +++++++++--------- .../environments/ccms-ebs-upgrade/r53.tf | 18 +- 2 files changed, 303 insertions(+), 303 deletions(-) diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf index 9c71d46a005..c30bfd087a3 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf 
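Review bot: `key_name` is read by `aws_instance.ec2_oracle_ebs` (`key_name = local.application_data.accounts[local.environment].key_name`), and `key_name` forces replacement on `aws_instance`, so changing it from `oracle-base-dev` to `""` would destroy and recreate the Oracle DB host with all of its volume attachments rather than merely drop the key pair; the commit title "Update certs" does not signal that blast radius. Removing the SSH key is a sound hardening step if operators reach the host through SSM via the `iam_instace_profile_ccms_base` instance profile, but an empty string is not the same as unset — the provider may pass an empty key name through to EC2 — so prefer guarding the reference: `key_name = local.application_data.accounts[local.environment].key_name != "" ? local.application_data.accounts[local.environment].key_name : null`. Confirm the SSM path actually works for this host before the break-glass SSH key is gone.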
@@ -1,325 +1,325 @@ -resource "aws_instance" "ec2_oracle_ebs" { - instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb - #ami = data.aws_ami.oracle_db.id - ami = local.application_data.accounts[local.environment].ebsdb_ami_id - key_name = local.application_data.accounts[local.environment].key_name - vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id] - subnet_id = data.aws_subnet.data_subnets_a.id - monitoring = true - ebs_optimized = false - associate_public_ip_address = false - iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name +# resource "aws_instance" "ec2_oracle_ebs" { +# instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb +# #ami = data.aws_ami.oracle_db.id +# ami = local.application_data.accounts[local.environment].ebsdb_ami_id +# key_name = local.application_data.accounts[local.environment].key_name +# vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id] +# subnet_id = data.aws_subnet.data_subnets_a.id +# monitoring = true +# ebs_optimized = false +# associate_public_ip_address = false +# iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name - cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb - cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb +# cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb +# cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb - # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. 
- #lifecycle { - # ignore_changes = [ebs_block_device] - #} - lifecycle { - ignore_changes = [ - cpu_core_count, - ebs_block_device, - ebs_optimized, - user_data, - user_data_replace_on_change - ] - } - user_data_replace_on_change = false - user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", { - environment = "${local.environment}" - hostname = "ebs" - })) +# # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. +# #lifecycle { +# # ignore_changes = [ebs_block_device] +# #} +# lifecycle { +# ignore_changes = [ +# cpu_core_count, +# ebs_block_device, +# ebs_optimized, +# user_data, +# user_data_replace_on_change +# ] +# } +# user_data_replace_on_change = false +# user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", { +# environment = "${local.environment}" +# hostname = "ebs" +# })) - metadata_options { - http_endpoint = "enabled" - http_tokens = "required" - } - /* - # Increase the volume size of the root volume - root_block_device { - volume_type = "gp3" - volume_size = 50 - encrypted = true - tags = merge(local.tags, - { Name = "root-block" } - ) - } - ebs_block_device { - device_name = "/dev/sdc" - volume_type = "gp3" - volume_size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp - encrypted = true - tags = merge(local.tags, - { Name = "temp" } - ) - } - */ +# metadata_options { +# http_endpoint = "enabled" +# http_tokens = "required" +# } +# /* +# # Increase the volume size of the root volume +# root_block_device { +# volume_type = "gp3" +# volume_size = 50 +# encrypted = true +# tags = merge(local.tags, +# { Name = "root-block" } +# ) +# } +# ebs_block_device { +# device_name = "/dev/sdc" +# volume_type = "gp3" +# volume_size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp +# encrypted = true +# tags = merge(local.tags, +# { Name = "temp" } +# ) +# } +# */ - tags = merge(local.tags, - { Name = 
lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) }, - { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, - { backup = "true" }, - { OracleDbLTS-ManagedInstance = "true" } - ) - depends_on = [aws_security_group.ec2_sg_ebsdb] -} +# tags = merge(local.tags, +# { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) }, +# { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, +# { backup = "true" }, +# { OracleDbLTS-ManagedInstance = "true" } +# ) +# depends_on = [aws_security_group.ec2_sg_ebsdb] +# } -resource "aws_ebs_volume" "export_home" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_exhome - type = "io2" - iops = 3000 - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "export/home" } - ) -} +# resource "aws_ebs_volume" "export_home" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_exhome +# type = "io2" +# iops = 3000 +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "export/home" } +# ) +# } -resource "aws_volume_attachment" "export_home_att" { - device_name = "/dev/sdh" - volume_id = aws_ebs_volume.export_home.id - instance_id = aws_instance.ec2_oracle_ebs.id -} +# resource "aws_volume_attachment" "export_home_att" { +# device_name = "/dev/sdh" +# volume_id = aws_ebs_volume.export_home.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } -resource "aws_ebs_volume" "u01" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_u01 - type = "io2" - iops = 3000 - encrypted 
= true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "u01" } - ) -} +# resource "aws_ebs_volume" "u01" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_u01 +# type = "io2" +# iops = 3000 +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "u01" } +# ) +# } -resource "aws_volume_attachment" "u01_att" { - device_name = "/dev/sdi" - volume_id = aws_ebs_volume.u01.id - instance_id = aws_instance.ec2_oracle_ebs.id -} +# resource "aws_volume_attachment" "u01_att" { +# device_name = "/dev/sdi" +# volume_id = aws_ebs_volume.u01.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } -resource "aws_ebs_volume" "arch" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_arch - type = "io2" - iops = 3000 - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "arch" } - ) -} +# resource "aws_ebs_volume" "arch" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_arch +# type = "io2" +# iops = 3000 +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "arch" } +# ) +# } -resource "aws_volume_attachment" "arch_att" { - device_name = "/dev/sdj" - volume_id = aws_ebs_volume.arch.id - instance_id = aws_instance.ec2_oracle_ebs.id -} +# resource "aws_volume_attachment" "arch_att" { +# device_name = "/dev/sdj" +# volume_id = aws_ebs_volume.arch.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } -resource "aws_ebs_volume" "dbf" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = 
local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf - type = "io2" - iops = local.application_data.accounts[local.environment].ebs_default_iops - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "dbf" } - ) -} +# resource "aws_ebs_volume" "dbf" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf +# type = "io2" +# iops = local.application_data.accounts[local.environment].ebs_default_iops +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "dbf" } +# ) +# } -resource "aws_volume_attachment" "dbf_att" { - device_name = "/dev/sdk" - volume_id = aws_ebs_volume.dbf.id - instance_id = aws_instance.ec2_oracle_ebs.id -} +# resource "aws_volume_attachment" "dbf_att" { +# device_name = "/dev/sdk" +# volume_id = aws_ebs_volume.dbf.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } -resource "aws_ebs_volume" "redoA" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoA - type = "io2" - iops = 3000 - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "redoA" } - ) -} +# resource "aws_ebs_volume" "redoA" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoA +# type = "io2" +# iops = 3000 +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "redoA" } +# ) +# } -resource "aws_volume_attachment" "redoA_att" { - device_name = "/dev/sdl" - volume_id = aws_ebs_volume.redoA.id - instance_id = aws_instance.ec2_oracle_ebs.id -} +# resource "aws_volume_attachment" "redoA_att" { +# device_name = 
"/dev/sdl" +# volume_id = aws_ebs_volume.redoA.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } -resource "aws_ebs_volume" "techst" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_techst - type = "io2" - iops = 3000 - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "techst" } - ) -} +# resource "aws_ebs_volume" "techst" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_techst +# type = "io2" +# iops = 3000 +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "techst" } +# ) +# } -resource "aws_volume_attachment" "techst_att" { - device_name = "/dev/sdm" - volume_id = aws_ebs_volume.techst.id - instance_id = aws_instance.ec2_oracle_ebs.id -} +# resource "aws_volume_attachment" "techst_att" { +# device_name = "/dev/sdm" +# volume_id = aws_ebs_volume.techst.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } -resource "aws_ebs_volume" "backup" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_backup - type = local.application_data.accounts[local.environment].ebs_type_ebsdb_backup - iops = 3000 - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "backup" } - ) -} +# resource "aws_ebs_volume" "backup" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_backup +# type = local.application_data.accounts[local.environment].ebs_type_ebsdb_backup +# iops = 3000 +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = 
merge(local.tags, +# { Name = "backup" } +# ) +# } -resource "aws_volume_attachment" "backup_att" { - device_name = "/dev/sdn" - volume_id = aws_ebs_volume.backup.id - instance_id = aws_instance.ec2_oracle_ebs.id -} +# resource "aws_volume_attachment" "backup_att" { +# device_name = "/dev/sdn" +# volume_id = aws_ebs_volume.backup.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } -resource "aws_ebs_volume" "redoB" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoB - type = "io2" - iops = 3000 - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "redoB" } - ) -} +# resource "aws_ebs_volume" "redoB" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoB +# type = "io2" +# iops = 3000 +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "redoB" } +# ) +# } -resource "aws_volume_attachment" "redoB_att" { - depends_on = [ - aws_ebs_volume.redoB - ] - device_name = "/dev/sdo" - volume_id = aws_ebs_volume.redoB.id - instance_id = aws_instance.ec2_oracle_ebs.id -} +# resource "aws_volume_attachment" "redoB_att" { +# depends_on = [ +# aws_ebs_volume.redoB +# ] +# device_name = "/dev/sdo" +# volume_id = aws_ebs_volume.redoB.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } -resource "aws_ebs_volume" "diag" { - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_diag - type = "io2" - iops = 3000 - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "diag" } - ) -} +# resource "aws_ebs_volume" "diag" { +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# 
availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_diag +# type = "io2" +# iops = 3000 +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "diag" } +# ) +# } -resource "aws_volume_attachment" "diag_att" { - depends_on = [ - aws_ebs_volume.diag - ] - device_name = "/dev/sdp" - volume_id = aws_ebs_volume.diag.id - instance_id = aws_instance.ec2_oracle_ebs.id -} -/* -#### This mount was required for golive incident -#### Just commenting out, rather than remove - just in case +# resource "aws_volume_attachment" "diag_att" { +# depends_on = [ +# aws_ebs_volume.diag +# ] +# device_name = "/dev/sdp" +# volume_id = aws_ebs_volume.diag.id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } +# /* +# #### This mount was required for golive incident +# #### Just commenting out, rather than remove - just in case -resource "aws_ebs_volume" "dbf2" { - count = local.is-production ? 1 : 0 - lifecycle { - ignore_changes = [kms_key_id] - } - availability_zone = "eu-west-2a" - size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf2 - type = "io2" - iops = local.application_data.accounts[local.environment].ebs_default_dbf2_iops - encrypted = true - kms_key_id = data.aws_kms_key.ebs_shared.key_id - tags = merge(local.tags, - { Name = "dbf2" } - ) -} +# resource "aws_ebs_volume" "dbf2" { +# count = local.is-production ? 1 : 0 +# lifecycle { +# ignore_changes = [kms_key_id] +# } +# availability_zone = "eu-west-2a" +# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf2 +# type = "io2" +# iops = local.application_data.accounts[local.environment].ebs_default_dbf2_iops +# encrypted = true +# kms_key_id = data.aws_kms_key.ebs_shared.key_id +# tags = merge(local.tags, +# { Name = "dbf2" } +# ) +# } -resource "aws_volume_attachment" "dbf2_att" { - count = local.is-production ? 
1 : 0 - device_name = "/dev/sdo" - volume_id = aws_ebs_volume.dbf2[0].id - instance_id = aws_instance.ec2_oracle_ebs.id -} -*/ +# resource "aws_volume_attachment" "dbf2_att" { +# count = local.is-production ? 1 : 0 +# device_name = "/dev/sdo" +# volume_id = aws_ebs_volume.dbf2[0].id +# instance_id = aws_instance.ec2_oracle_ebs.id +# } +# */ -module "cw-ebs-ec2" { - source = "./modules/cw-ec2" +# module "cw-ebs-ec2" { +# source = "./modules/cw-ec2" - short_env = local.application_data.accounts[local.environment].short_env - name = "ec2-ebs" - topic = aws_sns_topic.cw_alerts.arn - instanceId = aws_instance.ec2_oracle_ebs.id - imageId = local.application_data.accounts[local.environment].ebsdb_ami_id - instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb - fileSystem = "xfs" # Linux root filesystem - rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images +# short_env = local.application_data.accounts[local.environment].short_env +# name = "ec2-ebs" +# topic = aws_sns_topic.cw_alerts.arn +# instanceId = aws_instance.ec2_oracle_ebs.id +# imageId = local.application_data.accounts[local.environment].ebsdb_ami_id +# instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb +# fileSystem = "xfs" # Linux root filesystem +# rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images - cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods - cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods - cpu_period = local.application_data.cloudwatch_ec2.cpu.period - cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold +# cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods +# cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods +# cpu_period = local.application_data.cloudwatch_ec2.cpu.period +# cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold - 
mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods - mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods - mem_period = local.application_data.cloudwatch_ec2.mem.period - mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold +# mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods +# mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods +# mem_period = local.application_data.cloudwatch_ec2.mem.period +# mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold - disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods - disk_period = local.application_data.cloudwatch_ec2.disk.period - disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold +# disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods +# disk_period = local.application_data.cloudwatch_ec2.disk.period +# disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold - insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods - insthc_period = local.application_data.cloudwatch_ec2.insthc.period - insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold +# insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods +# insthc_period = local.application_data.cloudwatch_ec2.insthc.period +# insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold - syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods - syshc_period = local.application_data.cloudwatch_ec2.syshc.period - syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold -} +# syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods +# syshc_period = local.application_data.cloudwatch_ec2.syshc.period +# 
syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold
+# }
diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf
index cc10c02bc38..d2e77776771 100644
--- a/terraform/environments/ccms-ebs-upgrade/r53.tf
+++ b/terraform/environments/ccms-ebs-upgrade/r53.tf
@@ -1,9 +1,9 @@
-## EBSDB
-resource "aws_route53_record" "ebsdb" {
- provider = aws.core-vpc
- zone_id = data.aws_route53_zone.external.zone_id
- name = "ccms-ebs-db.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
- type = "A"
- ttl = 300
- records = [aws_instance.ec2_oracle_ebs.private_ip]
-}
+# ## EBSDB
+# resource "aws_route53_record" "ebsdb" {
+# provider = aws.core-vpc
+# zone_id = data.aws_route53_zone.external.zone_id
+# name = "ccms-ebs-db.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+# type = "A"
+# ttl = 300
+# records = [aws_instance.ec2_oracle_ebs.private_ip]
+# }
From fab05ee6932925cb9457e6fc970b17b6decd8398 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Wed, 25 Oct 2023 15:27:53 +0100
Subject: [PATCH 27/46] CC-2147: Update certs
---
.../ec2-oracle_ebs_db-cloudwatch.tf | 598 +++++++++---------
1 file changed, 299 insertions(+), 299 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf
index d39ffd69a29..a8d2c527393 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db-cloudwatch.tf
@@ -1,299 +1,299 @@ -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redoa" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_redoa" - alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/redoA mount. If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/CCMS/EBS/redoA" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme2n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_dbf" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_dbf" - alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/dbf mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold_dbf - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/CCMS/EBS/dbf" # local.application_data.accounts[local.environment].dbf_path - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme3n1" # local.application_data.accounts[local.environment].dbf_device - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_arch" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_arch" - alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/arch mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/CCMS/EBS/arch" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme4n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_backup" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-backup" - alarm_description = "This metric monitors the amount of free disk space on /backup mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/backup" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme5n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_temp" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-temp" - alarm_description = "This metric monitors the amount of free disk space on /temp mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/temp" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme6n1" # "/dev/sdc" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_diag" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_diag" - alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/diag mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/CCMS/EBS/diag" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme7n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redob" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_redob" - alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/redoB mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/CCMS/EBS/redoB" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme8n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_home" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-home" - alarm_description = "This metric monitors the amount of free disk space on /home mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/home" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme9n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_backup_prod" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-backup_prod" - alarm_description = "This metric monitors the amount of free disk space on /backup_prod mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/backup_prod" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme10n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_u01" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-u01" - alarm_description = "This metric monitors the amount of free disk space on /u01 mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/u01" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme11n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_export_home" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-export_home" - alarm_description = "This metric monitors the amount of free disk space on /export/home mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/export/home" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme12n1" - } -} - -resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_techst" { - alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_techst" - alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/techst mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" - comparison_operator = "GreaterThanOrEqualToThreshold" - metric_name = "disk_used_percent" - namespace = "CWAgent" - statistic = "Average" - insufficient_data_actions = [] - - evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods - datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods - period = local.application_data.cloudwatch_ec2.disk.period - threshold = local.application_data.cloudwatch_ec2.disk.threshold - alarm_actions = [aws_sns_topic.cw_alerts.arn] - - dimensions = { - ImageId = aws_instance.ec2_oracle_ebs.ami - path = "/CCMS/EBS/techst" - InstanceType = aws_instance.ec2_oracle_ebs.instance_type - InstanceId = aws_instance.ec2_oracle_ebs.id - fstype = "ext4" - device = "nvme13n1" - } -} \ No newline at end of file +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redoa" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_redoa" +# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/redoA mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/CCMS/EBS/redoA" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme2n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_dbf" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_dbf" +# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/dbf mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold_dbf +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/CCMS/EBS/dbf" # local.application_data.accounts[local.environment].dbf_path +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme3n1" # local.application_data.accounts[local.environment].dbf_device +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_arch" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_arch" +# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/arch mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/CCMS/EBS/arch" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme4n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_backup" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-backup" +# alarm_description = "This metric monitors the amount of free disk space on /backup mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/backup" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme5n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_temp" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-temp" +# alarm_description = "This metric monitors the amount of free disk space on /temp mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/temp" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme6n1" # "/dev/sdc" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_diag" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_diag" +# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/diag mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/CCMS/EBS/diag" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme7n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redob" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_redob" +# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/redoB mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/CCMS/EBS/redoB" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme8n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_home" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-home" +# alarm_description = "This metric monitors the amount of free disk space on /home mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/home" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme9n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_backup_prod" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-backup_prod" +# alarm_description = "This metric monitors the amount of free disk space on /backup_prod mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/backup_prod" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme10n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_u01" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-u01" +# alarm_description = "This metric monitors the amount of free disk space on /u01 mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/u01" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme11n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_export_home" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-export_home" +# alarm_description = "This metric monitors the amount of free disk space on /export/home mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/export/home" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme12n1" +# } +# } + +# resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_techst" { +# alarm_name = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_techst" +# alarm_description = "This metric monitors the amount of free disk space on /CCMS/EBS/techst mount. 
If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger" +# comparison_operator = "GreaterThanOrEqualToThreshold" +# metric_name = "disk_used_percent" +# namespace = "CWAgent" +# statistic = "Average" +# insufficient_data_actions = [] + +# evaluation_periods = local.application_data.cloudwatch_ec2.disk.eval_periods +# datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods +# period = local.application_data.cloudwatch_ec2.disk.period +# threshold = local.application_data.cloudwatch_ec2.disk.threshold +# alarm_actions = [aws_sns_topic.cw_alerts.arn] + +# dimensions = { +# ImageId = aws_instance.ec2_oracle_ebs.ami +# path = "/CCMS/EBS/techst" +# InstanceType = aws_instance.ec2_oracle_ebs.instance_type +# InstanceId = aws_instance.ec2_oracle_ebs.id +# fstype = "ext4" +# device = "nvme13n1" +# } +# } \ No newline at end of file From 2b1612f7e9ddb57e251b85b4c4ff528d31ec0498 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Thu, 26 Oct 2023 09:43:31 +0100 Subject: [PATCH 28/46] CC-2147: Update certs --- .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 588 +++++++++--------- .../environments/ccms-ebs-upgrade/r53.tf | 18 +- 2 files changed, 303 insertions(+), 303 deletions(-) diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf index c30bfd087a3..9c71d46a005 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf 
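Review bot: Commenting out every `disk_used_percent` alarm in this file removes all disk-exhaustion alerting for the Oracle EBS database host — /CCMS/EBS/arch, /CCMS/EBS/redoA, /backup and the rest — and, if these alarms currently exist, the next apply will destroy them, yet the commit subject ("CC-2147: Update certs") says nothing about monitoring being withdrawn. Presumably this is a stop-gap because the `aws_instance.ec2_oracle_ebs` these alarms reference is itself commented out at this point (the following patch re-enables it), but that intent is not recorded anywhere in the file. A header line such as `# TEMPORARY (CC-2147): disk alarms disabled while ec2_oracle_ebs is rebuilt; re-enable before the instance returns to service.` would let the next reader tell a deliberate gap from an accidental one. If the alarms need to track the instance's presence, gating each resource with `count = local.ebsdb_enabled ? 1 : 0` keeps them under `terraform validate` and makes re-enabling a one-line change rather than a 299-line uncomment. The alerting gap should also be called out in the commit message so it is visible to whoever audits monitoring for this host.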
@@ -1,325 +1,325 @@ -# resource "aws_instance" "ec2_oracle_ebs" { -# instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb -# #ami = data.aws_ami.oracle_db.id -# ami = local.application_data.accounts[local.environment].ebsdb_ami_id -# key_name = local.application_data.accounts[local.environment].key_name -# vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id] -# subnet_id = data.aws_subnet.data_subnets_a.id -# monitoring = true -# ebs_optimized = false -# associate_public_ip_address = false -# iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name +resource "aws_instance" "ec2_oracle_ebs" { + instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb + #ami = data.aws_ami.oracle_db.id + ami = local.application_data.accounts[local.environment].ebsdb_ami_id + key_name = local.application_data.accounts[local.environment].key_name + vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id] + subnet_id = data.aws_subnet.data_subnets_a.id + monitoring = true + ebs_optimized = false + associate_public_ip_address = false + iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name -# cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb -# cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb + cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb + cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb -# # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. 
-# #lifecycle { -# # ignore_changes = [ebs_block_device] -# #} -# lifecycle { -# ignore_changes = [ -# cpu_core_count, -# ebs_block_device, -# ebs_optimized, -# user_data, -# user_data_replace_on_change -# ] -# } -# user_data_replace_on_change = false -# user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", { -# environment = "${local.environment}" -# hostname = "ebs" -# })) + # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. + #lifecycle { + # ignore_changes = [ebs_block_device] + #} + lifecycle { + ignore_changes = [ + cpu_core_count, + ebs_block_device, + ebs_optimized, + user_data, + user_data_replace_on_change + ] + } + user_data_replace_on_change = false + user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", { + environment = "${local.environment}" + hostname = "ebs" + })) -# metadata_options { -# http_endpoint = "enabled" -# http_tokens = "required" -# } -# /* -# # Increase the volume size of the root volume -# root_block_device { -# volume_type = "gp3" -# volume_size = 50 -# encrypted = true -# tags = merge(local.tags, -# { Name = "root-block" } -# ) -# } -# ebs_block_device { -# device_name = "/dev/sdc" -# volume_type = "gp3" -# volume_size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp -# encrypted = true -# tags = merge(local.tags, -# { Name = "temp" } -# ) -# } -# */ + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + /* + # Increase the volume size of the root volume + root_block_device { + volume_type = "gp3" + volume_size = 50 + encrypted = true + tags = merge(local.tags, + { Name = "root-block" } + ) + } + ebs_block_device { + device_name = "/dev/sdc" + volume_type = "gp3" + volume_size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp + encrypted = true + tags = merge(local.tags, + { Name = "temp" } + ) + } + */ -# tags = merge(local.tags, -# { Name = 
lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) }, -# { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, -# { backup = "true" }, -# { OracleDbLTS-ManagedInstance = "true" } -# ) -# depends_on = [aws_security_group.ec2_sg_ebsdb] -# } + tags = merge(local.tags, + { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) }, + { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, + { backup = "true" }, + { OracleDbLTS-ManagedInstance = "true" } + ) + depends_on = [aws_security_group.ec2_sg_ebsdb] +} -# resource "aws_ebs_volume" "export_home" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_exhome -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "export/home" } -# ) -# } +resource "aws_ebs_volume" "export_home" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_exhome + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "export/home" } + ) +} -# resource "aws_volume_attachment" "export_home_att" { -# device_name = "/dev/sdh" -# volume_id = aws_ebs_volume.export_home.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "export_home_att" { + device_name = "/dev/sdh" + volume_id = aws_ebs_volume.export_home.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "u01" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_u01 -# type = "io2" -# iops = 3000 -# 
encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "u01" } -# ) -# } +resource "aws_ebs_volume" "u01" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_u01 + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "u01" } + ) +} -# resource "aws_volume_attachment" "u01_att" { -# device_name = "/dev/sdi" -# volume_id = aws_ebs_volume.u01.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "u01_att" { + device_name = "/dev/sdi" + volume_id = aws_ebs_volume.u01.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "arch" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_arch -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "arch" } -# ) -# } +resource "aws_ebs_volume" "arch" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_arch + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "arch" } + ) +} -# resource "aws_volume_attachment" "arch_att" { -# device_name = "/dev/sdj" -# volume_id = aws_ebs_volume.arch.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "arch_att" { + device_name = "/dev/sdj" + volume_id = aws_ebs_volume.arch.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "dbf" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = 
local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf -# type = "io2" -# iops = local.application_data.accounts[local.environment].ebs_default_iops -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "dbf" } -# ) -# } +resource "aws_ebs_volume" "dbf" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf + type = "io2" + iops = local.application_data.accounts[local.environment].ebs_default_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf" } + ) +} -# resource "aws_volume_attachment" "dbf_att" { -# device_name = "/dev/sdk" -# volume_id = aws_ebs_volume.dbf.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "dbf_att" { + device_name = "/dev/sdk" + volume_id = aws_ebs_volume.dbf.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "redoA" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoA -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "redoA" } -# ) -# } +resource "aws_ebs_volume" "redoA" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoA + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "redoA" } + ) +} -# resource "aws_volume_attachment" "redoA_att" { -# device_name = "/dev/sdl" -# volume_id = aws_ebs_volume.redoA.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "redoA_att" { + device_name = 
"/dev/sdl" + volume_id = aws_ebs_volume.redoA.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "techst" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_techst -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "techst" } -# ) -# } +resource "aws_ebs_volume" "techst" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_techst + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "techst" } + ) +} -# resource "aws_volume_attachment" "techst_att" { -# device_name = "/dev/sdm" -# volume_id = aws_ebs_volume.techst.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "techst_att" { + device_name = "/dev/sdm" + volume_id = aws_ebs_volume.techst.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "backup" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_backup -# type = local.application_data.accounts[local.environment].ebs_type_ebsdb_backup -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "backup" } -# ) -# } +resource "aws_ebs_volume" "backup" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_backup + type = local.application_data.accounts[local.environment].ebs_type_ebsdb_backup + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = 
merge(local.tags, + { Name = "backup" } + ) +} -# resource "aws_volume_attachment" "backup_att" { -# device_name = "/dev/sdn" -# volume_id = aws_ebs_volume.backup.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "backup_att" { + device_name = "/dev/sdn" + volume_id = aws_ebs_volume.backup.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "redoB" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoB -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "redoB" } -# ) -# } +resource "aws_ebs_volume" "redoB" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_redoB + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "redoB" } + ) +} -# resource "aws_volume_attachment" "redoB_att" { -# depends_on = [ -# aws_ebs_volume.redoB -# ] -# device_name = "/dev/sdo" -# volume_id = aws_ebs_volume.redoB.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } +resource "aws_volume_attachment" "redoB_att" { + depends_on = [ + aws_ebs_volume.redoB + ] + device_name = "/dev/sdo" + volume_id = aws_ebs_volume.redoB.id + instance_id = aws_instance.ec2_oracle_ebs.id +} -# resource "aws_ebs_volume" "diag" { -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_diag -# type = "io2" -# iops = 3000 -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "diag" } -# ) -# } +resource "aws_ebs_volume" "diag" { + lifecycle { + ignore_changes = [kms_key_id] + } + 
availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_diag + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "diag" } + ) +} -# resource "aws_volume_attachment" "diag_att" { -# depends_on = [ -# aws_ebs_volume.diag -# ] -# device_name = "/dev/sdp" -# volume_id = aws_ebs_volume.diag.id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } -# /* -# #### This mount was required for golive incident -# #### Just commenting out, rather than remove - just in case +resource "aws_volume_attachment" "diag_att" { + depends_on = [ + aws_ebs_volume.diag + ] + device_name = "/dev/sdp" + volume_id = aws_ebs_volume.diag.id + instance_id = aws_instance.ec2_oracle_ebs.id +} +/* +#### This mount was required for golive incident +#### Just commenting out, rather than remove - just in case -# resource "aws_ebs_volume" "dbf2" { -# count = local.is-production ? 1 : 0 -# lifecycle { -# ignore_changes = [kms_key_id] -# } -# availability_zone = "eu-west-2a" -# size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf2 -# type = "io2" -# iops = local.application_data.accounts[local.environment].ebs_default_dbf2_iops -# encrypted = true -# kms_key_id = data.aws_kms_key.ebs_shared.key_id -# tags = merge(local.tags, -# { Name = "dbf2" } -# ) -# } +resource "aws_ebs_volume" "dbf2" { + count = local.is-production ? 1 : 0 + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf2 + type = "io2" + iops = local.application_data.accounts[local.environment].ebs_default_dbf2_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf2" } + ) +} -# resource "aws_volume_attachment" "dbf2_att" { -# count = local.is-production ? 
1 : 0 -# device_name = "/dev/sdo" -# volume_id = aws_ebs_volume.dbf2[0].id -# instance_id = aws_instance.ec2_oracle_ebs.id -# } -# */ +resource "aws_volume_attachment" "dbf2_att" { + count = local.is-production ? 1 : 0 + device_name = "/dev/sdo" + volume_id = aws_ebs_volume.dbf2[0].id + instance_id = aws_instance.ec2_oracle_ebs.id +} +*/ -# module "cw-ebs-ec2" { -# source = "./modules/cw-ec2" +module "cw-ebs-ec2" { + source = "./modules/cw-ec2" -# short_env = local.application_data.accounts[local.environment].short_env -# name = "ec2-ebs" -# topic = aws_sns_topic.cw_alerts.arn -# instanceId = aws_instance.ec2_oracle_ebs.id -# imageId = local.application_data.accounts[local.environment].ebsdb_ami_id -# instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb -# fileSystem = "xfs" # Linux root filesystem -# rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images + short_env = local.application_data.accounts[local.environment].short_env + name = "ec2-ebs" + topic = aws_sns_topic.cw_alerts.arn + instanceId = aws_instance.ec2_oracle_ebs.id + imageId = local.application_data.accounts[local.environment].ebsdb_ami_id + instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb + fileSystem = "xfs" # Linux root filesystem + rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images -# cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods -# cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods -# cpu_period = local.application_data.cloudwatch_ec2.cpu.period -# cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold + cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_period = local.application_data.cloudwatch_ec2.cpu.period + cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold -# 
mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods -# mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods -# mem_period = local.application_data.cloudwatch_ec2.mem.period -# mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold + mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_period = local.application_data.cloudwatch_ec2.mem.period + mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold -# disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods -# disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods -# disk_period = local.application_data.cloudwatch_ec2.disk.period -# disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold + disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_period = local.application_data.cloudwatch_ec2.disk.period + disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold -# insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods -# insthc_period = local.application_data.cloudwatch_ec2.insthc.period -# insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold + insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods + insthc_period = local.application_data.cloudwatch_ec2.insthc.period + insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold -# syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods -# syshc_period = local.application_data.cloudwatch_ec2.syshc.period -# syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold -# } + syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods + syshc_period = local.application_data.cloudwatch_ec2.syshc.period + 
syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold +} diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf index d2e77776771..cc10c02bc38 100644 --- a/terraform/environments/ccms-ebs-upgrade/r53.tf +++ b/terraform/environments/ccms-ebs-upgrade/r53.tf @@ -1,9 +1,9 @@ -# ## EBSDB -# resource "aws_route53_record" "ebsdb" { -# provider = aws.core-vpc -# zone_id = data.aws_route53_zone.external.zone_id -# name = "ccms-ebs-db.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" -# type = "A" -# ttl = 300 -# records = [aws_instance.ec2_oracle_ebs.private_ip] -# } +## EBSDB +resource "aws_route53_record" "ebsdb" { + provider = aws.core-vpc + zone_id = data.aws_route53_zone.external.zone_id + name = "ccms-ebs-db.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + type = "A" + ttl = 300 + records = [aws_instance.ec2_oracle_ebs.private_ip] +} From 3e4fab17fcd233f21f1b305fc23d0e49e26b50a5 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Thu, 26 Oct 2023 10:56:24 +0100 Subject: [PATCH 29/46] CC-2147: Update certs --- terraform/environments/ccms-ebs-upgrade/r53.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf index cc10c02bc38..a2aad489114 100644 --- a/terraform/environments/ccms-ebs-upgrade/r53.tf +++ b/terraform/environments/ccms-ebs-upgrade/r53.tf 
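Review bot: The root volume of `aws_instance.ec2_oracle_ebs` is left unmanaged on the new side: the `root_block_device { ... encrypted = true ... }` block that would pin its type, size and encryption sits inside the `/* ... */` comment, so it never takes effect and the root disk inherits whatever the AMI snapshot and the account's EBS default-encryption setting provide, while every data volume below explicitly sets `encrypted = true` with `data.aws_kms_key.ebs_shared`. Either move `root_block_device` out of the comment (adding `kms_key_id` so root and data volumes use the same key) or make the gap visible with `# NOTE: root volume type/size/encryption are inherited from the AMI; root_block_device below is intentionally disabled` above the comment. `lifecycle.ignore_changes` also lists `user_data`, so edits to `./templates/ec2_user_data_ebs.sh` are applied only at first creation — a one-line comment next to that entry would save the next maintainer a surprise. The subject "CC-2147: Update certs" does not describe this change, which re-enables the whole DB tier, its volumes and the Route53 record in r53.tf.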
@@ -2,7 +2,7 @@
 resource "aws_route53_record" "ebsdb" {
 provider = aws.core-vpc
 zone_id = data.aws_route53_zone.external.zone_id
- name = "ccms-ebs-db.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+ name = "ccms-ebs-db-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
 type = "A"
 ttl = 300
 records = [aws_instance.ec2_oracle_ebs.private_ip]
From ff515eff8bcd00fe12caf8493fcad1d417aa94e2 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Fri, 27 Oct 2023 10:46:41 +0100
Subject: [PATCH 30/46] CC-2147: add appshare volume
---
 .../application_variables.json | 1 +
 .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json
index bb25490995c..69345b850cd 100644
--- a/terraform/environments/ccms-ebs-upgrade/application_variables.json
+++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json
@@ -75,6 +75,7 @@
 "ebs_size_ebsdb_techst": 100,
 "ebs_size_ebsdb_backup": 8000,
 "ebs_size_ebsdb_diag": 50,
+ "ebs_size_ebsdb_appshare": 100,
 "ebs_default_iops_test": 9000,
 "dbf_device": "nvme5n1",
 "dbf_path": "/CCMS/EBS/dbf",
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
index 9c71d46a005..d54c103668f 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
@@ -260,6 +260,31 @@ resource "aws_volume_attachment" "diag_att" {
 volume_id = aws_ebs_volume.diag.id
 instance_id = aws_instance.ec2_oracle_ebs.id
 }
+
+
+resource "aws_ebs_volume" "appshare" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsdb_appshare
+ type = "io2"
+ iops = 3000
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "appshare" }
+ )
+}
+
+resource "aws_volume_attachment" "appshare_att" {
+ depends_on = [
+ aws_ebs_volume.appshare
+ ]
+ device_name = "/dev/sdq"
+ volume_id = aws_ebs_volume.appshare.id
+ instance_id = aws_instance.ec2_oracle_ebs.id
+}
 /*
 #### This mount was required for golive incident
 #### Just commenting out, rather than remove - just in case
From 11a5ef32c8da0901b2479e47c24968c8a3891313 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Fri, 27 Oct 2023 10:48:54 +0100
Subject: [PATCH 31/46] CC-2147: add appshare volume
---
 .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
index d54c103668f..7073024f7dc 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
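Review bot: `depends_on = [aws_ebs_volume.appshare]` in `appshare_att` is redundant, because `volume_id = aws_ebs_volume.appshare.id` already creates the dependency; the same applies to the `diag_att` block it mirrors, so keeping it is a style choice for consistency rather than a functional need. The new volume also hard-codes `availability_zone = "eu-west-2a"`, which only matches the instance's `data.aws_subnet.data_subnets_a` subnet by convention; a comment such as `# must stay in the same AZ as aws_instance.ec2_oracle_ebs (data_subnets_a)` would document that coupling, which the neighbouring volume blocks leave implicit too.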
@@ -266,12 +266,13 @@ resource "aws_ebs_volume" "appshare" {
 lifecycle {
 ignore_changes = [kms_key_id]
 }
- availability_zone = "eu-west-2a"
- size = local.application_data.accounts[local.environment].ebs_size_ebsdb_appshare
- type = "io2"
- iops = 3000
- encrypted = true
- kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsdb_appshare
+ type = "io2"
+ iops = 3000
+ multi_attach_enabled = true
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
 tags = merge(local.tags,
 { Name = "appshare" }
 )
From 858f3f3148d9b4754ee24b161fd87472c87b6bd5 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Mon, 30 Oct 2023 10:49:24 +0000
Subject: [PATCH 32/46] CC-2147: Added Conc Tier Instance and SG
---
 .../application_variables.json | 12 +-
 .../ec2-oracle_ebs_conc-sg.tf | 365 ++++++++++++++++++
 .../ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf | 220 +++++++++++
 .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 62 ++-
 4 files changed, 638 insertions(+), 21 deletions(-)
 create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc-sg.tf
 create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json
index 69345b850cd..5e4261923d3 100644
--- a/terraform/environments/ccms-ebs-upgrade/application_variables.json
+++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json
@@ -9,6 +9,9 @@
 "ec2_oracle_instance_type_ebsdb": "m5d.4xlarge",
 "ec2_oracle_instance_cores_ebsdb": "8",
 "ec2_oracle_instance_threads_ebsdb": "2",
+ "ec2_oracle_instance_type_ebsconc": "m5d.4xlarge",
+ "ec2_oracle_instance_cores_ebsconc": "8",
+ "ec2_oracle_instance_threads_ebsconc": "2",
 "ec2_oracle_instance_type_ebsapps": "m5d.2xlarge",
 "ec2_oracle_instance_cores_ebsapps": "4",
 "ec2_oracle_instance_threads_ebsapps": "2",
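Review bot: `multi_attach_enabled = true` lets this io2 volume be attached to several instances at once, but EBS Multi-Attach provides no write coordination — if more than one instance mounts it with an ordinary single-host filesystem (xfs/ext4) the data will be corrupted, so the consumers need a cluster-aware filesystem or a strict single-mounter rule. The hunk adds the flag without saying who the second attacher is (presumably the conc tier instance introduced in a later patch) or how mounting is coordinated; a comment above the line, `# multi-attach: shared with another instance — mount only through a cluster-aware filesystem`, plus a note that every attacher must be Nitro-based and sit in the same AZ as the volume (`eu-west-2a`), would capture the constraints. The enclosing `aws_ebs_volume "appshare"` block starts before this hunk.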
@@ -24,6 +27,7 @@
 "ec2_instance_type_clamav": "c5d.large",
 "clamav_ami_id": "ami-0965b5afb3ac7174e",
 "ebsdb_ami_id": "ami-0d4b266f7ae87bbfc",
+ "ebsconc_ami_id": "ami-0d4b266f7ae87bbfc",
 "ebsapps_ami_id-1": "ami-0d4b266f7ae87bbfc",
 "ebsapps_ami_id-2": "ami-0d4b266f7ae87bbfc",
 "accessgate_ami_id-1": "ami-0695726199c3e30e5",
@@ -79,7 +83,13 @@
 "ebs_default_iops_test": 9000,
 "dbf_device": "nvme5n1",
 "dbf_path": "/CCMS/EBS/dbf",
- "ebs_type_ebsdb_backup": "gp3"
+ "ebs_type_ebsdb_backup": "gp3",
+ "ebs_size_ebsconc_exhome": 100,
+ "ebs_size_ebsconc_u01": 200,
+ "ebs_size_ebsconc_u03": 200,
+ "ebs_size_ebsconc_home": 100,
+ "ebs_size_ebsconc_stage": 100,
+ "ebs_size_ebsconc_temp": 100
 }
 },
 "webgate_ebs": {
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc-sg.tf
new file mode 100644
index 00000000000..e795b63fe44
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc-sg.tf
@@ -0,0 +1,365 @@
+# Security Group for EBSconc
+
+resource "aws_security_group" "ec2_sg_ebsconc" {
+ name = "ec2_sg_ebsconc"
+ description = "SG traffic control for EBSCONC"
+ vpc_id = data.aws_vpc.shared.id
+ tags = merge(local.tags,
+ { Name = lower(format("sg-%s-%s-ebsconc", local.application_name, local.environment)) }
+ )
+}
+
+# INGRESS Rules
+
+### HTTP
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_80" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "HTTP"
+ protocol = "TCP"
+ from_port = 80
+ to_port = 80
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### HTTPS
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_443" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "HTTPS"
+ protocol = "TCP"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### SSH
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_22" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "SSH"
+ protocol = "TCP"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### Oracle LDAP
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_1389" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle LDAP"
+ protocol = "TCP"
+ from_port = 1389
+ to_port = 1389
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### Oracle Listerner Port
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_152x" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle Net Listener"
+ protocol = "TCP"
+ from_port = 1521
+ to_port = 1522
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b,
+ local.application_data.accounts[local.environment].cloud_platform_subnet]
+}
+
+### Oracle
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_5101" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 5101
+ to_port = 5101
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### Oracle
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_5401" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 5401
+ to_port = 5401
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### Oracle
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_5575" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 5575
+ to_port = 5575
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### Oracle LDAP SSL
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_1636" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle LDAP SSL"
+ protocol = "TCP"
+ from_port = 1636
+ to_port = 1636
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### Oracle
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_10401" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 10401
+ to_port = 10401
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### Oracle HTTP
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_800x" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle HTTP"
+ protocol = "TCP"
+ from_port = 8000
+ to_port = 8005
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+### Oracle HTTPS
+
+resource "aws_security_group_rule" "ingress_traffic_ebsconc_4443" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "ingress"
+ description = "Oracle HTTPS"
+ protocol = "TCP"
+ from_port = 4443
+ to_port = 4444
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod,
+ local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
+}
+
+
+# EGRESS Rules
+
+### HTTP
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_80" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle HTTPs"
+ protocol = "TCP"
+ from_port = 80
+ to_port = 80
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### HTTPS
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_443" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "HTTPS"
+ protocol = "TCP"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### FTP
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_2x" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "FTP"
+ protocol = "TCP"
+ from_port = 20
+ to_port = 21
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### SSH
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_22" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "SSH"
+ protocol = "TCP"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### ORACLE LDAP
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_1389" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "ORACLE LDAP"
+ protocol = "TCP"
+ from_port = 1389
+ to_port = 1389
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### ORACLE Net Listener
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_152x" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "ORACLE Net Listener"
+ protocol = "TCP"
+ from_port = 1521
+ to_port = 1522
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### Oracle
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_5101" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 5101
+ to_port = 5101
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### Oracle
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_5401" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 5401
+ to_port = 5401
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### Oracle
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_5575" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 5575
+ to_port = 5575
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### Oracle LDAP SSL
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_1636" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle LDAP SSL"
+ protocol = "TCP"
+ from_port = 1636
+ to_port = 1636
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### Oracle
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_10401" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 10401
+ to_port = 10401
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### Lloyds FTP
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_50000" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle"
+ protocol = "TCP"
+ from_port = 50000
+ to_port = 51000
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### Oracle HTTP
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_800x" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle HTTP"
+ protocol = "TCP"
+ from_port = 8000
+ to_port = 8005
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+### Oracle HTTPS
+
+resource "aws_security_group_rule" "egress_traffic_ebsconc_4443" {
+ security_group_id = aws_security_group.ec2_sg_ebsconc.id
+ type = "egress"
+ description = "Oracle HTTPS"
+ protocol = "TCP"
+ from_port = 4443
+ to_port = 4444
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
new file mode 100644
index 00000000000..d9c2e15e175
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
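Review bot: Every egress rule on `ec2_sg_ebsconc` uses `cidr_blocks = ["0.0.0.0/0"]`, including SSH, FTP (`egress_traffic_ebsconc_2x`), LDAP and the Oracle listener range, while the ingress side is limited to the VPC and landing-zone CIDRs; unless the conc tier really initiates those protocols towards arbitrary hosts, the egress destinations should be narrowed to the same peer CIDRs (and to the partner endpoint for the 50000–51000 range). Several descriptions will mislead anyone auditing the group: `egress_traffic_ebsconc_80` carries `description = "Oracle HTTPs"` and `egress_traffic_ebsconc_50000` carries `description = "Oracle"` under a `### Lloyds FTP` heading, so `description = "HTTP"` and `description = "Lloyds FTP"` respectively. The heading `### Oracle Listerner Port` has a typo ("Listener").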
@@ -0,0 +1,220 @@
+resource "aws_instance" "ec2_oracle_conc" {
+ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
+ ami = local.application_data.accounts[local.environment].ebsconc_ami_id
+ key_name = local.application_data.accounts[local.environment].key_name
+ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsconc.id]
+ subnet_id = data.aws_subnet.data_subnets_a.id
+ monitoring = true
+ ebs_optimized = false
+ associate_public_ip_address = false
+ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
+
+ cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsconc
+ cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsconc
+
+ # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
+ #lifecycle {
+ # ignore_changes = [ebs_block_device]
+ #}
+ lifecycle {
+ ignore_changes = [
+ cpu_core_count,
+ ebs_block_device,
+ ebs_optimized,
+ user_data,
+ user_data_replace_on_change
+ ]
+ }
+ user_data_replace_on_change = false
+ user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
+ environment = "${local.environment}"
+ hostname = "ebs"
+ }))
+
+ metadata_options {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
+
+ tags = merge(local.tags,
+ { Name = lower(format("ec2-%s-%s-ebsconc", local.application_name, local.environment)) },
+ { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling },
+ { backup = "true" },
+ { OracleDbLTS-ManagedInstance = "true" }
+ )
+ depends_on = [aws_security_group.ec2_sg_ebsconc]
+}
+
+resource "aws_ebs_volume" "conc_export_home" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsconc_exhome
+ type = "io2"
+ iops = 3000
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "conc export/home" }
+ )
+}
+
+resource "aws_volume_attachment" "conc_export_home_att" {
+ device_name = "/dev/sdh"
+ volume_id = aws_ebs_volume.conc_export_home.id
+ instance_id = aws_instance.ec2_oracle_conc.id
+}
+
+resource "aws_ebs_volume" "conc_u01" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsconc_u01
+ type = "io2"
+ iops = 3000
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "conc u01" }
+ )
+}
+
+resource "aws_volume_attachment" "conc_u01_att" {
+ device_name = "/dev/sdi"
+ volume_id = aws_ebs_volume.conc_u01.id
+ instance_id = aws_instance.ec2_oracle_conc.id
+}
+
+resource "aws_ebs_volume" "conc_u03" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsconc_u03
+ type = "io2"
+ iops = 3000
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "conc u03" }
+ )
+}
+
+resource "aws_volume_attachment" "conc_u03_att" {
+ device_name = "/dev/sdj"
+ volume_id = aws_ebs_volume.conc_u01.id
+ instance_id = aws_instance.ec2_oracle_conc.id
+}
+
+resource "aws_ebs_volume" "conc_home" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsconc_home
+ type = "io2"
+ iops = local.application_data.accounts[local.environment].ebs_default_iops
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "conc home" }
+ )
+}
+
+resource "aws_volume_attachment" "conc_home_att" {
+ device_name = "/dev/sdk"
+ volume_id = aws_ebs_volume.conc_home.id
+ instance_id = aws_instance.ec2_oracle_conc.id
+}
+
+resource "aws_ebs_volume" "conc_stage" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsconc_stage
+ type = "io2"
+ iops = local.application_data.accounts[local.environment].ebs_default_iops
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "conc stage" }
+ )
+}
+
+resource "aws_volume_attachment" "conc_stage_att" {
+ device_name = "/dev/sdl"
+ volume_id = aws_ebs_volume.conc_stage.id
+ instance_id = aws_instance.ec2_oracle_conc.id
+}
+
+resource "aws_ebs_volume" "conc_temp" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsconc_temp
+ type = "io2"
+ iops = local.application_data.accounts[local.environment].ebs_default_iops
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "conc temp" }
+ )
+}
+
+resource "aws_volume_attachment" "conc_temp_att" {
+ device_name = "/dev/sdm"
+ volume_id = aws_ebs_volume.conc_temp.id
+ instance_id = aws_instance.ec2_oracle_conc.id
+}
+
+
+# AppShare created for EBSDB and attached also on Conc instance
+
+resource "aws_volume_attachment" "appshare_conc_att" {
+ depends_on = [
+ aws_ebs_volume.appshare
+ ]
+ device_name = "/dev/sdq"
+ volume_id = aws_ebs_volume.appshare.id
+ instance_id = aws_instance.ec2_oracle_conc.id
+}
+
+module "cw-ebs-ec2" {
+ source = "./modules/cw-ec2"
+
+ short_env = local.application_data.accounts[local.environment].short_env
+ name = "ec2-ebs"
+ topic = aws_sns_topic.cw_alerts.arn
+ instanceId = aws_instance.ec2_oracle_ebs.id
+ imageId = local.application_data.accounts[local.environment].ebsconc_ami_id
+ instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
+ fileSystem = "xfs" # Linux root filesystem
+ rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images
+
+ cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods
+ cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods
+ cpu_period = local.application_data.cloudwatch_ec2.cpu.period
+ cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold
+
+ mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods
+ mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods
+ mem_period = local.application_data.cloudwatch_ec2.mem.period
+ mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold
+
+ disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods
+ disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods
+ disk_period = local.application_data.cloudwatch_ec2.disk.period
+ disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold
+
+ insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods
+ insthc_period = local.application_data.cloudwatch_ec2.insthc.period
+ insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold
+
+ syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods
+ syshc_period = local.application_data.cloudwatch_ec2.syshc.period
+ syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
index 7073024f7dc..98917d7087d 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
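Review bot: `module "cw-ebs-ec2"` at the end of this file points `instanceId = aws_instance.ec2_oracle_ebs.id` at the DB instance while `imageId` and `instanceType` read the ebsconc values, so the CloudWatch alarms created here watch the wrong host; it should be `instanceId = aws_instance.ec2_oracle_conc.id`, and `name = "ec2-ebs"` presumably needs a conc-specific value such as `name = "ec2-conc"` so it does not collide with the DB instance's module. The later commit on this page renames only the module label and leaves both lines as they are. The user_data call also passes `hostname = "ebs"`; if the template uses that value to set the machine name, the conc host will be misnamed, which is worth confirming.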
@@ -36,26 +36,6 @@ resource "aws_instance" "ec2_oracle_ebs" { http_endpoint = "enabled" http_tokens = "required" } - /* - # Increase the volume size of the root volume - root_block_device { - volume_type = "gp3" - volume_size = 50 - encrypted = true - tags = merge(local.tags, - { Name = "root-block" } - ) - } - ebs_block_device { - device_name = "/dev/sdc" - volume_type = "gp3" - volume_size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp - encrypted = true - tags = merge(local.tags, - { Name = "temp" } - ) - } - */ tags = merge(local.tags, { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) }, 
@@ -286,6 +266,48 @@ resource "aws_volume_attachment" "appshare_att" {
 volume_id = aws_ebs_volume.appshare.id
 instance_id = aws_instance.ec2_oracle_ebs.id
 }
+
+resource "aws_ebs_volume" "db_home" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsdb_home
+ type = "io2"
+ iops = local.application_data.accounts[local.environment].ebs_default_iops
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "db home" }
+ )
+}
+
+resource "aws_volume_attachment" "db_home_att" {
+ device_name = "/dev/sdr"
+ volume_id = aws_ebs_volume.db_home.id
+ instance_id = aws_instance.ec2_oracle_ebs.id
+}
+
+resource "aws_ebs_volume" "db_temp" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp
+ type = "io2"
+ iops = local.application_data.accounts[local.environment].ebs_default_iops
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "db temp" }
+ )
+}
+
+resource "aws_volume_attachment" "db_temp_att" {
+ device_name = "/dev/sds"
+ volume_id = aws_ebs_volume.db_temp.id
+ instance_id = aws_instance.ec2_oracle_ebs.id
+}
 /*
 #### This mount was required for golive incident
 #### Just commenting out, rather than remove - just in case
From a46c107ce143827b7a9fc18d4d531e4e3aa1709d Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Mon, 30 Oct 2023 11:32:46 +0000
Subject: [PATCH 33/46] CC-2147: Added Conc Tier Instance and SG
---
 .../environments/ccms-ebs-upgrade/application_variables.json | 2 ++
 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
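Review bot: `db_home` and `db_temp` hard-code `availability_zone = "eu-west-2a"` while the instance they attach to takes its zone from its subnet; if `ec2_oracle_ebs` is ever placed in a different data subnet the attachment fails at apply time with no plan-time warning. `availability_zone = aws_instance.ec2_oracle_ebs.availability_zone` keeps the volume and the instance in step, and the same applies to the six conc volumes and to the dbf01–dbf03 volumes in the ccms-ebs environment further down this page. This follows the pattern already used in the file, so it is a consistency point rather than a regression introduced here.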
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json
index 5e4261923d3..1415462e83a 100644
--- a/terraform/environments/ccms-ebs-upgrade/application_variables.json
+++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json
@@ -69,6 +69,8 @@
 "ebsapps_u03_size": 200,
 "ebsapps_stage_size": 100,
 "tg_apps_port": 8000,
+ "ebs_size_ebsdb_home": 100,
+ "ebs_size_ebsdb_temp": 100,
 "ebs_size_ebsdb_exhome": 100,
 "ebs_size_ebsdb_u01": 300,
 "ebs_size_ebsdb_arch": 500,
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
index d9c2e15e175..fb36e8e7c39 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
@@ -183,7 +183,7 @@ resource "aws_volume_attachment" "appshare_conc_att" {
 instance_id = aws_instance.ec2_oracle_conc.id
 }
 
-module "cw-ebs-ec2" {
+module "cw-conc-ec2" {
 source = "./modules/cw-ec2"
 
 short_env = local.application_data.accounts[local.environment].short_env
From 817927ae4871ff7e0cf609ddf6050ed4b0be34e7 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Mon, 30 Oct 2023 11:37:38 +0000
Subject: [PATCH 34/46] CC-2147: Added Conc Tier Instance and SG
---
 .../ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf | 6 +++---
 terraform/environments/ccms-ebs-upgrade/r53.tf | 11 +++++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
index fb36e8e7c39..7f478cb51eb 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
@@ -115,7 +115,7 @@ resource "aws_ebs_volume" "conc_home" {
 availability_zone = "eu-west-2a"
 size = local.application_data.accounts[local.environment].ebs_size_ebsconc_home
 type = "io2"
- iops = local.application_data.accounts[local.environment].ebs_default_iops
+ iops = 3000
 encrypted = true
 kms_key_id = data.aws_kms_key.ebs_shared.key_id
 tags = merge(local.tags,
@@ -136,7 +136,7 @@ resource "aws_ebs_volume" "conc_stage" {
 availability_zone = "eu-west-2a"
 size = local.application_data.accounts[local.environment].ebs_size_ebsconc_stage
 type = "io2"
- iops = local.application_data.accounts[local.environment].ebs_default_iops
+ iops = 3000
 encrypted = true
 kms_key_id = data.aws_kms_key.ebs_shared.key_id
 tags = merge(local.tags,
@@ -157,7 +157,7 @@ resource "aws_ebs_volume" "conc_temp" {
 availability_zone = "eu-west-2a"
 size = local.application_data.accounts[local.environment].ebs_size_ebsconc_temp
 type = "io2"
- iops = local.application_data.accounts[local.environment].ebs_default_iops
+ iops = 3000
 encrypted = true
 kms_key_id = data.aws_kms_key.ebs_shared.key_id
 tags = merge(local.tags,
diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf
index a2aad489114..99206516d72 100644
--- a/terraform/environments/ccms-ebs-upgrade/r53.tf
+++ b/terraform/environments/ccms-ebs-upgrade/r53.tf
@@ -7,3 +7,14 @@ resource "aws_route53_record" "ebsdb" {
 ttl = 300
 records = [aws_instance.ec2_oracle_ebs.private_ip]
 }
+
+
+## EBS Conc
+resource "aws_route53_record" "ebsconc" {
+ provider = aws.core-vpc
+ zone_id = data.aws_route53_zone.external.zone_id
+ name = "ccms-ebs-conc-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+ type = "A"
+ ttl = 300
+ records = [aws_instance.ec2_oracle_ebs.private_ip]
+}
From a51b5805f855c1d39fc4a53b2411409a537590f5 Mon Sep 17 00:00:00 2001
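Review bot: Replacing `iops = local.application_data.accounts[local.environment].ebs_default_iops` with a literal `iops = 3000` in `conc_home`, `conc_stage` and `conc_temp` removes the only per-environment knob these volumes had; the three sibling conc volumes already hard-code 3000, so this is consistent, but the figure now lives in six places in one file. A single `ebs_conc_iops` entry in application_variables.json next to the `ebs_size_ebsconc_*` keys would keep it adjustable per environment without editing the .tf files. The same hard-coding is applied to `db_home` and `db_temp` in the following commit.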
From: SahidKhan89
Date: Mon, 30 Oct 2023 11:53:59 +0000
Subject: [PATCH 35/46] CC-2147: Added Conc Tier Instance and SG
---
 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 4 ++--
 terraform/environments/ccms-ebs-upgrade/r53.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
index 98917d7087d..877295fcab4 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
@@ -274,7 +274,7 @@ resource "aws_ebs_volume" "db_home" {
 availability_zone = "eu-west-2a"
 size = local.application_data.accounts[local.environment].ebs_size_ebsdb_home
 type = "io2"
- iops = local.application_data.accounts[local.environment].ebs_default_iops
+ iops = 3000
 encrypted = true
 kms_key_id = data.aws_kms_key.ebs_shared.key_id
 tags = merge(local.tags,
@@ -295,7 +295,7 @@ resource "aws_ebs_volume" "db_temp" {
 availability_zone = "eu-west-2a"
 size = local.application_data.accounts[local.environment].ebs_size_ebsdb_temp
 type = "io2"
- iops = local.application_data.accounts[local.environment].ebs_default_iops
+ iops = 3000
 encrypted = true
 kms_key_id = data.aws_kms_key.ebs_shared.key_id
 tags = merge(local.tags,
diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf
index 99206516d72..e14f8c19f30 100644
--- a/terraform/environments/ccms-ebs-upgrade/r53.tf
+++ b/terraform/environments/ccms-ebs-upgrade/r53.tf
@@ -16,5 +16,5 @@ resource "aws_route53_record" "ebsconc" {
 name = "ccms-ebs-conc-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
 type = "A"
 ttl = 300
- records = [aws_instance.ec2_oracle_ebs.private_ip]
+ records = [aws_instance.ec2_oracle_conc.private_ip]
 }
From 03485277dcb593891cb392dc64f95bf4762c341a Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Mon, 30 Oct 2023 13:39:46 +0000
Subject: [PATCH 36/46] CC-2147: Added Conc Tier Instance and SG
---
 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
index 7f478cb51eb..9f6a01ef5d2 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf
@@ -104,7 +104,7 @@ resource "aws_ebs_volume" "conc_u03" {
 
 resource "aws_volume_attachment" "conc_u03_att" {
 device_name = "/dev/sdj"
- volume_id = aws_ebs_volume.conc_u01.id
+ volume_id = aws_ebs_volume.conc_u03.id
 instance_id = aws_instance.ec2_oracle_conc.id
 }
 
From 81d21b631606fee7b1cb0f9c4f816c922c67b28f Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Tue, 31 Oct 2023 10:07:58 +0000
Subject: [PATCH 37/46] CC-2147: Added EFS
---
 .../environments/ccms-ebs-upgrade/efs.tf | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 terraform/environments/ccms-ebs-upgrade/efs.tf
diff --git a/terraform/environments/ccms-ebs-upgrade/efs.tf b/terraform/environments/ccms-ebs-upgrade/efs.tf
new file mode 100644
index 00000000000..ba0738e4099
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/efs.tf
@@ -0,0 +1,23 @@
+resource "aws_efs_file_system" "appshare" {
+ encrypted = true
+ throughput_mode = "bursting"
+ performance_mode = "maxIO"
+ tags = merge(local.tags,
+ { Name = "appshare" }
+ )
+}
+
+resource "aws_efs_mount_target" "mount_a" {
+ file_system_id = aws_efs_file_system.appshare.id
+ subnet_id = data.aws_subnet.data_subnets_a.id
+}
+
+resource "aws_efs_mount_target" "mount_b" {
+ file_system_id = aws_efs_file_system.appshare.id
+ subnet_id = data.aws_subnet.data_subnets_b.id
+}
+
+resource "aws_efs_mount_target" "mount_c" {
+ file_system_id = aws_efs_file_system.appshare.id
+ subnet_id = data.aws_subnet.data_subnets_c.id
+}
\ No newline at end of file
From 212b9f4b013cce2c9096bf69534f6c9b2fe86365 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Tue, 31 Oct 2023 10:52:17 +0000
Subject: [PATCH 38/46] CC-2147: Added EFS
---
 .../environments/ccms-ebs-upgrade/efs.tf | 42 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/efs.tf b/terraform/environments/ccms-ebs-upgrade/efs.tf
index ba0738e4099..d817eb828fe 100644
--- a/terraform/environments/ccms-ebs-upgrade/efs.tf
+++ b/terraform/environments/ccms-ebs-upgrade/efs.tf
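Review bot: `aws_efs_file_system.appshare` sets `encrypted = true` but no `kms_key_id`, so it is encrypted with the AWS-managed EFS key, whereas every EBS volume in this environment is keyed to `data.aws_kms_key.ebs_shared`; if that key exists for policy or audit reasons, pass `kms_key_id = data.aws_kms_key.ebs_shared.arn` (or a dedicated EFS key), provided its key policy allows the EFS service principal. A file system intended to hold shared application data would also benefit from `lifecycle { prevent_destroy = true }`, because a later attribute change that forces replacement would discard its contents without any further prompt.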
@@ -10,14 +10,54 @@ resource "aws_efs_file_system" "appshare" {
 resource "aws_efs_mount_target" "mount_a" {
 file_system_id = aws_efs_file_system.appshare.id
 subnet_id = data.aws_subnet.data_subnets_a.id
+ security_groups = [
+ aws_security_group.efs-security-group.id
+ ]
 }
 
 resource "aws_efs_mount_target" "mount_b" {
 file_system_id = aws_efs_file_system.appshare.id
 subnet_id = data.aws_subnet.data_subnets_b.id
+ security_groups = [
+ aws_security_group.efs-security-group.id
+ ]
 }
 
 resource "aws_efs_mount_target" "mount_c" {
 file_system_id = aws_efs_file_system.appshare.id
 subnet_id = data.aws_subnet.data_subnets_c.id
-}
\ No newline at end of file
+ security_groups = [
+ aws_security_group.efs-security-group.id
+ ]
+}
+
+resource "aws_security_group" "efs-security-group" {
+ name_prefix = "efs-security-group"
+ description = "allow inbound access from ebsdb and ebsconc"
+ vpc_id = data.aws_vpc.shared.id
+
+ # Allow inbound access from container instances
+ ingress {
+ protocol = "tcp"
+ from_port = 2049
+ to_port = 2049
+ cidr_blocks = [
+ data.aws_subnet.data_subnets_a.cidr_block,
+ data.aws_subnet.data_subnets_b.cidr_block,
+ data.aws_subnet.data_subnets_c.cidr_block,
+ ]
+ }
+
+ egress {
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = [
+ "0.0.0.0/0",
+ ]
+ }
+
+ tags = merge(local.tags,
+ { Name = lower(format("sg-%s-%s-efs", local.application_name, local.environment)) }
+ )
+}
From 4a2c6f4c886bcf6c84c4bb14ab1c7fd98ab1dd5d Mon Sep 17 00:00:00 2001
From: Mitch Dawson
Date: Mon, 6 Nov 2023 16:08:37 +0000
Subject: [PATCH 39/46] :fire: Remove reference to get_schema version gpp
---
 terraform/environments/data-platform/lambda.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/data-platform/lambda.tf b/terraform/environments/data-platform/lambda.tf
index 45381f3f65f..597ff3034bc 100644
--- a/terraform/environments/data-platform/lambda.tf
+++ b/terraform/environments/data-platform/lambda.tf
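Review bot: The `ingress` block on `efs-security-group` admits NFS (2049) from the whole of the three data subnets via `cidr_blocks`, while the description says "allow inbound access from ebsdb and ebsconc"; referencing the instance security groups instead (`security_groups = [aws_security_group.ec2_sg_ebsconc.id, <ebsdb instance SG id>]`) enforces what the description promises and does not drift when subnet ranges change. The copied comment `# Allow inbound access from container instances` matches neither and should read `# Allow NFS from the ebsdb and ebsconc instances`. The all-protocol `egress` to `0.0.0.0/0` is unnecessary on a mount-target group, since mount targets do not initiate connections, and can be dropped. A group declared with `name_prefix` and referenced by the mount targets usually also wants `lifecycle { create_before_destroy = true }` so a later rename does not fail on the in-use group.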
@@ -414,7 +414,7 @@ module "delete_table_for_data_product_lambda" { create_role = true reserved_concurrent_executions = 1 - image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/data-platform-delete-table-for-data-product-lambda-ecr-repo:${local.get_schema_version}" + image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/data-platform-delete-table-for-data-product-lambda-ecr-repo:${local.delete_table_for_data_product_version}" timeout = 600 tracing_mode = "Active" memory_size = 128 From 07f53c00da0cf6af5f8657909e5f786ca8dda1ad Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Tue, 24 Oct 2023 12:33:45 +0100 Subject: [PATCH 40/46] CC-2154: New volumes for EBS DB. --- .../ccms-ebs/application_variables.json | 3 + .../ccms-ebs/ccms-ec2-oracle_ebs_db.tf | 75 +++++++++++++++++++ 2 files changed, 78 insertions(+) diff --git a/terraform/environments/ccms-ebs/application_variables.json b/terraform/environments/ccms-ebs/application_variables.json index 464ac8e17b7..591f86b8f14 100644 --- a/terraform/environments/ccms-ebs/application_variables.json +++ b/terraform/environments/ccms-ebs/application_variables.json @@ -69,6 +69,9 @@ "ebs_size_ebsdb_u01": 300, "ebs_size_ebsdb_arch": 500, "ebs_size_ebsdb_dbf": 11000, + "ebs_size_ebsdb_dbf01": 4000, + "ebs_size_ebsdb_dbf02": 4000, + "ebs_size_ebsdb_dbf03": 3000, "ebs_size_ebsdb_dbf_dr": 8000, "ebs_size_ebsdb_redoA": 100, "ebs_size_ebsdb_redoB": 50, diff --git a/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf index adab628967e..dcda298bc84 100644 --- a/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf +++ b/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf 
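Review bot: `image_uri` now reads the intended local, but it still selects the container image by a mutable tag (`:${local.delete_table_for_data_product_version}`), so what the function runs depends on what that tag points to at apply time, and a re-pushed tag changes the deployed code without producing a Terraform diff. If the local holds a plain version string, referencing the image by digest (`...-lambda-ecr-repo@sha256:<digest>`) or configuring the ECR repository for immutable tags closes that gap; what the local contains is not visible in this hunk. The `delete_table_for_data_product_lambda` module block begins above the hunk.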
@@ -260,6 +260,81 @@ resource "aws_volume_attachment" "diag_att" { volume_id = aws_ebs_volume.diag.id instance_id = aws_instance.ec2_oracle_ebs.id } + +resource "aws_ebs_volume" "dbf01" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf01 + type = "io2" + iops = 12000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf01" } + ) +} + +resource "aws_volume_attachment" "dbf01_att" { + depends_on = [ + aws_ebs_volume.dbf01 + ] + device_name = "/dev/sdq" + volume_id = aws_ebs_volume.dbf01.id + instance_id = aws_instance.ec2_oracle_ebs.id +} + + +resource "aws_ebs_volume" "dbf02" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf02 + type = "io2" + iops = 12000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf02" } + ) +} + +resource "aws_volume_attachment" "dbf02_att" { + depends_on = [ + aws_ebs_volume.dbf02 + ] + device_name = "/dev/sdr" + volume_id = aws_ebs_volume.dbf02.id + instance_id = aws_instance.ec2_oracle_ebs.id +} + + +resource "aws_ebs_volume" "dbf03" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf03 + type = "io2" + iops = 12000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf03" } + ) +} + +resource "aws_volume_attachment" "dbf03_att" { + depends_on = [ + aws_ebs_volume.dbf03 + ] + device_name = "/dev/sds" + volume_id = aws_ebs_volume.dbf03.id + instance_id = aws_instance.ec2_oracle_ebs.id +} + /* #### This mount was required for golive incident #### Just commenting out, rather than remove - just in case 
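Review bot: Each new `aws_ebs_volume` sets `kms_key_id = data.aws_kms_key.ebs_shared.key_id` while also declaring `lifecycle { ignore_changes = [kms_key_id] }`; the provider documents this attribute as the key ARN, and the state reads back an ARN, so the `ignore_changes` is most likely masking a perpetual diff rather than expressing intent. Using `kms_key_id = data.aws_kms_key.ebs_shared.arn` should let the lifecycle block be removed, though if the existing volumes outside this hunk (e.g. `diag`) follow the same pattern the change belongs in one commit for all of them. The three volume/attachment pairs differ only in name, size variable and device name; a `for_each` over a map of `{ dbf01 = { size = ..., device = "/dev/sdq" }, ... }` would remove the duplication and make the per-environment gating added later easier to review.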
From 6f83f59e2d8de6fcf9292739a66a860ff42ee9dd Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Tue, 24 Oct 2023 12:38:57 +0100 Subject: [PATCH 41/46] CC-2154: Added the ebs_size_ebsdb_dbf0x variable to all environments. --- .../environments/ccms-ebs/application_variables.json | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/terraform/environments/ccms-ebs/application_variables.json b/terraform/environments/ccms-ebs/application_variables.json index 591f86b8f14..c5b04b67b3b 100644 --- a/terraform/environments/ccms-ebs/application_variables.json +++ b/terraform/environments/ccms-ebs/application_variables.json @@ -150,6 +150,9 @@ "ebs_size_ebsdb_u01": 300, "ebs_size_ebsdb_arch": 500, "ebs_size_ebsdb_dbf": 11000, + "ebs_size_ebsdb_dbf01": 4000, + "ebs_size_ebsdb_dbf02": 4000, + "ebs_size_ebsdb_dbf03": 3000, "ebs_size_ebsdb_redoA": 100, "ebs_size_ebsdb_redoB": 50, "ebs_size_ebsdb_techst": 50, @@ -226,6 +229,9 @@ "ebs_size_ebsdb_u01": 300, "ebs_size_ebsdb_arch": 500, "ebs_size_ebsdb_dbf": 11000, + "ebs_size_ebsdb_dbf01": 4000, + "ebs_size_ebsdb_dbf02": 4000, + "ebs_size_ebsdb_dbf03": 3000, "ebs_size_ebsdb_redoA": 100, "ebs_size_ebsdb_redoB": 50, "ebs_size_ebsdb_techst": 50, @@ -302,6 +308,9 @@ "ebs_size_ebsdb_u01": 300, "ebs_size_ebsdb_arch": 500, "ebs_size_ebsdb_dbf": 11000, + "ebs_size_ebsdb_dbf01": 4000, + "ebs_size_ebsdb_dbf02": 4000, + "ebs_size_ebsdb_dbf03": 3000, "ebs_size_ebsdb_redoA": 100, "ebs_size_ebsdb_redoB": 50, "ebs_size_ebsdb_techst": 50, From 85491eb2950d40914d6e87b74a4bce763bef6e57 Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Tue, 24 Oct 2023 12:44:19 +0100 Subject: [PATCH 42/46] CC-2154: Added the 'is-development' condition. --- .../environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) 
diff --git a/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf index dcda298bc84..de4380f191c 100644 --- a/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf +++ b/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf @@ -262,6 +262,7 @@ resource "aws_volume_attachment" "diag_att" { } resource "aws_ebs_volume" "dbf01" { + count = local.is-development ? 1 : 0 lifecycle { ignore_changes = [kms_key_id] } @@ -277,16 +278,18 @@ resource "aws_ebs_volume" "dbf01" { } resource "aws_volume_attachment" "dbf01_att" { + count = local.is-development ? 1 : 0 depends_on = [ aws_ebs_volume.dbf01 ] device_name = "/dev/sdq" - volume_id = aws_ebs_volume.dbf01.id + volume_id = aws_ebs_volume.dbf01[0].id instance_id = aws_instance.ec2_oracle_ebs.id } resource "aws_ebs_volume" "dbf02" { + count = local.is-development ? 1 : 0 lifecycle { ignore_changes = [kms_key_id] } @@ -302,16 +305,18 @@ resource "aws_ebs_volume" "dbf02" { } resource "aws_volume_attachment" "dbf02_att" { + count = local.is-development ? 1 : 0 depends_on = [ aws_ebs_volume.dbf02 ] device_name = "/dev/sdr" - volume_id = aws_ebs_volume.dbf02.id + volume_id = aws_ebs_volume.dbf02[0].id instance_id = aws_instance.ec2_oracle_ebs.id } resource "aws_ebs_volume" "dbf03" { + count = local.is-development ? 1 : 0 lifecycle { ignore_changes = [kms_key_id] } @@ -327,11 +332,12 @@ resource "aws_ebs_volume" "dbf03" { } resource "aws_volume_attachment" "dbf03_att" { + count = local.is-development ? 1 : 0 depends_on = [ aws_ebs_volume.dbf03 ] device_name = "/dev/sds" - volume_id = aws_ebs_volume.dbf03.id + volume_id = aws_ebs_volume.dbf03[0].id instance_id = aws_instance.ec2_oracle_ebs.id } From fc873c897fb399cb3ed009d36c8e10269fc6621b Mon Sep 17 00:00:00 2001 
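Review bot: The `depends_on = [aws_ebs_volume.dbf01]` (and the dbf02/dbf03 equivalents) in each `aws_volume_attachment` is redundant now that `volume_id = aws_ebs_volume.dbf01[0].id` already creates the implicit dependency; removing the three `depends_on` blocks simplifies the hunks without changing the graph. The new `count = local.is-development ? 1 : 0` gate is not explained anywhere, while the preceding commit adds `ebs_size_ebsdb_dbf0x` to every environment's `application_variables.json`, which will read as a contradiction to the next maintainer. A one-line comment above each gate, e.g. `# CC-2154: extra dbf volumes are development-only for now; sizes are declared for all environments ahead of rollout`, would record the intent.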
From: Mateusz Kolakowski Date: Tue, 7 Nov 2023 07:12:47 +0000 Subject: [PATCH 43/46] ncas: recreate dev env, migrate prod DB (#3897) --- terraform/environments/ncas/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ncas/README.md b/terraform/environments/ncas/README.md index 99a1f2792b5..2ac926509e1 100644 --- a/terraform/environments/ncas/README.md +++ b/terraform/environments/ncas/README.md @@ -9,7 +9,7 @@ _If you have any questions surrounding this page please post in the `#team-name` ### **Last review date:** -15/08/23 +06/11/23 ### **Description:** From 2b89bc51eaae366593227d91135c7f9dd8aa310c Mon Sep 17 00:00:00 2001 From: Andrew Moore Date: Tue, 7 Nov 2023 10:08:47 +0000 Subject: [PATCH 44/46] Fix KMS permissions for datasync role --- .../ldap_datasync.tf | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf index 39bd16ef13b..1eaf4a90767 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf 
@@ -56,19 +56,24 @@ data "aws_iam_policy_document" "ldap_datasync_role_access" { "ec2:CreateNetworkInterface", "ec2:AttachNetworkInterface", "ec2:DescribeNetworkInterfaces", - "ec2:DeleteNetworkInterface", + "ec2:DeleteNetworkInterface" + ] + resources = ["*"] + } + statement { + effect = "Allow" + actions = [ + "kms:ListGrants", + "kms:GenerateDataKey", "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", "kms:DescribeKey", - "kms:GetPublicKey", - "kms:ReEncrypt*", - "kms:GenerateDataKey", + "kms:Decrypt", "kms:CreateGrant", - "kms:ListGrants", - "kms:RevokeGrant" + "kms:ReEncryptTo", + "kms:ReEncryptFrom", + "kms:GenerateDataKeyWithoutPlaintext" ] - resources = ["*"] + resources = [var.account_config.general_shared_kms_key_arn] } statement { sid = "allowAccessForDataSync" From b36db574b6bcc3b6305db80a03dc6bbc71ec66d6 Mon Sep 17 00:00:00 2001 From: Robert Sweetman Date: Tue, 7 Nov 2023 11:36:56 +0000 Subject: [PATCH 45/46] add prod entries to preprod lb rules (#3903) --- .../corporate-staff-rostering/locals_preproduction.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf index d9d1344e5bc..b557754cf9b 100644 --- a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf +++ b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf @@ -1088,6 +1088,7 @@ locals { host_header = { values = [ "traina.pp.csr.service.justice.gov.uk", + "traina.csr.service.justice.gov.uk", ] } }] @@ -1145,6 +1146,7 @@ locals { host_header = { values = [ "trainb.pp.csr.service.justice.gov.uk", + "trainb.csr.service.justice.gov.uk", ] } }] @@ -1218,6 +1220,7 @@ locals { host_header = { values = [ "traina.pp.csr.service.justice.gov.uk", + "traina.csr.service.justice.gov.uk", ] } }] 
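Review bot: Scoping the KMS statement to `var.account_config.general_shared_kms_key_arn` is an improvement, but `kms:CreateGrant` is still granted unconditionally, so the role can create arbitrary grants on the shared key rather than only the ones AWS services create on its behalf. The usual least-privilege shape is to move `kms:CreateGrant` into its own statement with a `kms:GrantIsForAWSResource` condition; it must be a separate statement, because a `Bool` condition on that key would cause the Encrypt/Decrypt/GenerateDataKey actions (whose requests lack the key) to stop matching. The enclosing `data "aws_iam_policy_document" "ldap_datasync_role_access"` starts outside this hunk, so the final statement layout should be checked against the rest of the document.
```hcl
  statement {
    effect = "Allow"
    actions = [
      # … unchanged: kms:ListGrants, GenerateDataKey*, Encrypt, Decrypt, DescribeKey, ReEncryptTo/From — minus kms:CreateGrant …
    ]
    resources = [var.account_config.general_shared_kms_key_arn]
  }
  statement {
    effect    = "Allow"
    actions   = ["kms:CreateGrant"]
    resources = [var.account_config.general_shared_kms_key_arn]
    # Only allow grants created on behalf of an AWS service; the condition key
    # is absent on direct CreateGrant calls, so those are not matched.
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
```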
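Review bot: The four `locals_preproduction.tf` hunks (at -1088, -1145, -1218 and -1292) each add a production hostname such as `"traina.csr.service.justice.gov.uk"` to a preproduction listener rule, and nothing in the file records why a preprod rule should match production names; the PR title suggests a cutover or DNS migration, but a reader of the file cannot tell, nor whether the entries are temporary. A comment on each added line, e.g. `"traina.csr.service.justice.gov.uk", # #3903: production hostname matched here for <reason>; remove after cutover`, would make the intent and lifetime explicit. Host-header matching happens after TLS termination, so this only has effect if the preprod listener certificate also covers the bare `csr.service.justice.gov.uk` names — that is not visible in these hunks and is worth confirming.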
@@ -1292,6 +1295,7 @@ locals { host_header = { values = [ "trainb.pp.csr.service.justice.gov.uk", + "trainb.csr.service.justice.gov.uk", ] } }] From ca878e6d5b59282a335df756a650ae839f399504 Mon Sep 17 00:00:00 2001 From: Ijaz Sultan Date: Tue, 7 Nov 2023 12:04:57 +0000 Subject: [PATCH 46/46] ami build command ssm updated --- .../ssm-documents/ami-build-command.yaml | 34 +++++++++++-------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml b/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml index dfe464f3d59..4cacf20ef9d 100644 --- a/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml +++ b/terraform/environments/corporate-staff-rostering/ssm-documents/ami-build-command.yaml @@ -2,6 +2,26 @@ schemaVersion: "2.2" description: "Powershell doc for MGN-replicated Azure VMs." mainSteps: + + - name: NewHostName + action: aws:runPowerShellScript + onFailure: Abort + inputs: + runCommand: + - | + $currentHostName = hostname + if ($currentHostName -like '*t*') { + Write-Output $currentHostName + $newHostName = $currentHostName -replace 't', '' + Rename-Computer -NewName $newHostname -Force + exit 3010 + Write-Host "INFO: Hostname has been succesfully changed to $newHostname" + $currentHostName = $newHostname + } else { + Write-Host "Hostname looks good, continue" + } + hostname + - name: activeDirectoryModulePresent action: aws:runPowerShellScript inputs: 
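Review bot: In the relocated `NewHostName` step, `$newHostName = $currentHostName -replace 't', ''` strips every `t` (and, since `-replace` is case-insensitive, every `T`) anywhere in the name, not just the marker the `-like '*t*'` guard is presumably looking for; a constructed name like `TEST-WEB-T01` would become `ES-WEB-01`. If the marker is a trailing character, anchoring it as `-replace 't$', ''` (and `-like '*t'` for the guard) limits the rename to that position. The two lines after `exit 3010` — the `Write-Host "INFO: ..."` line and `$currentHostName = $newHostname` — are unreachable, because 3010 is the exit code SSM Agent treats as a reboot request; log before exiting or drop them. `Rename-Computer -NewName $newHostname -Force` without `-Restart` is therefore relying entirely on that exit code for the reboot, which is worth stating in a comment on the step.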
@@ -57,17 +77,3 @@ mainSteps: inputs: name: AWSEC2Launch-Agent action: Install - - - name: NewHostName - action: aws:runPowerShellScript - onFailure: Abort - inputs: - runCommand: - - | - $currentHostName = (Get-WmiObject -Class Win32_ComputerSystem).Name - if ($currentName -like '*t*') { Write-Output $currentHostName } - $newHostName = $currentHostName -replace 't', '' - Rename-Computer -NewName $newHostName -Restart - exit 3010 - Write-Host "INFO: Hostname has been succesfully changed to $newHostname" - $hostname = $newHostname \ No newline at end of file