ministryofjustice · IjazMoJ · Nov 6, 2023 · Nov 6, 2023 · Nov 6, 2023 · Nov 6, 2023
@@ -78,7 +78,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@d10362aac526e5664795463df08c39ca503c9b5d # v12.2556.0
+        uses: bridgecrewio/checkov-action@3b830838fec7a285493826a2272e65b1879fbc3c # v12.2561.0
         with:
           directory: ./
           framework: terraform

@@ -1,7 +1,145 @@
 {
   "accounts": {
     "development": {
-      "example_var": "dev-data"
+      "short_env": "dev",
+      "dns": "laa-development",
+      "ses_domain_identity": "dev.legalservices.gov.uk",
+      "instance-scheduling": "skip-scheduling",
+      "ec2_oracle_instance_type_ebsdb_test": "x2iedn.8xlarge",
+      "ec2_oracle_instance_type_ebsdb": "m5d.4xlarge",
+      "ec2_oracle_instance_cores_ebsdb": "8",
+      "ec2_oracle_instance_threads_ebsdb": "2",
+      "ec2_oracle_instance_type_ebsconc": "m5d.4xlarge",
+      "ec2_oracle_instance_cores_ebsconc": "8",
+      "ec2_oracle_instance_threads_ebsconc": "2",
+      "ec2_oracle_instance_type_ebsapps": "m5d.2xlarge",
+      "ec2_oracle_instance_cores_ebsapps": "4",
+      "ec2_oracle_instance_threads_ebsapps": "2",
+      "ec2_oracle_instance_type_webgate": "m5d.large",
+      "ec2_oracle_instance_cores_webgate": "1",
+      "ec2_oracle_instance_threads_webgate": "2",
+      "ec2_oracle_instance_type_accessgate": "m5d.xlarge",
+      "ec2_oracle_instance_cores_accessgate": "2",
+      "ec2_oracle_instance_threads_accessgate": "2",
+      "ami_owner": "self",
+      "ec2_instance_type_ftp": "c5d.large",
+      "ftp_ami_id": "ami-0d8e665f120c20253",
+      "ec2_instance_type_clamav": "c5d.large",
+      "clamav_ami_id": "ami-0965b5afb3ac7174e",
+      "ebsdb_ami_id": "ami-0d4b266f7ae87bbfc",
+      "ebsconc_ami_id": "ami-0d4b266f7ae87bbfc",
+      "ebsapps_ami_id-1": "ami-0d4b266f7ae87bbfc",
+      "ebsapps_ami_id-2": "ami-0d4b266f7ae87bbfc",
+      "accessgate_ami_id-1": "ami-0695726199c3e30e5",
+      "accessgate_ami_id-2": "ami-0695726199c3e30e5",
+      "webgate_ami_id-1": "ami-0e398cd57c81356a7",
+      "webgate_ami_id-2": "ami-0e398cd57c81356a7",
+      "restored_db_image": "ami-0df5f31cae1c86635",
+      "orace_base_prereqs_ami_name": "Oracle79-prereqs-v2_0",
+      "orace_db_ami_name": "Oracle79-prereqs-v1_8",
+      "orace_db_dr_ami_name": "EBSDB-DR-test",
+      "webgate_ami_name": "ebs-webgate-v2_0",
+      "accessgate_ami_name": "ebs-accessgate-v2_0",
+      "ec2_instance_type_mailrelay": "c4.large",
+      "mailrelay_ami_id": "ami-0e183a740dfc54442",
+      "key_name": "",
+      "lz_aws_account_id_env": "411213865113",
+      "lz_aws_subnet_env": "10.202.0.0/20",
+      "lz_aws_workspace_nonprod_subnet_env": "10.200.0.0/20",
+      "lz_aws_workspace_prod_subnet_env": "10.200.16.0/20",
+      "lz_aws_workspace_nonprod_prod": "10.200.0.0/19",
+      "lz_aws_appstream_subnet_a_b": "10.200.32.0/23",
+      "cloud_platform_subnet": "172.20.0.0/16",
+      "lz_ftp_bucket_environment": "development",
+      "lz_domain_name": "*.dev.legalservices.gov.uk",
+      "mp_aws_subnet_env": "10.200.0.0/20",
+      "ebs_default_iops": 12000,
+      "webgate_no_instances": 2,
+      "webgate_default_iops": 3000,
+      "webgate_u01_size": 100,
+      "webgate_dns_prefix": "wgatedev",
+      "accessgate_no_instances": 2,
+      "accessgate_default_iops": 3000,
+      "accessgate_u01_size": 150,
+      "accessgate_dns_prefix": "agatedev",
+      "ebsapps_no_instances": 2,
+      "ebsapps_default_iops": 3000,
+      "ebsapps_exhome_size": 100,
+      "ebsapps_u01_size": 200,
+      "ebsapps_u03_size": 200,
+      "ebsapps_stage_size": 100,
+      "tg_apps_port": 8000,
+      "ebs_size_ebsdb_home": 100,
+      "ebs_size_ebsdb_temp": 100,
+      "ebs_size_ebsdb_exhome": 100,
+      "ebs_size_ebsdb_u01": 300,
+      "ebs_size_ebsdb_arch": 500,
+      "ebs_size_ebsdb_dbf": 11000,
+      "ebs_size_ebsdb_dbf_dr": 8000,
+      "ebs_size_ebsdb_redoA": 100,
+      "ebs_size_ebsdb_redoB": 50,
+      "ebs_size_ebsdb_techst": 100,
+      "ebs_size_ebsdb_backup": 8000,
+      "ebs_size_ebsdb_diag": 50,
+      "ebs_size_ebsdb_appshare": 100,
+      "ebs_default_iops_test": 9000,
+      "dbf_device": "nvme5n1",
+      "dbf_path": "/CCMS/EBS/dbf",
+      "ebs_type_ebsdb_backup": "gp3",
+      "ebs_size_ebsconc_exhome": 100,
+      "ebs_size_ebsconc_u01": 200,
+      "ebs_size_ebsconc_u03": 200,
+      "ebs_size_ebsconc_home": 100,
+      "ebs_size_ebsconc_stage": 100,
+      "ebs_size_ebsconc_temp": 100
+    }
+  },
+  "webgate_ebs": {
+    "u01": {
+      "mapping": "u01",
+      "type": "io2",
+      "device_name": "/dev/sdh"
+    }
+  },
+  "cloudwatch_ec2": {
+    "cpu": {
+      "eval_periods": 1,
+      "period": 60,
+      "threshold": 80
+    },
+    "mem": {
+      "eval_periods": 2,
+      "period": 60,
+      "threshold": 10
+    },
+    "disk": {
+      "eval_periods": 2,
+      "period": 60,
+      "threshold": 80,
+      "threshold_dbf": 90
+    },
+    "iowait": {
+      "eval_periods": 6,
+      "period": 60,
+      "threshold": 90
+    },
+    "insthc": {
+      "eval_periods": 3,
+      "period": 60,
+      "threshold": 1
+    },
+    "syshc": {
+      "eval_periods": 3,
+      "period": 60,
+      "threshold": 1
+    }
+  },
+  "cw_log_groups": {
+    "cwagent-var-log-messages": {
+      "retention_days": 30
+    },
+    "cwagent-var-log-secure": {
+      "retention_days": 90
     }
   }
 }
@@ -0,0 +1,56 @@
+## Certificates
+#   *.laa-development.modernisation-platform.service.justice.gov.uk
+#   *.laa-test.modernisation-platform.service.justice.gov.uk
+#   *.laa-preproduction.modernisation-platform.service.justice.gov.uk
+
+# resource "aws_acm_certificate" "laa_cert" {
+#   domain_name       = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment)
+#   validation_method = "DNS"
+
+#   subject_alternative_names = [
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment),
+#     format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment)
+#   ]
+
+#   tags = merge(local.tags,
+#     { Name = lower(format("%s-%s-certificate", local.application_name, local.environment)) }
+#   )
+
+#   lifecycle {
+#     create_before_destroy = true
+#   }
+# }
+
+# resource "aws_acm_certificate_validation" "laa_cert" {
+#   certificate_arn         = aws_acm_certificate.laa_cert.arn
+#   validation_record_fqdns = [for record in aws_route53_record.laa_cert_validation : record.fqdn]
+#   timeouts {
+#     create = "10m"
+#   }
+# }
+
+# resource "aws_route53_record" "laa_cert_validation" {
+#   provider = aws.core-vpc
+#   for_each = {
+#     for dvo in aws_acm_certificate.laa_cert.domain_validation_options : dvo.domain_name => {
+#       name   = dvo.resource_record_name
+#       record = dvo.resource_record_value
+#       type   = dvo.resource_record_type
+#     }
+#   }
+
+#   allow_overwrite = true
+#   name            = each.value.name
+#   records         = [each.value.record]
+#   ttl             = 60
+#   type            = each.value.type
+#   zone_id         = data.aws_route53_zone.external.zone_id
+# }
@@ -0,0 +1,126 @@
+resource "aws_ssm_document" "cloud_watch_agent" {
+  name            = "InstallAndManageCloudWatchAgent"
+  document_type   = "Command"
+  document_format = "YAML"
+  content         = file("./templates/install-and-manage-cwagent.yaml")
+
+  tags = merge(
+    local.tags,
+    {
+      Name = "install-and-manage-cloud-watch-agent"
+    },
+  )
+}
+
+resource "aws_cloudwatch_log_group" "groups" {
+  for_each          = local.application_data.cw_log_groups
+  name              = each.key
+  retention_in_days = each.value.retention_days
+
+  tags = merge(
+    local.tags,
+    {
+      Name = each.key
+    },
+  )
+}
+
+resource "aws_ssm_parameter" "cw_agent_config" {
+  description = "cloud watch agent config"
+  name        = "cloud-watch-config"
+  type        = "String"
+  value       = file("./templates/cw_agent_config.json")
+
+  tags = merge(local.tags,
+    { Name = "cw-config" }
+  )
+}
+
+resource "aws_ssm_association" "update_ssm_agent" {
+  name             = "AWS-UpdateSSMAgent"
+  association_name = "update-ssm-agent"
+  parameters = {
+    allowDowngrade = "false"
+  }
+  targets {
+    # we could just target all instances, but this would also include the bastion, which gets rebuilt everyday
+    key    = "tag:name"
+    values = [lower(format("ec2-%s-%s-*", local.application_name, local.environment))]
+  }
+  apply_only_at_cron_interval = false
+  schedule_expression         = "cron(30 7 ? * MON *)"
+}
+
+data "aws_iam_policy_document" "cloudwatch_datasource" {
+  statement {
+    sid    = "AllowReadWriteForCloudWatch"
+    effect = "Allow"
+    actions = [
+      "cloudwatch:PutMetricData",
+      "cloudwatch:DescribeAlarmsForMetric",
+      "cloudwatch:DescribeAlarmHistory",
+      "cloudwatch:DescribeAlarms",
+      "cloudwatch:ListMetrics",
+      "cloudwatch:GetMetricData",
+      "cloudwatch:GetInsightRuleReport"
+    ]
+    #tfsec:ignore:aws-iam-no-policy-wildcards
+    resources = ["*"]
+  }
+  statement {
+    sid    = "AllowReadingLogsFromCloudWatch"
+    effect = "Allow"
+    actions = [
+      "logs:DescribeLogGroups",
+      "logs:GetLogGroupFields",
+      "logs:StartQuery",
+      "logs:StopQuery",
+      "logs:GetQueryResults",
+      "logs:GetQueryResults",
+      "logs:GetLogEvents"
+    ]
+    #tfsec:ignore:aws-iam-no-policy-wildcards
+    resources = ["*"]
+  }
+  statement {
+    sid    = "AllowReadingTagsInstancesRegionsFromEC2"
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeRegions",
+      "ec2:DescribeVolumes",
+      "ec2:DescribeTags",
+      "ec2:DescribeInstances",
+      "ec2:DescribeRegions"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "AllowReadingResourcesForTags"
+    effect = "Allow"
+    actions = [
+      "tag:GetResources"
+    ]
+    resources = ["*"]
+  }
+
+}
+
+resource "aws_iam_policy" "cloudwatch_datasource_policy" {
+  name        = "cloudwatch-datasource-policy"
+  path        = "/"
+  description = "Policy for the Monitoring Cloudwatch Datasource"
+  policy      = data.aws_iam_policy_document.cloudwatch_datasource.json
+  tags = merge(
+    local.tags,
+    {
+      Name = "cloudwatch-datasource-policy"
+    },
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_datasource_policy_attach" {
+  policy_arn = aws_iam_policy.cloudwatch_datasource_policy.arn
+  #role       = aws_iam_role.cloudwatch-datasource-role.name
+  role = aws_iam_role.role_stsassume_oracle_base.name
+
+}