From c972bdd4b7d0abd609dc8a32e9dd334e9ace845d Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Fri, 27 Dec 2024 16:49:11 +0000 Subject: [PATCH 1/6] TM-844: add maintenance mode lb rule for test --- .../nomis-combined-reporting/locals_test.tf | 25 +++++++++++++++++++ .../templates/maintenance.html.tftpl | 17 +++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 terraform/environments/nomis-combined-reporting/templates/maintenance.html.tftpl diff --git a/terraform/environments/nomis-combined-reporting/locals_test.tf b/terraform/environments/nomis-combined-reporting/locals_test.tf index 0903eaaa9ec..92239c5a0b4 100644 --- a/terraform/environments/nomis-combined-reporting/locals_test.tf +++ b/terraform/environments/nomis-combined-reporting/locals_test.tf @@ -1,5 +1,10 @@ locals { + lb_maintenance_message_test = { + maintenance_title = "Prison-NOMIS Reporting T1 Maintenance Window" + maintenance_message = "Prison-NOMIS Reporting T1 is currently unavailable due to planned maintenance or out-of-hours shutdown (7pm-7am). Please contact #ask-digital-studio-ops slack channel if environment is unexpecedly down." + } + baseline_presets_test = { options = { sns_topics = { @@ -200,6 +205,25 @@ locals { } }] } + maintenance = { + priority = 999 + actions = [{ + type = "fixed-response" + fixed_response = { + content_type = "text/html" + message_body = templatefile("templates/maintenance.html.tftpl", local.lb_maintenance_message_test) + status_code = "200" + } + }] + conditions = [{ + host_header = { + values = [ + "t1.test.reporting.nomis.service.justice.gov.uk", + "maintenance.test.reporting.nomis.service.justice.gov.uk", + ] + } + }] + } } }) }) 
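Review bot: The two values in `lb_maintenance_message_test` are rendered into `maintenance.html.tftpl` by plain `${...}` interpolation with no HTML escaping, and nothing at the definition says so. A comment above the local would record this, for example `# Rendered verbatim into HTML by templatefile(); keep values static and free of markup. ALB fixed-response bodies are capped at 1024 characters.` The message text also misspells "unexpectedly" as `unexpecedly`, and the same misspelling is repeated in `lb_maintenance_message_preproduction` in patch 2.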
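Review bot: `status_code = "200"` in the `maintenance` rule's fixed response tells monitors, caches and automated clients that the service answered normally while it is in fact unavailable. `status_code = "503"` describes that state correctly and stops an outage page from being recorded as a healthy response. The same value is used in the other maintenance rules in this series: preproduction public in patch 2, test private in patch 3 and preproduction private in patch 5. The rule map this entry belongs to starts outside the hunk.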
@@ -212,6 +236,7 @@ locals { { name = "db", type = "CNAME", ttl = "3600", records = ["t1-ncr-db-1-a.nomis-combined-reporting.hmpps-test.modernisation-platform.service.justice.gov.uk"] }, ] lb_alias_records = [ + { name = "maintenance", type = "A", lbs_map_key = "public" }, { name = "t1", type = "A", lbs_map_key = "public" }, { name = "t1-int", type = "A", lbs_map_key = "private" }, ] diff --git a/terraform/environments/nomis-combined-reporting/templates/maintenance.html.tftpl b/terraform/environments/nomis-combined-reporting/templates/maintenance.html.tftpl new file mode 100644 index 00000000000..4ed7500b850 --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/templates/maintenance.html.tftpl @@ -0,0 +1,17 @@ + + + + + ${maintenance_title} + + + + + + + + +

${maintenance_title}

+

${maintenance_message}

+ + From 94af5524f1a38d799e5cea7942f27976b4b29c1c Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Fri, 27 Dec 2024 16:49:30 +0000 Subject: [PATCH 2/6] TM-844: add maintenance mode lb rule for preprod --- .../locals_preproduction.tf | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/terraform/environments/nomis-combined-reporting/locals_preproduction.tf b/terraform/environments/nomis-combined-reporting/locals_preproduction.tf index 75a20b6b00f..75ad37d7f9e 100644 --- a/terraform/environments/nomis-combined-reporting/locals_preproduction.tf +++ b/terraform/environments/nomis-combined-reporting/locals_preproduction.tf @@ -1,5 +1,10 @@ locals { + lb_maintenance_message_preproduction = { + maintenance_title = "Prison-NOMIS Reporting LSAST and/or Pre-Production Maintenance Window" + maintenance_message = "Prison-NOMIS Reporting LSAST and/or Pre-Production is currently unavailable due to planned maintenance or out-of-hours shutdown (7pm-7am). Please contact #ask-digital-studio-ops slack channel if environment is unexpecedly down." + } + baseline_presets_preproduction = { options = { sns_topics = { @@ -369,6 +374,25 @@ locals { } }] } + maintenance = { + priority = 999 + actions = [{ + type = "fixed-response" + fixed_response = { + content_type = "text/html" + message_body = templatefile("templates/maintenance.html.tftpl", local.lb_maintenance_message_preproduction) + status_code = "200" + } + }] + conditions = [{ + host_header = { + values = [ + "maintenance.preproducion.reporting.nomis.service.justice.gov.uk", + "preproduction.reporting.nomis.service.justice.gov.uk", + ] + } + }] + } } }) }) @@ -390,6 +414,7 @@ locals { { name = "", type = "A", lbs_map_key = "public" }, { name = "admin", type = "A", lbs_map_key = "public" }, { name = "int", type = "A", lbs_map_key = "private" }, + { name = "maintenance", type = "A", lbs_map_key = "public" }, ] } } From 36967bfa27bb15460d498e332a1a0e04b46b7f50 Mon Sep 17 00:00:00 2001 
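Review bot: The first `host_header` value in the new preproduction `maintenance` rule is misspelled: `"maintenance.preproducion.reporting.nomis.service.justice.gov.uk"` is missing the `t` in `preproduction`. A request for the correctly spelled name would not match this rule's host condition, so the dedicated maintenance hostname would presumably fall through to another rule or to the listener's default action. It should read `"maintenance.preproduction.reporting.nomis.service.justice.gov.uk"`. Patch 5 spells the private `maintenance-int` name correctly.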
From: Dominic Robinson Date: Mon, 30 Dec 2024 09:25:22 +0000 Subject: [PATCH 3/6] - --- .../nomis-combined-reporting/locals_test.tf | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/terraform/environments/nomis-combined-reporting/locals_test.tf b/terraform/environments/nomis-combined-reporting/locals_test.tf index 92239c5a0b4..6ccfae73f03 100644 --- a/terraform/environments/nomis-combined-reporting/locals_test.tf +++ b/terraform/environments/nomis-combined-reporting/locals_test.tf @@ -174,6 +174,25 @@ locals { } }] } + maintenance = { + priority = 999 + actions = [{ + type = "fixed-response" + fixed_response = { + content_type = "text/html" + message_body = templatefile("templates/maintenance.html.tftpl", local.lb_maintenance_message_test) + status_code = "200" + } + }] + conditions = [{ + host_header = { + values = [ + "t1-int.test.reporting.nomis.service.justice.gov.uk", + "maintenance-int.test.reporting.nomis.service.justice.gov.uk", + ] + } + }] + } } }) }) @@ -237,6 +256,7 @@ locals { ] lb_alias_records = [ { name = "maintenance", type = "A", lbs_map_key = "public" }, + { name = "maintenance-int", type = "A", lbs_map_key = "private" }, { name = "t1", type = "A", lbs_map_key = "public" }, { name = "t1-int", type = "A", lbs_map_key = "private" }, ] From 771f8bac4acb3b8718bca02de717600b5ef6febe Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Mon, 30 Dec 2024 10:34:42 +0000 Subject: [PATCH 4/6] - --- .../nomis-combined-reporting/locals_test.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/terraform/environments/nomis-combined-reporting/locals_test.tf b/terraform/environments/nomis-combined-reporting/locals_test.tf index 6ccfae73f03..0de4aafd429 100644 --- a/terraform/environments/nomis-combined-reporting/locals_test.tf +++ b/terraform/environments/nomis-combined-reporting/locals_test.tf 
@@ -142,6 +142,23 @@ locals { "arn:aws:secretsmanager:*:*:secret:/oracle/database/*T1/*", "arn:aws:secretsmanager:*:*:secret:/oracle/database/T1*/*", ] + }, + { + effect = "Allow" + actions = [ + "elasticloadbalancing:Describe*", + ] + resources = ["*"] + }, + { + effect = "Allow" + actions = [ + "elasticloadbalancing:SetRulePriorities", + ] + resources = [ + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/private-lb/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/public-lb/*", + ] } ] } From 76f4076e2cb662fbd4722d28f61af0f0a000e320 Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Thu, 2 Jan 2025 10:57:50 +0000 Subject: [PATCH 5/6] add preprod internal maintenance --- .../locals_preproduction.tf | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/terraform/environments/nomis-combined-reporting/locals_preproduction.tf b/terraform/environments/nomis-combined-reporting/locals_preproduction.tf index 75ad37d7f9e..edd7036944f 100644 --- a/terraform/environments/nomis-combined-reporting/locals_preproduction.tf +++ b/terraform/environments/nomis-combined-reporting/locals_preproduction.tf @@ -324,6 +324,25 @@ locals { } }] } + maintenance = { + priority = 999 + actions = [{ + type = "fixed-response" + fixed_response = { + content_type = "text/html" + message_body = templatefile("templates/maintenance.html.tftpl", local.lb_maintenance_message_preproduction) + status_code = "200" + } + }] + conditions = [{ + host_header = { + values = [ + "int.preproduction.reporting.nomis.service.justice.gov.uk", + "maintenance-int.preproduction.reporting.nomis.service.justice.gov.uk", + ] + } + }] + } } }) }) @@ -415,6 +434,7 @@ locals { { name = "admin", type = "A", lbs_map_key = "public" }, { name = "int", type = "A", lbs_map_key = "private" }, { name = "maintenance", type = "A", lbs_map_key = "public" }, + { name = "maintenance-int", type = "A", lbs_map_key = "private" }, ] } } From 244d5fc213cfc30f46bb0983a01b6f2d01baf169 Mon Sep 17 00:00:00 2001 
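Review bot: The `elasticloadbalancing:SetRulePriorities` statement covers every listener rule on `private-lb` and `public-lb`, so whichever principal carries this policy can reorder the normal routing rules as well as the `maintenance` rule. The hunk has no comment saying why the permission is needed. If the intent is to swap the maintenance rule in and out, a comment such as `# Allows swapping the maintenance rule (priority 999) in and out; applies to all rules on both LBs` would record it. It is also worth alerting on `SetRulePriorities` events in CloudTrail, since a priority change can take the service offline without touching any instance. The enclosing policy block starts outside the hunk, and the same two statements are added for preproduction and production in patch 6.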
From: Dominic Robinson Date: Thu, 2 Jan 2025 11:03:01 +0000 Subject: [PATCH 6/6] update policy --- .../locals_preproduction.tf | 17 +++++++++++++++++ .../locals_production.tf | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/terraform/environments/nomis-combined-reporting/locals_preproduction.tf b/terraform/environments/nomis-combined-reporting/locals_preproduction.tf index edd7036944f..b6163478124 100644 --- a/terraform/environments/nomis-combined-reporting/locals_preproduction.tf +++ b/terraform/environments/nomis-combined-reporting/locals_preproduction.tf @@ -256,6 +256,23 @@ locals { "arn:aws:secretsmanager:*:*:secret:/oracle/database/*LS/*", "arn:aws:secretsmanager:*:*:secret:/oracle/database/LS*/*", ] + }, + { + effect = "Allow" + actions = [ + "elasticloadbalancing:Describe*", + ] + resources = ["*"] + }, + { + effect = "Allow" + actions = [ + "elasticloadbalancing:SetRulePriorities", + ] + resources = [ + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/private-lb/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/public-lb/*", + ] } ] } diff --git a/terraform/environments/nomis-combined-reporting/locals_production.tf b/terraform/environments/nomis-combined-reporting/locals_production.tf index 0e5ebee949d..8a37433ae87 100644 --- a/terraform/environments/nomis-combined-reporting/locals_production.tf +++ b/terraform/environments/nomis-combined-reporting/locals_production.tf @@ -111,6 +111,23 @@ locals { "arn:aws:secretsmanager:*:*:secret:/oracle/database/*PD/*", "arn:aws:secretsmanager:*:*:secret:/oracle/database/PD*/*", ] + }, + { + effect = "Allow" + actions = [ + "elasticloadbalancing:Describe*", + ] + resources = ["*"] + }, + { + effect = "Allow" + actions = [ + "elasticloadbalancing:SetRulePriorities", + ] + resources = [ + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/private-lb/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/public-lb/*", + ] } ] }
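Review bot: The `locals_production.tf` hunk gives the production policy `elasticloadbalancing:SetRulePriorities` on both load balancers, yet no `maintenance` listener rule for production appears anywhere in this series. If production is not meant to have a maintenance mode yet, leaving this statement out until the rule exists keeps the production role limited to what it actually uses. The policy block starts and ends outside the hunk.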