From 4d355902270f6ad0150a6ff00f913e57aa31e359 Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 8 Jan 2025 16:19:31 +0000
Subject: [PATCH 1/2] add more security groups cause of limits

---
 .../locals_security_groups.tf | 68 ++++++++++++++-----
 1 file changed, 51 insertions(+), 17 deletions(-)

diff --git a/terraform/environments/oasys-national-reporting/locals_security_groups.tf b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
index 965602e839e..5a6c64f0894 100644
--- a/terraform/environments/oasys-national-reporting/locals_security_groups.tf
+++ b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
@@ -6,12 +6,15 @@ locals {
 enduserclient_internal = flatten([
 "10.0.0.0/8",
 ])
- enduserclient_public = flatten([
- module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
- module.ip_addresses.azure_fixngo_cidrs.internet_egress,
- module.ip_addresses.mp_cidrs.live_eu_west_nat,
- ])
- noms_core = module.ip_addresses.azure_fixngo_cidrs.devtest_core
+ # enduserclient_public = flatten([
+ # module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
+ # module.ip_addresses.azure_fixngo_cidrs.internet_egress,
+ # module.ip_addresses.mp_cidrs.live_eu_west_nat,
+ # ])
+ enduserclient_public_trusted_moj_digital_staff_public = module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+ enduserclient_public_azure_internet_egress = module.ip_addresses.azure_fixngo_cidrs.internet_egress
+ enduserclient_public_live_eu_west_nat = module.ip_addresses.mp_cidrs.live_eu_west_nat
+ noms_core = module.ip_addresses.azure_fixngo_cidrs.devtest_core
 oasys_db = flatten([
 module.ip_addresses.mp_cidr[module.environment.vpc_name],
 module.ip_addresses.azure_fixngo_cidrs.devtest_oasys_db,
@@ -28,12 +31,15 @@ locals {
 enduserclient_internal = [
 "10.0.0.0/8"
 ]
- enduserclient_public = flatten([
- module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
- module.ip_addresses.azure_fixngo_cidrs.internet_egress,
- module.ip_addresses.mp_cidrs.live_eu_west_nat,
- ])
- noms_core = module.ip_addresses.azure_fixngo_cidrs.prod_core
+ # enduserclient_public = flatten([
+ # module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
+ # module.ip_addresses.azure_fixngo_cidrs.internet_egress,
+ # module.ip_addresses.mp_cidrs.live_eu_west_nat,
+ # ])
+ enduserclient_public_trusted_moj_digital_staff_public = module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+ enduserclient_public_azure_internet_egress = module.ip_addresses.azure_fixngo_cidrs.internet_egress
+ enduserclient_public_live_eu_west_nat = module.ip_addresses.mp_cidrs.live_eu_west_nat
+ noms_core = module.ip_addresses.azure_fixngo_cidrs.prod_core
 oasys_db = flatten([
 module.ip_addresses.mp_cidr[module.environment.vpc_name],
 module.ip_addresses.azure_fixngo_cidrs.prod_oasys_db,
@@ -63,19 +69,47 @@ locals {
 protocol = -1
 self = true
 }
- http_lb = {
- description = "Allow http ingress"
+ http_lb_staff_public = {
+ description = "Allow http ingress from trusted_moj_digital_staff_public"
+ from_port = 80
+ to_port = 80
+ protocol = "TCP"
+ cidr_blocks = local.security_group_cidrs.enduserclient_public_trusted_moj_digital_staff_public
+ }
+ http_lb_internet_egress = {
+ description = "Allow http ingress from azure internet egress"
+ from_port = 80
+ to_port = 80
+ protocol = "TCP"
+ cidr_blocks = local.security_group_cidrs.enduserclient_public_azure_internet_egress
+ }
+ http_lb_live_eu_west_nat = {
+ description = "Allow http ingress from public live eu west nat"
 from_port = 80
 to_port = 80
 protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public
+ cidr_blocks = local.security_group_cidrs.enduserclient_public_live_eu_west_nat
 }
- https_lb = {
+ https_lb_staff_public = {
 description = "Allow enduserclient https ingress"
 from_port = 443
 to_port = 443
 protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public
+ cidr_blocks = local.security_group_cidrs.enduserclient_public_trusted_moj_digital_staff_public
+ }
+ https_lb_internet_egress = {
+ description = "Allow http ingress from azure internet egress"
+ from_port = 443
+ to_port = 443
+ protocol = "TCP"
+ cidr_blocks = local.security_group_cidrs.enduserclient_public_azure_internet_egress
+ }
+ https_lb_live_eu_west_nat = {
+ description = "Allow http ingress from public live eu west nat"
+ from_port = 443
+ to_port = 443
+ protocol = "TCP"
+ cidr_blocks = local.security_group_cidrs.enduserclient_public_live_eu_west_nat
 }
 }
 egress = {
From d558136f84b6817639420d77f155319dab827c60 Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 8 Jan 2025 16:42:42 +0000
Subject: [PATCH 2/2] change fix to follow ncr approach

---
 .../oasys-national-reporting/locals_lbs.tf | 2 +-
 .../locals_security_groups.tf | 110 +++++++++---------
 2 files changed, 59 insertions(+), 53 deletions(-)

diff --git a/terraform/environments/oasys-national-reporting/locals_lbs.tf b/terraform/environments/oasys-national-reporting/locals_lbs.tf
index d1bd4e9025a..8844cc4bea4 100644
--- a/terraform/environments/oasys-national-reporting/locals_lbs.tf
+++ b/terraform/environments/oasys-national-reporting/locals_lbs.tf
@@ -10,7 +10,7 @@ locals {
 force_destroy_bucket = true
 internal_lb = false
 load_balancer_type = "application"
- security_groups = ["public-lb"]
+ security_groups = ["public-lb", "public-lb-2"]
 subnets = module.environment.subnets["public"].ids
 listeners = {
diff --git a/terraform/environments/oasys-national-reporting/locals_security_groups.tf b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
index 5a6c64f0894..3881b00d050 100644
--- a/terraform/environments/oasys-national-reporting/locals_security_groups.tf
+++ b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
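Review bot: The reason for attaching a second group in `security_groups = ["public-lb", "public-lb-2"]` lives only in the commit subject ("cause of limits"), so the line should carry it, e.g. `# Client allow-list is split across two groups to stay under the per-SG inbound rule quota; both must remain attached.` Security groups on the same load balancer are evaluated as a union of allow rules, so dropping either name from this list would silently remove part of the trusted CIDR set rather than fail the plan. The `locals` block that holds this line starts and ends outside the hunk.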
@@ -6,15 +6,14 @@ locals {
 enduserclient_internal = flatten([
 "10.0.0.0/8",
 ])
- # enduserclient_public = flatten([
- # module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
- # module.ip_addresses.azure_fixngo_cidrs.internet_egress,
- # module.ip_addresses.mp_cidrs.live_eu_west_nat,
- # ])
- enduserclient_public_trusted_moj_digital_staff_public = module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
- enduserclient_public_azure_internet_egress = module.ip_addresses.azure_fixngo_cidrs.internet_egress
- enduserclient_public_live_eu_west_nat = module.ip_addresses.mp_cidrs.live_eu_west_nat
- noms_core = module.ip_addresses.azure_fixngo_cidrs.devtest_core
+ enduserclient_public1 = flatten([
+ module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+ ])
+ enduserclient_public2 = flatten([
+ module.ip_addresses.azure_fixngo_cidrs.internet_egress,
+ module.ip_addresses.mp_cidrs.live_eu_west_nat,
+ ])
+ noms_core = module.ip_addresses.azure_fixngo_cidrs.devtest_core
 oasys_db = flatten([
 module.ip_addresses.mp_cidr[module.environment.vpc_name],
 module.ip_addresses.azure_fixngo_cidrs.devtest_oasys_db,
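Review bot: Nothing in the new `enduserclient_public1` / `enduserclient_public2` locals records that they are two halves of one allow-list, so a later edit could add a CIDR source to one and assume the other group already admits it. Add a comment above `enduserclient_public1 = flatten([` such as `# Trusted client CIDRs, split in two because one security group cannot hold all the rules: public1 feeds public-lb, public2 feeds public-lb-2.` The union of the two lists is the same three `module.ip_addresses` sources as the removed `enduserclient_public`, so as far as this hunk shows the load balancer's exposure is unchanged. The same split is repeated in the production locals below and the comment applies there too.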
@@ -31,15 +30,14 @@ locals {
 enduserclient_internal = [
 "10.0.0.0/8"
 ]
- # enduserclient_public = flatten([
- # module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
- # module.ip_addresses.azure_fixngo_cidrs.internet_egress,
- # module.ip_addresses.mp_cidrs.live_eu_west_nat,
- # ])
- enduserclient_public_trusted_moj_digital_staff_public = module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
- enduserclient_public_azure_internet_egress = module.ip_addresses.azure_fixngo_cidrs.internet_egress
- enduserclient_public_live_eu_west_nat = module.ip_addresses.mp_cidrs.live_eu_west_nat
- noms_core = module.ip_addresses.azure_fixngo_cidrs.prod_core
+ enduserclient_public1 = flatten([
+ module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+ ])
+ enduserclient_public2 = flatten([
+ module.ip_addresses.azure_fixngo_cidrs.internet_egress,
+ module.ip_addresses.mp_cidrs.live_eu_west_nat,
+ ])
+ noms_core = module.ip_addresses.azure_fixngo_cidrs.prod_core
 oasys_db = flatten([
 module.ip_addresses.mp_cidr[module.environment.vpc_name],
 module.ip_addresses.azure_fixngo_cidrs.prod_oasys_db,
@@ -69,47 +67,19 @@ locals {
 protocol = -1
 self = true
 }
- http_lb_staff_public = {
- description = "Allow http ingress from trusted_moj_digital_staff_public"
- from_port = 80
- to_port = 80
- protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public_trusted_moj_digital_staff_public
- }
- http_lb_internet_egress = {
- description = "Allow http ingress from azure internet egress"
- from_port = 80
- to_port = 80
- protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public_azure_internet_egress
- }
- http_lb_live_eu_west_nat = {
- description = "Allow http ingress from public live eu west nat"
+ http = {
+ description = "Allow http ingress"
 from_port = 80
 to_port = 80
 protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public_live_eu_west_nat
+ cidr_blocks = local.security_group_cidrs.enduserclient_public1
 }
- https_lb_staff_public = {
- description = "Allow enduserclient https ingress"
- from_port = 443
- to_port = 443
- protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public_trusted_moj_digital_staff_public
- }
- https_lb_internet_egress = {
- description = "Allow http ingress from azure internet egress"
- from_port = 443
- to_port = 443
- protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public_azure_internet_egress
- }
- https_lb_live_eu_west_nat = {
- description = "Allow http ingress from public live eu west nat"
+ https = {
+ description = "Allow https ingress"
 from_port = 443
 to_port = 443
 protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public_live_eu_west_nat
+ cidr_blocks = local.security_group_cidrs.enduserclient_public1
 }
 }
 egress = {
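Review bot: The rule descriptions added here, `"Allow http ingress"` and `"Allow https ingress"`, no longer say which client population they admit, and once Terraform flattens the local names away the description is all an operator sees in the console next to the CIDR list. Since `cidr_blocks` now reference only `enduserclient_public1`, suggest `description = "Allow http ingress from trusted MoJ digital staff public CIDRs"` and the matching https wording, so the half held by `public-lb-2` is not mistaken for a missing rule. The `public-lb` security group that contains these rules starts outside the hunk.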
@@ -122,6 +92,42 @@ locals {
 }
 }
 }
+ public-lb-2 = {
+ description = "Security group for public load balancer part 2"
+ ingress = {
+ all-within-subnet = {
+ description = "Allow all ingress to self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ http = {
+ description = "Allow http ingress"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = local.security_group_cidrs.enduserclient_public2
+ }
+ https = {
+ description = "Allow https ingress"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = local.security_group_cidrs.enduserclient_public2
+ }
+ }
+ egress = {
+ all = {
+ description = "Allow all egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_groups = []
+ }
+ }
+ }
 lb = {
 description = "Security group for public subnet"
 ingress = {
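Review bot: The new `public-lb-2` group copies `all-within-subnet` (`protocol = -1`, `self = true`) alongside the 80/443 rules, which admits any interface in the group on every port; a public load balancer needs only the two client-facing rules, so unless something else is attached to this group the self rule should be omitted rather than duplicated (confirm no other resource uses `public-lb-2`). Its `http`/`https` rules spell the protocol `"tcp"` while the sibling `public-lb` rules use `"TCP"`; the provider accepts both, but one spelling keeps the two groups diffable. The `egress` block allows all protocols to `0.0.0.0/0`, which is wider than a load balancer needs (target subnets and ports would do); it presumably mirrors `public-lb`'s egress, which is outside the hunk, so treat that as a follow-up rather than a blocker here.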