From d5a3d418b44806d88a4697a8f2c06728a432d66d Mon Sep 17 00:00:00 2001 From: Kudzai Mtoko Date: Mon, 30 Sep 2024 14:40:34 +0100 Subject: [PATCH 1/4] first commit --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 10b4cdb67..7569cb6a6 100644 --- a/README.md +++ b/README.md @@ -76,3 +76,4 @@ These modules are used by the Modernisation Platform's core infrastructure [SCA Link]: https://github.com/ministryofjustice/modernisation-platform/actions/workflows/code-scanning.yml [Terraform SCA Icon]: https://img.shields.io/github/actions/workflow/status/ministryofjustice/modernisation-platform/code-scanning.yml?branch=main&labelColor=231f20&style=for-the-badge&label=Terraform%20Static%20Code%20Analysis [Terraform SCA Link]: https://github.com/ministryofjustice/modernisation-platform/actions/workflows/terraform-static-analysis.yml + From 530ddca406818f98d9d760694016cfc289e20fd8 Mon Sep 17 00:00:00 2001 From: Kudzai Mtoko Date: Tue, 1 Oct 2024 09:11:46 +0100 Subject: [PATCH 2/4] second commit --- README.md | 3 +- ...core-vpc-$environment accounts.html.md.erb | 67 +++++++++++++++++++ 2 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 source/runbooks/recreate-core-vpc-$environment accounts.html.md.erb diff --git a/README.md b/README.md index 7569cb6a6..9701caca1 100644 --- a/README.md +++ b/README.md 
@@ -75,5 +75,4 @@ These modules are used by the Modernisation Platform's core infrastructure [SCA Icon]: https://img.shields.io/github/actions/workflow/status/ministryofjustice/modernisation-platform/code-scanning.yml?branch=main&labelColor=231f20&style=for-the-badge&label=Secure%20Code%20Analysis [SCA Link]: https://github.com/ministryofjustice/modernisation-platform/actions/workflows/code-scanning.yml [Terraform SCA Icon]: https://img.shields.io/github/actions/workflow/status/ministryofjustice/modernisation-platform/code-scanning.yml?branch=main&labelColor=231f20&style=for-the-badge&label=Terraform%20Static%20Code%20Analysis -[Terraform SCA Link]: https://github.com/ministryofjustice/modernisation-platform/actions/workflows/terraform-static-analysis.yml - +[Terraform SCA Link]: https://github.com/ministryofjustice/modernisation-platform/actions/workflows/terraform-static-analysis.yml \ No newline at end of file diff --git a/source/runbooks/recreate-core-vpc-$environment accounts.html.md.erb b/source/runbooks/recreate-core-vpc-$environment accounts.html.md.erb new file mode 100644 index 000000000..8cf6c9aad --- /dev/null +++ b/source/runbooks/recreate-core-vpc-$environment accounts.html.md.erb 
@@ -0,0 +1,67 @@ +--- +owner_slack: "#modernisation-platform" +title: Core VPC Environment Accounts Setup +last_reviewed_on: 2024-09-30 +review_in: 6 months +--- + + + + + +# <%= current_page.data.title %> + +## Overview + +The core-logging AWS account is responsible for managing all core logging resources. + +| Resource | Description | +|----------------- |------------------------------------------------ +| VPCs| Stores logs such as cloudtrail and core logging VPC flow logs +| RAM shares, | Manages encryption keys used to securely encrypt the contents of S3 buckets +| VPC endpoints| Hosts resources used by PagerDuty +| VPC | Provides networking resources +| Transit Gateway connectivity| Service to analyze log data stored in S3 + +## Steps +## 1. Account Creation + +Please note that aliases do not have a retention period. If an alias still exists under the same organizational unit, you cannot reuse the same alias. To prevent the alias from being recreated, you need to add the environment name to the [skip alias local](https://github.com/ministryofjustice/modernisation-platform/blob/e9d5e14a25e5b0f4e544b26f0332e285e6c506a1/terraform/environments/bootstrap/member-bootstrap/locals.tf#L57). + +To initiate the account recreation process, go to the GitHub Actions page for the Modernisation Platform repository and trigger the new environment [workflow] (https://github.com/ministryofjustice/modernisation-platform/actions/workflows/new-environment.yml). +This workflow should detect that the account no longer exists and propose to recreate the account. As part of this process, it will also execute the baseline runs for the account. + +## 2. Deploy Core Logging Production Resources + +To recreate the resources run the [core-logging-deployment](https://github.com/ministryofjustice/modernisation-platform/actions/workflows/core-logging-deployment.yml) action in GitHub. 
+ +If a GitHub Actions deployment is not available the resources can be redeployed locally: + +- Navigate to the `modernisation-platform` repo and change to the `terraform/environments/core-logging` directory +- Using MP admin credentials, execute `terraform apply` from the `core-logging-production` workspace + +## 3. Verify Resources + +- Log into AWS Console for the `core-logging` account +- Verify that resources have been correctly provisioned: + - Do S3 buckets exist for CloudTrail logs, VPC Flow logs and R53 Resolver logs? + - Are KMS keys created with correct aliases? + - Check Athena is available to query CloudTrail logs + - Check SNS topics are associated with PagerDuty for core alerts + + +## 4. Notify Mod Platform Team +- Inform Modernisation Platform team of rebuild process +- Inform customers that account has been recreated +- Verify with the SOC that they are still able to ingest logs into their tooling + + +## References + +* [Accessing the AWS Console](https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/accessing-the-aws-console.html) +* [Disaster Recovery Process](https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/dr-process.html) From df3b3991f1782118500410c945d64050c151bd20 Mon Sep 17 00:00:00 2001 From: Kudzai Mtoko Date: Tue, 1 Oct 2024 12:11:07 +0100 Subject: [PATCH 3/4] final draft --- ...ore-vpc-$environment-accounts.html.md.erb} | 39 +++++++++++-------- 1 file changed, 22 insertions(+), 17 deletions(-) rename source/runbooks/{recreate-core-vpc-$environment accounts.html.md.erb => recreate-core-vpc-$environment-accounts.html.md.erb} (56%) diff --git a/source/runbooks/recreate-core-vpc-$environment accounts.html.md.erb b/source/runbooks/recreate-core-vpc-$environment-accounts.html.md.erb similarity index 56% rename from source/runbooks/recreate-core-vpc-$environment accounts.html.md.erb rename to source/runbooks/recreate-core-vpc-$environment-accounts.html.md.erb index 8cf6c9aad..ea14458fa 100644 
--- a/source/runbooks/recreate-core-vpc-$environment accounts.html.md.erb +++ b/source/runbooks/recreate-core-vpc-$environment-accounts.html.md.erb @@ -1,6 +1,6 @@ --- owner_slack: "#modernisation-platform" -title: Core VPC Environment Accounts Setup +title: Core VPC Environments Accounts Setup last_reviewed_on: 2024-09-30 review_in: 6 months --- @@ -18,15 +18,14 @@ review_in: 6 months ## Overview -The core-logging AWS account is responsible for managing all core logging resources. +The core-vpc AWS accounts are responsible for creating the core VPC resources in the VPC accounts. | Resource | Description | |----------------- |------------------------------------------------ -| VPCs| Stores logs such as cloudtrail and core logging VPC flow logs -| RAM shares, | Manages encryption keys used to securely encrypt the contents of S3 buckets -| VPC endpoints| Hosts resources used by PagerDuty -| VPC | Provides networking resources -| Transit Gateway connectivity| Service to analyze log data stored in S3 +| VPCs| Provides networking resources +| VPC endpoints| Enables secure access to services without internet +| RAM shares | Shares AWS resources across accounts securely +| Transit Gateway connectivity| Provides scalable and flexible networking connections ## Steps ## 1. Account Creation 
@@ -36,29 +35,35 @@ Please note that aliases do not have a retention period. If an alias still exist To initiate the account recreation process, go to the GitHub Actions page for the Modernisation Platform repository and trigger the new environment [workflow] (https://github.com/ministryofjustice/modernisation-platform/actions/workflows/new-environment.yml). This workflow should detect that the account no longer exists and propose to recreate the account. As part of this process, it will also execute the baseline runs for the account. -## 2. Deploy Core Logging Production Resources +## 2. Deploy The Core VPC Resources + +To recreate the resources run the actions below in Github + +- [core-vpc-test-deployment](https://github.com/ministryofjustice/modernisation-platform/blob/main/.github/workflows/core-vpc-test-deployment.yml) +- [core-vpc-development-deployment](https://github.com/ministryofjustice/modernisation-platform/blob/main/.github/workflows/core-vpc-development-deployment.yml) +- [core-vpc-preproduction-deployment](https://github.com/ministryofjustice/modernisation-platform/blob/main/.github/workflows/core-vpc-preproduction-deployment.yml) +- [core-vpc-production-deployment](https://github.com/ministryofjustice/modernisation-platform/blob/main/.github/workflows/core-vpc-production-deployment.yml) -To recreate the resources run the [core-logging-deployment](https://github.com/ministryofjustice/modernisation-platform/actions/workflows/core-logging-deployment.yml) action in GitHub. 
If a GitHub Actions deployment is not available the resources can be redeployed locally: -- Navigate to the `modernisation-platform` repo and change to the `terraform/environments/core-logging` directory -- Using MP admin credentials, execute `terraform apply` from the `core-logging-production` workspace +- Navigate to the `modernisation-platform` repo and change to the `terraform/environments/core-vpc` directory +- Using MP admin credentials, execute `terraform apply` from the `core-vpc-$environment` workspace ## 3. Verify Resources -- Log into AWS Console for the `core-logging` account +- Log into AWS Console for the `core-vpc-$environment` account - Verify that resources have been correctly provisioned: - - Do S3 buckets exist for CloudTrail logs, VPC Flow logs and R53 Resolver logs? - - Are KMS keys created with correct aliases? - - Check Athena is available to query CloudTrail logs - - Check SNS topics are associated with PagerDuty for core alerts + - Do VPCs exist with the correct configurations? + - Verify that CloudTrail is configured to log API activity related to VPC changes and VPC Flow Logs. + - Are VPC endpoints created for necessary services, and are they properly configured? + - Are RAM shares properly established to share resources across accounts? + - Is Transit Gateway connectivity correctly set up and functioning for all connected VPCs? ## 4. Notify Mod Platform Team - Inform Modernisation Platform team of rebuild process - Inform customers that account has been recreated -- Verify with the SOC that they are still able to ingest logs into their tooling ## References From 13b838cd95d99b01d65e330ded9945b4a27dc40f Mon Sep 17 00:00:00 2001 From: Kudzai Mtoko Date: Tue, 1 Oct 2024 12:14:26 +0100 Subject: [PATCH 4/4] updated to index.html --- source/index.html.md.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/source/index.html.md.erb b/source/index.html.md.erb index cc855324c..60d1a7f3c 100644 --- a/source/index.html.md.erb 
+++ b/source/index.html.md.erb @@ -135,6 +135,7 @@ This documentation is for anyone interested in the Modernisation Platform and it - [Querying VPC flow logs](runbooks/querying-vpc-flow-logs.html) - [Recreating the core-logging-production account](runbooks/recreate-core-logging-production-account.html) - [Recreating the core-shared-services account](runbooks/recreate-core-shared-services-production.html) +- [Recreating the core-vpc-$environments accounts](runbooks/recreate-core-vpc-$environment-accounts.html.md) - [Recreating the modernisation-platform account](runbooks/recreate-modernisation-platform-account.html) - [Removing a team member from the Modernisation Platform](runbooks/removing-a-team-member.html) - [Reviewing Dependabot PRs](runbooks/reviewing-dependabot-prs.html)
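Review bot: the two README.md hunks in PATCH 1/4 and PATCH 2/4 cancel each other out and should be dropped from the series. The first adds only a trailing blank line after the `[Terraform SCA Link]` definition, and the second removes it again and also strips the file's final newline (`\ No newline at end of file`). Squash these so README.md is untouched, or at least keep the terminating newline, since a missing final newline turns every future edit to that last line into a two-line diff.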
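Review bot: the Overview table added in PATCH 2/4 is pasted from the core-logging runbook and its descriptions do not match the resource column (`| VPCs| Stores logs such as cloudtrail and core logging VPC flow logs`, `| RAM shares, | Manages encryption keys used to securely encrypt the contents of S3 buckets`, `| VPC endpoints| Hosts resources used by PagerDuty`). PATCH 3/4 replaces the rows, so squash 2/4 and 3/4 rather than committing the incorrect version; in the replacement, "Core VPC Environments Accounts Setup" in the `title:` front matter reads awkwardly and "Recreating the core-vpc environment accounts" would match the other runbook titles listed in the index.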
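Review bot: in section "1. Account Creation" of the new runbook, `[workflow] (https://github.com/ministryofjustice/modernisation-platform/actions/workflows/new-environment.yml)` has a space between `]` and `(`, so Markdown renders it as literal text rather than a link; remove the space. The line is carried through PATCH 3/4 as unchanged context, so it is still broken in the final version.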
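Review bot: the rename in PATCH 3/4 fixes the space in the filename but keeps a literal `$` in `recreate-core-vpc-$environment-accounts.html.md.erb`. An unquoted `$environment` is expanded as a variable by shell and CI steps that touch the path, and `$` has to be percent-encoded as `%24` in URLs, which is why the neighbouring runbooks in the index use plain hyphenated names. Suggest `recreate-core-vpc-environment-accounts.html.md.erb` and use the same name in the index link.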
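Review bot: the four links in "2. Deploy The Core VPC Resources" point at the workflow source under `blob/main/.github/workflows/`, not at the Actions page where the workflow is actually triggered. The `new-environment` link in section 1 and the `core-logging-deployment` link this hunk removes both use `actions/workflows/...`, so these should too, e.g. `https://github.com/ministryofjustice/modernisation-platform/actions/workflows/core-vpc-production-deployment.yml`. The text should also say that only the deployment for the environment being recreated needs to run; as written a reader rebuilding `core-vpc-test` could take "run the actions below" to mean all four.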
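Review bot: the local fallback in section 2 says to run `terraform apply` from the `core-vpc-$environment` workspace but never shows how to select it, and it goes straight to `apply` with MP admin credentials. Spell out `terraform workspace select core-vpc-<environment>` followed by `terraform plan`, and ask the operator to review the plan before `terraform apply`; with the wrong workspace selected the apply runs against a different environment, and a plan review is the only check in this path.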
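Review bot: in "3. Verify Resources", `Verify that CloudTrail is configured to log API activity related to VPC changes and VPC Flow Logs.` conflates two separate things: CloudTrail records API calls, while VPC Flow Logs are a per-VPC feature with their own delivery destination. Split this into two checks (CloudTrail enabled for the account; flow logs enabled on each recreated VPC and delivering to the expected destination). The same hunk also deletes `Verify with the SOC that they are still able to ingest logs into their tooling` from section 4, yet recreated VPCs get new VPC IDs, so a downstream ingestion check still belongs in this runbook and should be kept.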
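Review bot: the new index entry in PATCH 4/4 links to `runbooks/recreate-core-vpc-$environment-accounts.html.md`, but every neighbouring entry links to the rendered `.html` page (e.g. `runbooks/recreate-core-logging-production-account.html`), so this link will not resolve on the built site; drop the `.md`. The link text `Recreating the core-vpc-$environments accounts` also pluralises `$environments`, which matches neither the filename nor the page title; pick one form and use it in the filename, the title and the index.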