ministryofjustice · dms1981 · Jul 4, 2024 · Jul 4, 2024 · Jul 4, 2024 · Jul 4, 2024
@@ -154,7 +154,9 @@ body:
       value: "Valid business-unit values | HQ,HMPPS,OPG,LAA,HMCTS,CICA,Platforms,CJSE | The infrastructure-support tag should be an email address which will receive AWS Health Operations emails."
   - type: markdown
     attributes:
-      value: "## Networking options"
+      value: |
+        ## Networking options
+        If your application requires supplementary AWS VPC Endpoints please see our guidance [here](https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/adding-vpc-endpoints.)
   - type: checkboxes
     id: subnet-sets
     attributes:

@@ -49,6 +49,7 @@ This documentation is for anyone interested in the Modernisation Platform and it
 - [Running Terraform plan locally](user-guide/running-terraform-plan-locally.html)
 - [Accessing EC2s](user-guide/accessing-ec2s.html)
 - [Wider MoJ Connectivity](user-guide/wider-moj-connectivity.html)
+- [How to add VPC endpoints](user-guide/adding-vpc-endpoints.html.md.erb)
 - [How to configure DNS for public services](user-guide/how-to-configure-dns.html)
 - [How to import a public SSL certificate into AWS Certificate Manager](user-guide/certificate-import.html)
 - [How to view core account/shared resources as a Member Developer](user-guide/member-read-only-core-accounts.html)

@@ -16,7 +16,7 @@ review_in: 6 month
 
 # <%= current_page.data.title %>
 
-Along with the standard [leavers form](https://leavers.form.service.justice.gov.uk/), there are a few things to do when a team member leaves to remove their access:
+Along with the standard [leavers form](hhttps://forms.office.com/Pages/ResponsePage.aspx?id=KEeHxuZx_kGp4S6MNndq2NsIsGyXy6NMmHp0qtTe-ONURDFGT0s5NldDRFRJRDk0T1M4Q0M1QVY3WCQlQCN0PWcu), there are a few things to do when a team member leaves to remove their access:
 
 1. Remove them from the team page [source/team/team.html.md.erb](https://github.com/ministryofjustice/modernisation-platform/blob/main/source/team/team.html.md.erb)
 1. Remove them from our GitHub team [terraform/github/locals.tf](https://github.com/ministryofjustice/modernisation-platform/blob/main/terraform/github/locals.tf)

@@ -0,0 +1,57 @@
+---
+owner_slack: "#modernisation-platform"
+title: Adding VPC endpoints
+last_reviewed_on: 2024-07-04
+review_in: 6 months
+---
+
+<!-- Google tag (gtag.js) -->
+<script async src="https://www.googletagmanager.com/gtag/js?id=G-NXTCMQ7ZX6"></script>
+<script>
+  window.dataLayer = window.dataLayer || [];
+  function gtag(){dataLayer.push(arguments);}
+  gtag('js', new Date());
+  gtag('config', 'G-NXTCMQ7ZX6');
+</script>
+
+# <%= current_page.data.title %>
+
+## Overview
+
+A selection of [AWS VPC Endpoints](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) are supplied by default to member VPCs.
+
+Modernisation Platform customers can raise pull requests to add further VPC endpoints as they require them.
+
+## Default AWS VPC Endpoints
+
+Modernisation Platform `core-vpc-*` accounts contain per-business-unit VPCs which each have the following endpoints provisioned in their `protected` subnets:
+```
+"com.amazonaws.eu-west-2.ec2",
+"com.amazonaws.eu-west-2.ec2messages",
+"com.amazonaws.eu-west-2.ssm",
+"com.amazonaws.eu-west-2.ssmmessages",
+```
+No action is required to make use of these. 
+
+## Adding supplementary AWS VPC Endpoints
+
+Additional VPC endpoints should be defined in the relevant `$business_unit-$environment.json` file in our [environments-networks](https://github.com/ministryofjustice/modernisation-platform/tree/main/environments-networks) directory.
+You can raise a pull request similar to [this example](https://github.com/ministryofjustice/modernisation-platform/pull/7408) for any additions you require.
+```
+{  
+  ...
+  "options": {
+    ...
+    "additional_endpoints": [
+      "com.amazonaws.eu-west-2.$endpoint"
+    ],
+    ...
+  }
+}
+```
+
+## Validating the creation of supplementary AWS VPC Endpoints
+
+Changes to VPC endpoints will be made through GitHub Actions. You can track the relevant `core-vpc-*` workflow [here](https://github.com/ministryofjustice/modernisation-platform/actions).
+
+You can also follow our guidance on [Viewing Core Account resources as a Member Account Developer](./member-read-only-core-accounts.html) to review the VPC endpoints in the relevant `core-vpc-*` account.
@@ -0,0 +1,49 @@
+---
+owner_slack: "#modernisation-platform"
+title: `environments-networks` json explained
+last_reviewed_on: 2024-07-04
+review_in: 6 months
+---
+
+<!-- Google tag (gtag.js) -->
+<script async src="https://www.googletagmanager.com/gtag/js?id=G-NXTCMQ7ZX6"></script>
+<script>
+  window.dataLayer = window.dataLayer || [];
+  function gtag(){dataLayer.push(arguments);}
+  gtag('js', new Date());
+  gtag('config', 'G-NXTCMQ7ZX6');
+</script>
+
+# <%= current_page.data.title %>
+
+## Overview
+
+Our `core-vpc` terraform consumes the contents of our `environments-networks/*.json` files to populate local values used in the creation of resources.
+
+This page explains how the options are used, with links to the relevant Terraform where possible.
+
+## Template example
+
+We maintain a template of the `environments-networks/*.json` files [here](https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments-networks/template-only.txt).
+
+## The `cidr` key
+
+The `cidr` key defines values used in the creation of networking resources:
+* `transit_gateway` has been deprecated as of [this pull request](https://github.com/ministryofjustice/modernisation-platform/pull/1345).
+* `protected` has likewise been deprecated as of [this pull request](https://github.com/ministryofjustice/modernisation-platform/pull/1345).
+* `subnet_sets` key contains its own nested keys to define additional networking values.
+  * Nested keys such as `general` provide further values that are consumed by the ["vpc"](https://github.com/ministryofjustice/modernisation-platform/blob/main/terraform/environments/core-vpc/vpc.tf#L85) module in `terraform/environments/core-vpc`.
+    * `cidr` defines the network address to be used to create a VPC. This network address is further subdivided to create subnets in the VPC
+    * `accounts` defines member account names associated with the relevant business unit.
+
+## The `options` key
+
+The `options` key defines values used in the creation of supplementary configuration items:
+* `bastion_linux` is a boolean which determines if a business-unit bastion instance should be created
+* `additional_cidrs` is used by the [vpc-nacls](https://github.com/ministryofjustice/modernisation-platform/tree/main/terraform/modules/vpc-nacls) module to allow access from external CIDRs such as PSN address ranges.
+* `aditional_endpoints` is used by the ["vpc"](https://github.com/ministryofjustice/modernisation-platform/blob/main/terraform/environments/core-vpc/vpc.tf#L85) module in `terraform/environments/core-vpc` to supply VPC endpoint names.
+* `additional_private_zones` is used by the [dns-zone-extend-private](https://github.com/ministryofjustice/modernisation-platform/tree/main/terraform/modules/dns-zone-extend-private) to create additional private DNS zones.
+> In practice, `additional_private_zones` are created directly by customers, leveraging the `core-vpc` provider rather than defining them here.
+* `additional_vpcs` is used by the [vpc-nacls](https://github.com/ministryofjustice/modernisation-platform/tree/main/terraform/modules/vpc-nacls) module to allow access from internal CIDRs such as other Modernisation Platform address ranges.
+> In practice, the use of `additional_vpcs` is something we want to avoid as we want to restrict the possibility of east/west traffic movement inside the Modernisation Platform.
+