From cfd45774674dc1d01f8a4d5b077d154d45bc17da Mon Sep 17 00:00:00 2001
From: Jaskaran Sarkaria <jaskaran.sarkaria@digital.justice.gov.uk>
Date: Tue, 10 Oct 2023 14:02:01 +0100
Subject: [PATCH] =?UTF-8?q?chore:=20=F0=9F=A4=96=20turn=20on=20psa=20audit?=
 =?UTF-8?q?=20for=20system=20namespaces=20(#2491)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../vpc/eks/components/components.tf          | 20 +++++++++----------
 .../vpc/eks/components/main.tf                |  3 ++-
 .../vpc/eks/components/networking.tf          |  2 +-
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/components.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/components.tf
index 96b8f937f..dc50d5329 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/components.tf
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/components.tf
@@ -1,6 +1,6 @@
 module "concourse" {
   count  = lookup(local.manager_workspace, terraform.workspace, false) ? 1 : 0
-  source = "github.com/ministryofjustice/cloud-platform-terraform-concourse?ref=1.18.3"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-concourse?ref=1.18.4"
 
   concourse_hostname                                = data.terraform_remote_state.cluster.outputs.cluster_domain_name
   github_auth_client_id                             = var.github_auth_client_id
@@ -59,7 +59,7 @@ module "descheduler" {
   ]
 }
 module "cert_manager" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-certmanager?ref=1.7.0"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-certmanager?ref=1.7.1"
 
   cluster_domain_name = data.terraform_remote_state.cluster.outputs.cluster_domain_name
   hostzone            = lookup(local.hostzones, terraform.workspace, local.hostzones["default"])
@@ -90,7 +90,7 @@ module "external_secrets_operator" {
   secrets_prefix              = terraform.workspace
 }
 module "ingress_controllers_v1" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-ingress-controller?ref=1.4.2"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-ingress-controller?ref=1.4.3"
 
   replica_count       = "12"
   controller_name     = "default"
@@ -108,7 +108,7 @@ module "ingress_controllers_v1" {
 }
 
 module "modsec_ingress_controllers_v1" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-ingress-controller?ref=1.4.2"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-ingress-controller?ref=1.4.3"
 
   replica_count                = "12"
   controller_name              = "modsec"
@@ -126,7 +126,7 @@ module "modsec_ingress_controllers_v1" {
 }
 
 module "kuberos" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-kuberos?ref=0.5.2"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-kuberos?ref=0.5.3"
 
   cluster_domain_name           = data.terraform_remote_state.cluster.outputs.cluster_domain_name
   oidc_kubernetes_client_id     = data.terraform_remote_state.cluster.outputs.oidc_kubernetes_client_id
@@ -141,7 +141,7 @@ module "kuberos" {
 }
 
 module "logging" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-logging?ref=1.9.15"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-logging?ref=1.9.16"
 
   elasticsearch_host              = lookup(var.elasticsearch_hosts_maps, terraform.workspace, "placeholder-elasticsearch")
   elasticsearch_modsec_audit_host = lookup(var.elasticsearch_modsec_audit_hosts_maps, terraform.workspace, "placeholder-elasticsearch")
@@ -149,7 +149,7 @@ module "logging" {
 }
 
 module "monitoring" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-monitoring?ref=2.10.1"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-monitoring?ref=2.10.2"
 
   alertmanager_slack_receivers               = local.enable_alerts ? var.alertmanager_slack_receivers : [{ severity = "dummy", webhook = "https://dummy.slack.com", channel = "#dummy-alarms" }]
   pagerduty_config                           = local.enable_alerts ? var.pagerduty_config : "dummy"
@@ -175,7 +175,7 @@ module "monitoring" {
 }
 
 module "gatekeeper" {
-  source     = "github.com/ministryofjustice/cloud-platform-terraform-gatekeeper?ref=1.6.1"
+  source     = "github.com/ministryofjustice/cloud-platform-terraform-gatekeeper?ref=1.6.2"
   depends_on = [module.monitoring, module.modsec_ingress_controllers_v1, module.cert_manager]
 
   dryrun_map = {
@@ -218,7 +218,7 @@ module "starter_pack" {
 }
 
 module "velero" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-velero?ref=2.0.0"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-velero?ref=2.0.1"
 
   enable_velero               = lookup(local.prod_2_workspace, terraform.workspace, false)
   dependence_prometheus       = module.monitoring.prometheus_operator_crds_status
@@ -234,7 +234,7 @@ module "kuberhealthy" {
 }
 
 module "trivy-operator" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-trivy-operator?ref=0.7.2"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-trivy-operator?ref=0.7.3"
 
   depends_on = [
     module.monitoring.prometheus_operator_crds_status
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/main.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/main.tf
index fab24c7e7..10cff18b4 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/main.tf
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/main.tf
@@ -161,8 +161,9 @@ resource "null_resource" "kube_system_default_annotations" {
     command = "kubectl annotate --overwrite namespace kube-system 'cloud-platform.justice.gov.uk/business-unit=Platforms', 'cloud-platform.justice.gov.uk/application=Cloud Platform', 'cloud-platform.justice.gov.uk/owner=Cloud Platform: platforms@digital.justice.gov.uk', 'cloud-platform.justice.gov.uk/source-code= https://github.com/ministryofjustice/cloud-platform-infrastructure', 'cloud-platform.justice.gov.uk/slack-channel=cloud-platform' 'cloud-platform-out-of-hours-alert=true'"
   }
 }
+
 resource "null_resource" "kube_system_default_labels" {
   provisioner "local-exec" {
-    command = "kubectl label --overwrite namespace kube-system 'component=kube-system' 'cloud-platform.justice.gov.uk/slack-channel=cloud-platform' 'cloud-platform.justice.gov.uk/is-production=true' 'cloud-platform.justice.gov.uk/environment-name=production'"
+    command = "kubectl label --overwrite namespace kube-system 'component=kube-system' 'cloud-platform.justice.gov.uk/slack-channel=cloud-platform' 'cloud-platform.justice.gov.uk/is-production=true' 'cloud-platform.justice.gov.uk/environment-name=production' 'pod-security.kubernetes.io/audit=privileged'"
   }
 }
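Review bot: `kube_system_default_labels` has no `triggers` argument, and a `local-exec` provisioner runs only when the `null_resource` is created, so on clusters where this resource is already in state the edited `command` will not run again and kube-system will not receive the new label. Adding a trigger whose value changes with the label set, e.g. `triggers = { psa_audit = "privileged" }`, forces replacement and re-execution. Separately, `privileged` is the unrestricted Pod Security level, so `pod-security.kubernetes.io/audit=privileged` records no violations. If the aim is an explicit exemption from a stricter cluster-wide default (not visible in this patch), a comment above the resource saying so would help; if the aim is visibility into non-compliant system pods, the audit level would need to be `baseline` or `restricted`.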
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/networking.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/networking.tf
index 58145ceda..816b09d70 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/networking.tf
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/networking.tf
@@ -41,7 +41,7 @@ resource "kubectl_manifest" "calico_crds" {
 }
 
 module "tigera_calico" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-tigera-calico?ref=0.1.1"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-tigera-calico?ref=0.1.2"
 
   depends_on = [
     kubectl_manifest.calico_crds