From ee72133e442e0326852743bde95e5717709d5806 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 17 Sep 2024 17:01:08 +0100
Subject: [PATCH 1/3] Add encryption wallet for DB connections
---
 .../delius-core/files/empty_wallet_base64.txt | 1 +
 .../components/dms/dms_db_source_endpoints.tf | 14 ++++++++++++++
 .../components/dms/dms_db_target_endpoints.tf | 14 ++++++++++++++
 .../modules/components/dms/oracle_wallet.tf | 11 +++++++++++
 4 files changed, 40 insertions(+)
 create mode 100644 terraform/environments/delius-core/files/empty_wallet_base64.txt
 create mode 100644 terraform/environments/delius-core/modules/components/dms/oracle_wallet.tf
diff --git a/terraform/environments/delius-core/files/empty_wallet_base64.txt b/terraform/environments/delius-core/files/empty_wallet_base64.txt
new file mode 100644
index 00000000000..c1eaddda9f8
--- /dev/null
+++ b/terraform/environments/delius-core/files/empty_wallet_base64.txt
@@ -0,0 +1 @@
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
diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf
index 41f8e5e1598..dbf75bd029e 100644
--- a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf
+++ b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf
@@ -15,6 +15,13 @@ resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" {
   server_name = join(".",[var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host],var.account_config.route53_inner_zone_info.name])
   port = local.oracle_port
   extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host],var.account_config.route53_inner_zone_info.name])}:${local.oracle_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
+  # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
+  ssl_mode = "verify-ca"
+  certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
+  # Ignore subsequent replacement with a valid wallet
+  lifecycle {
+    ignore_changes = [certificate_arn]
+  }
 }
 
 # In repository environments the dms_user_source_endpoint.read_database must be defined
@@ -30,4 +37,11 @@ resource "aws_dms_endpoint" "dms_user_source_endpoint_db" {
   server_name = join(".",[var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host],var.account_config.route53_inner_zone_info.name])
   port = local.oracle_port
   extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host],var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
+  # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
+  ssl_mode = "verify-ca"
+  certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
+  # Ignore subsequent replacement with a valid wallet
+  lifecycle {
+    ignore_changes = [certificate_arn]
+  }
 }
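Review bot: `ssl_mode = "verify-ca"` is combined with a certificate that the comment itself describes as an empty wallet, so until the populated wallet is swapped in there is no CA in the trust store for DMS to verify the Oracle server against; whether DMS then fails the endpoint test or connects without an effective check is not visible here, and the comment should state which is expected and that the endpoint is not usable before the swap. The same block is added to dms_user_source_endpoint_db in the second hunk and to both endpoints in dms_db_target_endpoints.tf. `ignore_changes = [certificate_arn]` also means Terraform will never report or revert an out-of-band change to the certificate on these endpoints, so the wallet actually in use is only visible in DMS or the Ansible run, never in plan output; a sentence such as `# certificate_arn is owned by the wallet rollout after creation; Terraform will not detect or revert drift on it` would make that trade-off explicit. The new comment says the populated wallet is "added by DMS configuration" while oracle_wallet.tf says it is done with Ansible; the two should agree on who owns the swap.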
diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf
index c1cd8c27065..7f7970ec1f7 100644
--- a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf
+++ b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf
@@ -11,6 +11,13 @@ resource "aws_dms_endpoint" "dms_user_target_endpoint_db" {
   server_name = join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])
   port = local.oracle_port
   extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
+  # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
+  ssl_mode = "verify-ca"
+  certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
+  # Ignore subsequent replacement with a valid wallet
+  lifecycle {
+    ignore_changes = [certificate_arn]
+  }
 }
 
 # In repository environments the end point for audit (AUDITED_INTERACTION, BUSINESS_INTERACTION) is the Delius primary database.
@@ -25,4 +32,11 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" {
   server_name = join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])
   port = local.oracle_port
   extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
+  # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
+  ssl_mode = "verify-ca"
+  certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
+  # Ignore subsequent replacement with a valid wallet
+  lifecycle {
+    ignore_changes = [certificate_arn]
+  }
 }
\ No newline at end of file
diff --git a/terraform/environments/delius-core/modules/components/dms/oracle_wallet.tf b/terraform/environments/delius-core/modules/components/dms/oracle_wallet.tf
new file mode 100644
index 00000000000..69c0e266ff1
--- /dev/null
+++ b/terraform/environments/delius-core/modules/components/dms/oracle_wallet.tf
@@ -0,0 +1,11 @@
+# In order to add encrypted DMS endpoints we need to add an Oracle SSL Wallet.
+# However, this may not exist at the time of running the terraform, so we
+# initialize the endpoints with an empty wallet. We update valid wallets
+# using Ansible following creation of the populated wallet.
+#
+# We use base64 encoding of the originally binary wallet
+# (base64 -i cwallet.sso -o empty_wallet_base64.txt)
+resource "aws_dms_certificate" "empty_oracle_wallet" {
+  certificate_id = "empty-oracle-wallet"
+  certificate_wallet = file("files/empty_wallet_base64.txt")
+}
\ No newline at end of file
From f78bad1a63272dca1cf07a7270753adc84228db2 Mon Sep 17 00:00:00 2001
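Review bot: In the new oracle_wallet.tf, `certificate_wallet = file("files/empty_wallet_base64.txt")` uses a bare relative path from a module under modules/components/dms, and Terraform resolves such paths against the working directory rather than the module, so it only works when terraform is run from terraform/environments/delius-core (where the diffstat places the file); anchor it explicitly, `certificate_wallet = file("${path.root}/files/empty_wallet_base64.txt")`, or move the file under the module and use `${path.module}`. The header comment should also say what the empty wallet does and does not provide: it carries no trust anchors, so it is a placeholder that satisfies the endpoints' certificate_arn requirement rather than a working trust store, and the `verify-ca` on the endpoints is not effective until the Ansible rollout replaces it. Stating that on the resource prevents a later reader from taking "encryption wallet" at face value.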
From: Bill Buchan
Date: Tue, 17 Sep 2024 17:45:34 +0100
Subject: [PATCH 2/3] Enforce dependency on the wallet
---
 .../components/dms/dms_db_source_endpoints.tf | 2 ++
 .../components/dms/dms_db_target_endpoints.tf | 18 ++++++++++--------
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf
index dbf75bd029e..7481e68ffb9 100644
--- a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf
+++ b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf
@@ -22,6 +22,7 @@ resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" {
   lifecycle {
     ignore_changes = [certificate_arn]
   }
+  depends_on = [aws_dms_certificate.empty_oracle_wallet]
 }
 
 # In repository environments the dms_user_source_endpoint.read_database must be defined
@@ -44,4 +45,5 @@ resource "aws_dms_endpoint" "dms_user_source_endpoint_db" {
   lifecycle {
     ignore_changes = [certificate_arn]
   }
+  depends_on = [aws_dms_certificate.empty_oracle_wallet]
 }
diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf
index 7f7970ec1f7..9c3d89e5ceb 100644
--- a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf
+++ b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf
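Review bot: `depends_on = [aws_dms_certificate.empty_oracle_wallet]` is redundant on dms_audit_source_endpoint_db and dms_user_source_endpoint_db, and equally on both endpoints in dms_db_target_endpoints.tf in the next file, because `certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn` already creates the implicit dependency and `ignore_changes` does not remove a reference from the graph. It is harmless, but if it was added to cure an observed ordering failure the cause is probably elsewhere and should be written down. If it stays, a one-line comment such as `# explicit for clarity; the certificate_arn reference already orders this after the wallet` would stop the next reader from hunting for a missing reference. The enclosing resource blocks start outside these hunks.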
@@ -14,10 +14,11 @@ resource "aws_dms_endpoint" "dms_user_target_endpoint_db" {
   # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
   ssl_mode = "verify-ca"
   certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
-  # Ignore subsequent replacement with a valid wallet
-  lifecycle {
-    ignore_changes = [certificate_arn]
-  }
+  # Ignore subsequent replacement with a valid wallet
+  lifecycle {
+    ignore_changes = [certificate_arn]
+  }
+  depends_on = [aws_dms_certificate.empty_oracle_wallet]
 }
 
 # In repository environments the end point for audit (AUDITED_INTERACTION, BUSINESS_INTERACTION) is the Delius primary database.
@@ -35,8 +36,9 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" {
   # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
   ssl_mode = "verify-ca"
   certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
-  # Ignore subsequent replacement with a valid wallet
-  lifecycle {
-    ignore_changes = [certificate_arn]
-  }
+  # Ignore subsequent replacement with a valid wallet
+  lifecycle {
+    ignore_changes = [certificate_arn]
+  }
+  depends_on = [aws_dms_certificate.empty_oracle_wallet]
 }
\ No newline at end of file
From 997ca02d10de619dd9d7be31a0a3d0b32e655442 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 17 Sep 2024 18:24:32 +0100
Subject: [PATCH 3/3] Ignore changes to the wallet
---
 .../delius-core/modules/components/dms/oracle_wallet.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/terraform/environments/delius-core/modules/components/dms/oracle_wallet.tf b/terraform/environments/delius-core/modules/components/dms/oracle_wallet.tf
index 69c0e266ff1..ffafe03e30e 100644
--- a/terraform/environments/delius-core/modules/components/dms/oracle_wallet.tf
+++ b/terraform/environments/delius-core/modules/components/dms/oracle_wallet.tf
@@ -8,4 +8,7 @@
 resource "aws_dms_certificate" "empty_oracle_wallet" {
   certificate_id = "empty-oracle-wallet"
   certificate_wallet = file("files/empty_wallet_base64.txt")
+  lifecycle {
+    ignore_changes = [certificate_wallet]
+  }
 }
\ No newline at end of file
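Review bot: `ignore_changes = [certificate_wallet]` means an edited files/empty_wallet_base64.txt will never be applied, and because the endpoints also ignore certificate_arn, none of the TLS trust material for these DMS connections is tracked or drift-checked by Terraform after the first apply. That is presumably intended since Ansible replaces the wallet, but it should be stated on the resource so reviewers know where the authoritative wallet lives and that `terraform plan` cannot surface a swapped or downgraded wallet, e.g. `# Wallet content is owned by the Ansible rollout after creation; Terraform neither updates nor detects drift on it`. If the motivation is that a changed certificate_wallet would force the provider to recreate the certificate and invalidate the endpoints' certificate_arn (not visible here), say so in the same comment.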