ministryofjustice · jacobwoffenden · Oct 17, 2024 · Oct 10, 2024 · Oct 10, 2024 · Oct 10, 2024
@@ -21,3 +21,15 @@ data "aws_secretsmanager_secret_version" "govuk_notify_templates" {
 data "aws_ssm_parameter" "datasync_ami" {
   name = "/aws/service/datasync/ami"
 }
+
+data "external" "external_ip" {
+  program = ["bash", "${path.module}/scripts/get-ip-address.sh"]
+}
+
+data "dns_a_record_set" "datasync_activation_nlb" {
+  host = module.datasync_activation_nlb.dns_name
+}
+
+data "aws_network_interface" "datasync_vpc_endpoint" {
+  id = tolist(module.connected_vpc_endpoints.endpoints["datasync"].network_interface_ids)[0]
+}
@@ -1,8 +1,16 @@
-# resource "aws_datasync_agent" "main" {
-#   name       = "${local.application_name}-${local.environment}-datasync"
-#   ip_address = module.datasync_instance.private_ip
+resource "aws_datasync_agent" "main" {
+  name       = "${local.application_name}-${local.environment}-datasync"
+  ip_address = data.dns_a_record_set.datasync_activation_nlb.addrs[0]
 
-#   tags = local.tags
+  subnet_arns           = [module.connected_vpc.private_subnet_arns[0]]
+  vpc_endpoint_id       = module.connected_vpc_endpoints.endpoints["datasync"].id
+  security_group_arns   = [module.datasync_task_eni_security_group.security_group_arn]
+  private_link_endpoint = data.aws_network_interface.datasync_vpc_endpoint.private_ip
 
-#   depends_on = [module.datasync_instance]
-# }
+  tags = local.tags
+
+  depends_on = [
+    module.datasync_instance,
+    module.datasync_activation_nlb_security_group
+  ]
+}
@@ -8,8 +8,8 @@ module "datasync_instance" {
   ami                    = data.aws_ssm_parameter.datasync_ami.value
   instance_type          = "m5.2xlarge"
   subnet_id              = element(module.connected_vpc.private_subnets, 0)
-  vpc_security_group_ids = [module.datasync_security_group.security_group_id]
-
+  vpc_security_group_ids = [module.datasync_instance_security_group.security_group_id]
+  private_ip             = local.environment_configuration.datasync_instance_private_ip
 
   metadata_options = {
     http_endpoint               = "enabled"
@@ -18,17 +18,25 @@ module "datasync_instance" {
     instance_metadata_tags      = "enabled"
   }
 
+  enable_volume_tags = false
   root_block_device = [
     {
       encrypted   = true
       kms_key_id  = module.ec2_ebs_kms.key_arn
       volume_type = "gp2"
-      volume_size = 80
+      volume_size = 200
+      tags = merge(
+        local.tags,
+        { Name = "${local.application_name}-${local.environment}-datasync-root" }
+      )
     }
   ]
 
   tags = merge(
     local.tags,
-    { Name = "${local.application_name}-${local.environment}-datasync" }
+    {
+      Name                = "${local.application_name}-${local.environment}-datasync"
+      instance-scheduling = "skip-scheduling" # TEMPORARY
+    }
   )
 }
@@ -35,6 +35,9 @@ locals {
           egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn
         }
       }
+
+      /* DataSync */
+      datasync_instance_private_ip = "10.26.128.5"
     }
     production = {
       /* VPC */
@@ -70,6 +73,9 @@ locals {
           egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn
         }
       }
+
+      /* DataSync */
+      datasync_instance_private_ip = "10.27.128.5"
     }
   }
 }
@@ -0,0 +1,37 @@
+module "datasync_activation_nlb" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/alb/aws"
+  version = "9.11.0"
+
+  name = "datasync-activation"
+
+  load_balancer_type    = "network"
+  vpc_id                = module.connected_vpc.vpc_id
+  subnets               = [module.connected_vpc.public_subnets[0]]
+  create_security_group = false
+  security_groups       = [module.datasync_activation_nlb_security_group.security_group_id]
+
+  target_groups = {
+    datasync = {
+      name_prefix          = "ds-"
+      protocol             = "TCP"
+      port                 = 80
+      target_type          = "ip"
+      target_id            = local.environment_configuration.datasync_instance_private_ip
+      deregistration_delay = 10
+    }
+  }
+
+  listeners = {
+    datasync = {
+      port     = 80
+      protocol = "TCP"
+      forward = {
+        target_group_key = "datasync"
+      }
+    }
+  }
+
+  tags = local.tags
+}
@@ -4,6 +4,14 @@ terraform {
       version = "~> 5.0"
       source  = "hashicorp/aws"
     }
+    dns = {
+      version = "~> 3.0"
+      source  = "hashicorp/dns"
+    }
+    external = {
+      version = "~> 2.0"
+      source  = "hashicorp/external"
+    }
     http = {
       version = "~> 3.0"
       source  = "hashicorp/http"

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Get IP address via Cloudflare
+ip="$(curl --silent https://cloudflare.com/cdn-cgi/trace | awk -F= '/ip=/{print $2}')"
+
+# Return it as a JSON object
+echo "{\"ip\": \"${ip}\"}"
@@ -20,6 +20,7 @@ resource "aws_security_group" "transfer_server" {
   description = "Security Group for Transfer Server"
   name        = "transfer-server"
   vpc_id      = module.isolated_vpc.vpc_id
+  tags        = local.tags
 }
 
 #tfsec:ignore:avd-aws-0104 - The security group is attached to the resource
@@ -77,25 +78,113 @@ module "scan_lambda_security_group" {
   tags = local.tags
 }
 
-module "datasync_security_group" {
+module "datasync_activation_nlb_security_group" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.2.0"
+
+  name        = "${local.application_name}-${local.environment}-datasync-activation-nlb"
+  description = "Security Group for DataSync Activation NLB"
+
+  vpc_id = module.connected_vpc.vpc_id
+
+  egress_cidr_blocks = ["${local.environment_configuration.datasync_instance_private_ip}/32"]
+  egress_rules       = ["http-80-tcp",]
+
+  ingress_cidr_blocks = ["${data.external.external_ip.result["ip"]}/32"]
+  ingress_rules = ["http-80-tcp"]
+
+  tags = local.tags
+}
+
+module "datasync_vpc_endpoint_security_group" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 
   source  = "terraform-aws-modules/security-group/aws"
   version = "5.2.0"
 
-  name        = "${local.application_name}-${local.environment}-datasync"
+  name        = "${local.application_name}-${local.environment}-datasync-vpc-endpoint"
+  description = "Security Group for DataSync VPC Endpoint"
+
+  vpc_id = module.connected_vpc.vpc_id
+
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = 1024
+      to_port     = 1064
+      protocol    = "tcp"
+      description = "DataSync Control Plane"
+      cidr_blocks = module.connected_vpc.vpc_cidr_block
+    }
+  ]
+
+  tags = local.tags
+}
+
+module "datasync_task_eni_security_group" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.2.0"
+
+  name        = "${local.application_name}-${local.environment}-datasync-task-eni"
+  description = "Security Group for DataSync Task ENIs"
+
+  vpc_id = module.connected_vpc.vpc_id
+
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = 443
+      to_port     = 443
+      protocol    = "tcp"
+      description = "DataSync Data Plane"
+      cidr_blocks = module.connected_vpc.vpc_cidr_block
+    }
+  ]
+
+  tags = local.tags
+}
+
+module "datasync_instance_security_group" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.2.0"
+
+  name        = "${local.application_name}-${local.environment}-datasync-instance"
   description = "Security Group for DataSync Instance"
 
   vpc_id = module.connected_vpc.vpc_id
 
-  egress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
-  egress_rules       = ["https-443-tcp"]
+  egress_with_source_security_group_id = [
+    {
+      from_port                = 1024
+      to_port                  = 1064
+      protocol                 = "tcp"
+      description              = "DataSync Control Plane"
+      source_security_group_id = module.datasync_vpc_endpoint_security_group.security_group_id
+    },
+    {
+      from_port                = 443
+      to_port                  = 443
+      protocol                 = "tcp"
+      description              = "DataSync Data Plane"
+      source_security_group_id = module.datasync_task_eni_security_group.security_group_id
+    }
+  ]
 
-  ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
-  ingress_rules = [
-    "http-80-tcp",
-    "https-443-tcp"
+  ingress_with_source_security_group_id = [
+    {
+      rule                     = "http-80-tcp"
+      source_security_group_id = module.datasync_activation_nlb_security_group.security_group_id
+    }
   ]
 
   tags = local.tags
 }
+
+moved {
+  from = module.datasync_security_group
+  to   = module.datasync_instance_security_group
+}
@@ -4,15 +4,19 @@ module "connected_vpc_endpoints" {
   source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
   version = "5.13.0"
 
-  vpc_id             = module.connected_vpc.vpc_id
-  subnet_ids         = module.connected_vpc.private_subnets
-  security_group_ids = [aws_security_group.connected_vpc_endpoints.id]
+  vpc_id     = module.connected_vpc.vpc_id
+  subnet_ids = module.connected_vpc.private_subnets
+  # security_group_ids = [aws_security_group.connected_vpc_endpoints.id]
 
   endpoints = {
     datasync = {
       service             = "datasync"
       service_type        = "Interface"
       private_dns_enabled = true
+      security_group_ids = [
+        module.datasync_vpc_endpoint_security_group.security_group_id,
+        module.datasync_task_eni_security_group.security_group_id
+      ]
       tags = merge(
         local.tags,
         { Name = format("%s-datasync", "${local.application_name}-${local.environment}-connected") }