Merge branch 'main' into renovate/actions-labeler-5.x

.gitignore

@@ -40,6 +40,7 @@ override.tf.json
 /.vs
 *.pem
 .idea
+.idea/*
 
 # ignore developer env certs
 VpnCerts

Makefile

@@ -1,54 +1,168 @@
 #!make
+.DEFAULT_GOAL := help
+SHELL := '/bin/bash'
+
+CURRENT_TIME := `date "+%Y.%m.%d-%H.%M.%S"`
+TERRAFORM_VERSION := `cat versions.tf 2> /dev/null | grep required_version | cut -d "\\"" -f 2 | cut -d " " -f 2`
+
+LOCAL_IMAGE := ministryofjustice/nvvs/terraforms:latest
+DOCKER_IMAGE := ghcr.io/ministryofjustice/nvvs/terraforms:latest
+
+DOCKER_RUN_GEN_ENV := @docker run --rm \
+				--env-file <(aws-vault exec $$AWS_PROFILE -- env | grep ^AWS_) \
+				-v `pwd`:/data \
+				--workdir /data \
+				--platform linux/amd64 \
+				$(DOCKER_IMAGE)
+
+DOCKER_RUN := @docker run --rm -it \
+				--env-file <(aws-vault exec $$AWS_PROFILE -- env | grep ^AWS_) \
+				--env-file ./.env \
+				-e TFENV_TERRAFORM_VERSION=$(TERRAFORM_VERSION) \
+				-v `pwd`:/data \
+				-v ${HOME}/.aws:/root/.aws \
+				--workdir /data \
+				--platform linux/amd64 \
+				$(DOCKER_IMAGE)
+
+export DOCKER_DEFAULT_PLATFORM=linux/amd64
+
+.PHONY: debug
+debug:  ## debug
+	$(info target is $@)
+	@echo "debug"
+
+.PHONY: aws
+aws:  ## provide aws cli command as an arg e.g. (make aws AWSCLI_ARGUMENT="s3 ls")
+	$(DOCKER_RUN) /bin/bash -c "aws $$AWSCLI_ARGUMENT"
+
+.PHONY: shell
+shell: ## Run Docker container with interactive terminal
+	$(DOCKER_RUN) /bin/bash
+
+.PHONY: fmt
+fmt: ## terraform fmt
+	$(DOCKER_RUN) /bin/bash -c "terraform fmt --recursive"
+
+.PHONY: init
+init: ## terraform init (make init ENV_ARGUMENT=pre-production) NOTE: Will also select the env's workspace.
+
+## INFO: Do not indent the conditional below, make stops with an error.
+ifneq ("$(wildcard .env)","")
+$(info Using config file ".env")
 include .env
-export
-
-fmt:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform fmt --recursive
-
-init:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -reconfigure \
-	--backend-config="key=terraform.$$ENV.state"
-
-workspace-list:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace list
-
-workspace-select:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace select $$ENV || \
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace new $$ENV
-
-validate:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform validate
-
-plan-out:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan -no-color > $$ENV.tfplan
-
-plan:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan
-
-refresh:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform refresh
-
-output:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform output -json
-
-apply:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform apply
-
-state-list:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform state list
-
-show:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform show -no-color
-
-destroy:
-	aws-vault exec $$AWS_VAULT_PROFILE -- terraform destroy
-
-clean:
-	rm -rf .terraform/ terraform.tfstate*
-
-authorise-performance-test-clients:
-	aws-vault exec $$AWS_VAULT_PROFILE -- sh ./scripts/authorise_performance_test_clients.sh
-
-.PHONY:
-	fmt init workspace-list workspace-select validate plan-out plan \
-	refresh output apply state-list show destroy clean authorise-performance-test-clients
+init: -init
+else
+$(info Config file ".env" does not exist.)
+init: -init-gen-env
+endif
+
+.PHONY: -init-gen-env
+-init-gen-env:
+	$(MAKE) gen-env
+	$(MAKE) -init
+
+.PHONY: -init
+-init:
+	$(DOCKER_RUN) /bin/bash -c "terraform init --backend-config=\"key=terraform.${ENV}.state\""
+	$(MAKE) workspace-select
+
+.PHONY: init--reconfigure
+init-reconfigure: ## terraform init --reconfigure
+	$(DOCKER_RUN) /bin/bash -c "terraform init -reconfigure --backend-config=\"key=terraform.${ENV}.state\""
+
+.PHONY: init-upgrade
+init-upgrade: ## terraform init -upgrade
+	$(DOCKER_RUN) /bin/bash -c "terraform init -upgrade --backend-config=\"key=terraform.${ENV}.state\""
+
+.PHONY: unlock
+unlock: ## Terraform unblock (make unlock ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+	$(DOCKER_RUN) /bin/bash -c "terraform force-unlock ${ID}"
+
+.PHONY: import
+import: ## terraform import e.g. (make import IMPORT_ARGUMENT=module.foo.bar some_resource)
+	$(DOCKER_RUN) /bin/bash -c "terraform import ${IMPORT_ARGUMENT}"
+
+.PHONY: workspace-list
+workspace-list: ## terraform workspace list
+	$(DOCKER_RUN) /bin/bash -c "terraform workspace list"
+
+.PHONY: workspace-select
+workspace-select: ## terraform workspace select
+	$(DOCKER_RUN) /bin/bash -c "terraform workspace select ${ENV}" || \
+	$(DOCKER_RUN) /bin/bash -c "terraform workspace new ${ENV}"
+
+.PHONY: validate
+validate: ## terraform validate
+	$(DOCKER_RUN) /bin/bash -c "terraform validate"
+
+.PHONY: plan-out
+plan-out: ## terraform plan - output to timestamped file
+	$(DOCKER_RUN) /bin/bash -c "terraform plan -no-color > ${ENV}.$(CURRENT_TIME).tfplan"
+
+.PHONY: plan
+plan: ## terraform plan
+	$(DOCKER_RUN) /bin/bash -c "terraform plan"
+
+.PHONY: refresh
+refresh: ## terraform refresh
+	$(DOCKER_RUN) /bin/bash -c "terraform refresh"
+
+.PHONY: output
+output: ## terraform output (make output OUTPUT_ARGUMENT='--raw dns_dhcp_vpc_id')
+	$(DOCKER_RUN) /bin/bash -c "terraform output -no-color ${OUTPUT_ARGUMENT}"
+
+.PHONY: apply
+apply: ## terraform apply
+	$(DOCKER_RUN) /bin/bash -c "terraform apply"
+	$(DOCKER_RUN) /bin/bash -c "./scripts/publish_terraform_outputs.sh"
+	$(DOCKER_RUN) /bin/bash -c "./scripts/cloudwatch_log_retention_policies.sh"
+
+.PHONY: state-list
+state-list: ## terraform state list
+	$(DOCKER_RUN) /bin/bash -c "terraform state list"
+
+.PHONY: show
+show: ## terraform show
+	$(DOCKER_RUN)/bin/bash -c " terraform show -no-color"
+
+.PHONY: destroy
+destroy: ## terraform destroy
+	$(DOCKER_RUN) /bin/bash -c "terraform destroy"
+
+.PHONY: lock
+lock: ## terraform providers lock (reset hashes after upgrades prior to commit)
+	rm .terraform.lock.hcl
+	$(DOCKER_RUN) /bin/bash -c "terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64"
+
+.PHONY: clean
+clean: ## clean terraform cached providers etc
+	rm -rf .terraform/ terraform.tfstate* .env #&& echo "" > ./.env
+
+.PHONY: gen-env
+gen-env: ## generate a ".env" file with the correct TF_VARS for the environment e.g. (make gen-env ENV_ARGUMENT=pre-production)
+	$(DOCKER_RUN_GEN_ENV) /bin/bash -c "./scripts/generate-env-file.sh ${ENV_ARGUMENT}"
+
+.PHONY: aws_describe_instances
+aws_describe_instances: ## Use AWS CLI to describe EC2 instances - outputs a table with instance id, type, IP and name for current environment
+	$(DOCKER_RUN) /bin/bash -c "./scripts/aws_describe_instances.sh"
+
+.PHONY: aws_ssm_start_session
+aws_ssm_start_session: ## Use AWS CLI to start SSM session on an EC2 instance (make aws_ssm_start_session INSTANCE_ID=i-01d4de517c7336ff3)
+	$(DOCKER_RUN) /bin/bash -c "./scripts/aws_ssm_start_session.sh $$INSTANCE_ID"
+
+.PHONY: tfenv
+tfenv: ## tfenv pin - terraform version from versions.tf
+	tfenv use $(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin
+
+.PHONY: taint
+taint: ## terraform taint (make taint TAINT_ARGUMENT=module.radius.aws_lb.load_balancer)
+	$(DOCKER_RUN) /bin/bash -c "terraform taint -no-color ${TAINT_ARGUMENT}"
+
+help:
+	@grep -h -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+############ Repository unique targets ############
+.PHONY: authorise-performance-test-clients
+authorise-performance-test-clients: ## Update a config file with IPs for test clients
+	$(DOCKER_RUN) /bin/bash -c "./scripts/authorise_performance_test_clients.sh"

README.md

@@ -31,6 +31,8 @@ This repository defines the **system infrastructure only**. Specific components
 - [Authentication with Azure AD](documentation/azure-ad.md)
 - [Vertically scaling the Read Replica](documentation/database-upgrade.md)
 - [Setup Performance Testing](documentation/performance_testing.md)
+- [Database Access - dump with bastion](documentation/rds-bastion.md)
+- [DEP OCSP Service Overview](documentation/ocsp-over-internet.md)
 
 ## CI/CD
 

bastion-rds-admin.tf

@@ -0,0 +1,27 @@
+module "rds_admin_bastion_label" {
+  source       = "./modules/label"
+  service_name = "rds-admin-bastion"
+  owner_email  = var.owner_email
+}
+
+module "rds_admin_bastion" {
+  source                      = "./modules/bastion"
+  prefix                      = module.rds_admin_bastion_label.id
+  vpc_id                      = module.admin_vpc.vpc.vpc_id
+  vpc_cidr_block              = module.admin_vpc.vpc.vpc_cidr_block
+  private_subnets             = module.admin_vpc.public_subnets
+  security_group_ids          = [module.admin.security_group_ids.admin_ecs]
+  ami_name                    = "diso-devops/bastion/rds-admin/ubuntu-jammy-22.04-amd64-server-1.0.1"
+  number_of_bastions          = 1
+  assume_role                 = local.s3-mojo_file_transfer_assume_role_arn
+  associate_public_ip_address = false
+  tags                        = module.rds_admin_bastion_label.tags
+
+  providers = {
+    aws = aws.env
+  }
+
+  depends_on = [module.admin_vpc]
+  // Set in SSM parameter store, true or false to enable or disable this module.
+  count = var.enable_rds_admin_bastion == true ? 1 : 0
+}

bastion-rds-servers.tf

@@ -0,0 +1,27 @@
+module "rds_servers_bastion_label" {
+  source       = "./modules/label"
+  service_name = "rds-servers-bastion"
+  owner_email  = var.owner_email
+}
+
+module "rds_servers_bastion" {
+  source                      = "./modules/bastion"
+  prefix                      = module.rds_servers_bastion_label.id
+  vpc_id                      = module.radius_vpc.vpc.vpc_id
+  vpc_cidr_block              = module.radius_vpc.vpc.vpc_cidr_block
+  private_subnets             = module.radius_vpc.private_subnets
+  security_group_ids          = [module.radius.security_group_ids.radius_server]
+  ami_name                    = "diso-devops/bastion/rds-admin/ubuntu-jammy-22.04-amd64-server-1.0.1"
+  number_of_bastions          = 1
+  assume_role                 = local.s3-mojo_file_transfer_assume_role_arn
+  associate_public_ip_address = false
+  tags                        = module.rds_servers_bastion_label.tags
+
+  providers = {
+    aws = aws.env
+  }
+
+  depends_on = [module.radius_vpc]
+  // Set in SSM parameter store, true or false to enable or disable this module.
+  count = var.enable_rds_servers_bastion == true ? 1 : 0
+}

bootstrap/variables.tf

@@ -5,6 +5,6 @@ variable "is_production" {
 
 variable "owner_email" {
   type    = string
-  default = "emile.swarts@digital.justice.gov.uk"
+  default = "lanwifi-devops@digital.justice.gov.uk"
 }
 

buildspec.yml

@@ -39,6 +39,10 @@ env:
     HOSTED_ZONE_ID: "/moj-network-access-control/$ENV/hosted_zone_id"
     ROLE_ARN: "/codebuild/pttp-ci-infrastructure-core-pipeline/$ENV/assume_role"
     TF_VAR_shared_services_account_id: "/codebuild/staff_device_shared_services_account_id"
+    TF_VAR_enable_rds_admin_bastion: "/moj-network-access-control/$ENV/enable_rds_admin_bastion"
+    TF_VAR_enable_rds_servers_bastion: "/moj-network-access-control/$ENV/enable_rds_servers_bastion"
+    TF_VAR_ocsp_dep_ip: "/moj-network-access-control/$ENV/ocsp_dep_ip"
+    TF_VAR_ocsp_prs_ip: "/moj-network-access-control/$ENV/ocsp_prs_ip"
 
 phases:
   install:
@@ -54,5 +58,6 @@ phases:
       - terraform workspace new $ENV || true
       - terraform workspace select $ENV
       - ./scripts/terraform_plan_or_apply.sh
+      - ./scripts/cloudwatch_log_retention_policies.sh
       - ./scripts/publish_terraform_outputs.sh
       - ./scripts/route53/ensure_delegated_non_production_subdomains.sh

data.tf

@@ -0,0 +1,35 @@
+locals {
+  xaiam_secrets_version_development    = "2e73a1de-af34-4c1d-a8ce-759df5b7bf75"
+  xaiam_secrets_version_pre_production = "9a071db2-4ed2-4c3f-9568-5ef2d5299dc4"
+  xaiam_secrets_version_production     = "a275ae6e-fc4c-4341-bb63-064f4e2fe209"
+}
+
+#-----------------------------------------------------------------
+### Getting the staff-device-shared-services-infrastructure state
+#-----------------------------------------------------------------
+data "terraform_remote_state" "staff-device-shared-services-infrastructure" {
+  backend = "s3"
+
+  config = {
+    bucket = "pttp-global-bootstrap-pttp-infrastructure-tf-remote-state"
+    key    = "env:/ci/terraform/v1/state"
+    region = "eu-west-2"
+  }
+}
+
+data "aws_secretsmanager_secret" "xsiam_endpoint_secrets" {
+  name = "/nac-server/${terraform.workspace}/xsiam_endpoint_secrets"
+}
+
+data "aws_secretsmanager_secret_version" "xaiam_secrets_version" {
+  secret_id  = data.aws_secretsmanager_secret.xsiam_endpoint_secrets.id
+  version_id = terraform.workspace == "pre-production" ? local.xaiam_secrets_version_pre_production : terraform.workspace == "production" ? local.xaiam_secrets_version_production : local.xaiam_secrets_version_development
+}
+
+data "aws_secretsmanager_secret" "allowed_ips" {
+  name = "/moj-network-access-control/production/allowed_ips"
+}
+
+data "aws_secretsmanager_secret_version" "allowed_ips" {
+  secret_id = data.aws_secretsmanager_secret.allowed_ips.id
+}

documentation/ocsp-over-internet.md

@@ -0,0 +1,19 @@
+- ### OCSP
+
+  NAC currently required to work with OCSP endpoint within internal subnet issued by internal CA and no requirement to send traffic over the internet, however, as a part of DEP(Digital Education Project) this service needed to onboard external CA which required NAC to send OCSP traffic over the internet.
+
+- As a part of this we needed to provide a static set of IPS in order for the supplier to ALLOW-LIST NAC on their service.
+
+Currently, NAC's cluster tasks are auto assigned with a public IP and these are subjected to change everytime service gets re-deployed.
+In order to solve this problem a SOURCE-NAT was configured using AWS NAT Gateway for traffic bound to DEP OCSP IP range.
+
+#### High level solution outlining DEP OCSP traffic
+
+![High level solution outlining DEP OCSP traffic
+](../documentation/azure-images/ocsp-nat.png)
+
+- ### Limitation
+
+  As per the best practice NAT should have been deployed in to multi-az, however, due to the limitation on the available subnet and CIDR limitation assigned to this VPC, it was not possible to deploy NAT across all availability zones without significant refactoring of the existing VPC.
+
+- In the event of an availability zone failures NAC DEP service will be degraded until AWS brings back the service.This has been raised as risk.