From 515b582a13995e49f686d1ad70fb5eb54df95ca2 Mon Sep 17 00:00:00 2001
From: MoJ Official GitHub Account <72017220+staff-infrastructure-moj@users.noreply.github.com>
Date: Mon, 1 Jul 2024 10:39:01 +0100
Subject: [PATCH 1/8] Update andymckay/labeler digest to 3a4296e (#291)
Co-authored-by: Renovate Bot
---
 .github/workflows/label-issues.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/label-issues.yml b/.github/workflows/label-issues.yml
index 6180bd9..55c284d 100644
--- a/.github/workflows/label-issues.yml
+++ b/.github/workflows/label-issues.yml
@@ -16,7 +16,7 @@ jobs:
 issues: write
 steps:
 - name: Label issues
- uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+ uses: andymckay/labeler@3a4296e9dcdf9576b0456050db78cfd34853f260
 with:
 add-labels: "network-access-control"
 repo-token: ${{ secrets.GITHUB_TOKEN }}
From 47281a7d58b982189757cb05ce26ca056737fa70 Mon Sep 17 00:00:00 2001
From: MoJ Official GitHub Account <72017220+staff-infrastructure-moj@users.noreply.github.com>
Date: Mon, 1 Jul 2024 11:39:04 +0100
Subject: [PATCH 2/8] Update hashicorp/setup-terraform action to v3 (#298)
Co-authored-by: Renovate Bot
Co-authored-by: lauren_tb
---
 .github/workflows/terraform-apply.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/terraform-apply.yaml b/.github/workflows/terraform-apply.yaml
index d4ffedd..566effd 100644
--- a/.github/workflows/terraform-apply.yaml
+++ b/.github/workflows/terraform-apply.yaml
@@ -57,7 +57,7 @@ jobs:
 # Install the specified version of Terraform CLI
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@v3
 with:
 terraform_version: ${{ env.TFVERSION }}
From 956f13b3bf37f3595602f9d07dc83ee597e7ca38 Mon Sep 17 00:00:00 2001
From: "Stephen.James"
Date: Mon, 1 Jul 2024 11:13:33 +0100
Subject: [PATCH 3/8] Set default bastion AMI to the new version created monthly with Packer in the https://github.com/ministryofjustice/diso-devops-ami-builder repository. ND-403
---
 modules/bastion/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf
index d838d62..7ad4ccd 100644
--- a/modules/bastion/variables.tf
+++ b/modules/bastion/variables.tf
@@ -46,7 +46,7 @@ variable "security_group_ids" {
 variable "ami_name" {
 type = string
 description = "The ami name"
- default = "diso-devops/bastion/rds-admin/ubuntu-jammy-22.04-amd64-server-1.0.1"
+ default = "diso-devops/bastion/ubuntu-jammy-22.04-amd64-server-generic-*"
 }
 variable "assume_role" {
From 2de08b7d94c752a06cf5447c230b83320c84722c Mon Sep 17 00:00:00 2001
From: "Stephen.James"
Date: Mon, 1 Jul 2024 11:16:29 +0100
Subject: [PATCH 4/8] Set AMI filter for the bastion module remove unrequired filters set to filter by tag and name. ND-403
---
 modules/bastion/bastion.tf | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/modules/bastion/bastion.tf b/modules/bastion/bastion.tf
index ec9d3c4..67f004e 100644
--- a/modules/bastion/bastion.tf
+++ b/modules/bastion/bastion.tf
@@ -34,15 +34,9 @@ data "aws_ami" "ubuntu" {
 values = ["${var.ami_name}"]
 }
- filter {
- name = "virtualization-type"
- values = ["hvm"]
+ tags = {
+ deploy_to_all_environments = "True"
 }
- # filter {
- # name = "tag:env_${terraform.workspace}"
- # values = ["true"]
- # }
-
- owners = ["683290208331"] # shared services accunt
+ owners = ["683290208331"] # shared services account
 }
From b68a21230dda9cf2f69c007a5abbc8287ddfde05 Mon Sep 17 00:00:00 2001
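Review bot: The new default turns `ami_name` into a glob, so the `data "aws_ami" "ubuntu"` lookup in modules/bastion/bastion.tf will match every monthly build of the generic image, and that data source only tolerates more than one match when `most_recent = true` is set; the opening lines of that data block are outside the patch 4/8 hunk, so please confirm the attribute is there, otherwise the first month with two matching images in the shared services account could break the plan. Because the default now follows the newest image, each monthly build will also plan a replacement of `aws_instance.bastion` unless the `ami` change is deliberately covered by `lifecycle { ignore_changes = [ami] }`; that appears to be the commit's intent, but the variable's `description = "The ami name"` no longer tells a caller any of this. Suggest `description = "Name pattern of the bastion AMI built by diso-devops-ami-builder in the shared services account; a glob selects the latest monthly image"`.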
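Review bot: The added `tags = { deploy_to_all_environments = "True" }` does not look like a filter: on `data "aws_ami"` I believe `tags` is an exported attribute of the matched image rather than a search argument, so the tag-based selection the commit message describes is likely to fail validation or have no effect — please check with `terraform validate`. The EC2 tag filter form is the one the removed commented-out block used (`name = "tag:..."`), and the block below expresses the intent that way. The `owners` pin must stay either way: with the name now a glob (patch 3/8), the owner restriction is what prevents an identically named image published from another account being selected. The enclosing `data "aws_ami" "ubuntu"` block starts before the hunk.
```hcl
  filter {
    name   = "tag:deploy_to_all_environments"
    values = ["True"]
  }

  # … unchanged: owners pin on the shared services account …
```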
From: "Stephen.James"
Date: Mon, 1 Jul 2024 11:17:57 +0100
Subject: [PATCH 5/8] Removed ami parameter The default value is useful for all bastion version now. ND-403
---
 bastion-rds-admin.tf | 1 -
 bastion-rds-servers.tf | 1 -
 2 files changed, 2 deletions(-)
diff --git a/bastion-rds-admin.tf b/bastion-rds-admin.tf
index 3bc0b60..b0c1487 100644
--- a/bastion-rds-admin.tf
+++ b/bastion-rds-admin.tf
@@ -11,7 +11,6 @@ module "rds_admin_bastion" {
 vpc_cidr_block = module.admin_vpc.vpc.vpc_cidr_block
 private_subnets = module.admin_vpc.public_subnets
 security_group_ids = [module.admin.security_group_ids.admin_ecs]
- ami_name = "diso-devops/bastion/rds-admin/ubuntu-jammy-22.04-amd64-server-1.0.1"
 number_of_bastions = 1
 assume_role = local.s3-mojo_file_transfer_assume_role_arn
 associate_public_ip_address = false
diff --git a/bastion-rds-servers.tf b/bastion-rds-servers.tf
index 5cdd9b7..09c6f7b 100644
--- a/bastion-rds-servers.tf
+++ b/bastion-rds-servers.tf
@@ -11,7 +11,6 @@ module "rds_servers_bastion" {
 vpc_cidr_block = module.radius_vpc.vpc.vpc_cidr_block
 private_subnets = module.radius_vpc.private_subnets
 security_group_ids = [module.radius.security_group_ids.radius_server]
- ami_name = "diso-devops/bastion/rds-admin/ubuntu-jammy-22.04-amd64-server-1.0.1"
 number_of_bastions = 1
 assume_role = local.s3-mojo_file_transfer_assume_role_arn
 associate_public_ip_address = false
From 3bd2e1fc808b24ed2bc6d978c22a5ff6e59514c7 Mon Sep 17 00:00:00 2001
From: "Stephen.James"
Date: Mon, 1 Jul 2024 12:54:30 +0100
Subject: [PATCH 6/8] Added bastion instance ID as output This enables quicker itdetification of the instance id for use when starting an SSM Session. ND-403
---
 Makefile | 8 ++++++++
 modules/bastion/outputs.tf | 3 +++
 outputs.tf | 4 ++++
 3 files changed, 15 insertions(+)
 create mode 100644 modules/bastion/outputs.tf
diff --git a/Makefile b/Makefile
index 3ccd4ff..e9c3689 100644
--- a/Makefile
+++ b/Makefile
@@ -112,6 +112,14 @@ refresh: ## terraform refresh
 output: ## terraform output (make output OUTPUT_ARGUMENT='--raw dns_dhcp_vpc_id')
 $(DOCKER_RUN) /bin/bash -c "terraform output -no-color ${OUTPUT_ARGUMENT}"
+.PHONY: output-bastion-rds-admin
+output-bastion-rds-admin: ## terraform output (make output OUTPUT_ARGUMENT='--raw dns_dhcp_vpc_id')
+ $(DOCKER_RUN) /bin/bash -c "terraform output -no-color -json terraform_outputs | jq -r .rds_bastion.admin[][]"
+
+.PHONY: output-bastion-rds-server
+output-bastion-rds-server: ## terraform output (make output OUTPUT_ARGUMENT='--raw dns_dhcp_vpc_id')
+ $(DOCKER_RUN) /bin/bash -c "terraform output -no-color -json terraform_outputs | jq -r .rds_bastion.server[][]"
+
 .PHONY: apply
 apply: ## terraform apply
 $(DOCKER_RUN) /bin/bash -c "terraform apply"
diff --git a/modules/bastion/outputs.tf b/modules/bastion/outputs.tf
new file mode 100644
index 0000000..5c97cff
--- /dev/null
+++ b/modules/bastion/outputs.tf
@@ -0,0 +1,3 @@
+output "bastion" {
+ value = aws_instance.bastion[*].id
+}
diff --git a/outputs.tf b/outputs.tf
index 27abe49..4b7b295 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -22,5 +22,9 @@ output "terraform_outputs" {
 nat_gateway_route_table = {
 value = module.radius_vpc.nat_gateway_route_table_id
 }
+ rds_bastion = {
+ admin = module.rds_admin_bastion[*].bastion
+ server = module.rds_servers_bastion[*].bastion
+ }
 }
 }
From 8b294818f34b936df712d4795c7fa35f465dd884 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 1 Jul 2024 12:07:09 +0000
Subject: [PATCH 7/8] Commit changes made by code formatters
---
 outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/outputs.tf b/outputs.tf
index 4b7b295..41e6df5 100644
--- a/outputs.tf
+++ b/outputs.tf
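Review bot: The two new recipes report jq's exit status rather than terraform's, because `bash -c` runs the pipeline without `pipefail`; if `terraform output` fails (no state yet, output not present) the target prints nothing and still succeeds, which is easy to miss when the empty result is then used for an SSM session. Prefix the quoted command: `$(DOCKER_RUN) /bin/bash -c "set -o pipefail; terraform output -no-color -json terraform_outputs | jq -r .rds_bastion.admin[][]"`, and likewise for `output-bastion-rds-server`. The same applies to the rewritten versions of both recipes in the Makefile hunk of patch 8/8. The recipes also assume `jq` is installed in the `$(DOCKER_RUN)` image, which cannot be confirmed from here.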
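Review bot: The new module output has no `description`, and the name `bastion` does not say that the value is a list of EC2 instance IDs (`aws_instance.bastion[*].id`), which is what the caller needs for the SSM session the commit message mentions. Add `description = "IDs of the bastion EC2 instances created by this module (e.g. for starting an SSM session)"`; the root-level `output "rds_bastion"` introduced in the outputs.tf hunk of patch 8/8 would benefit from the same. Renaming the output to something like `bastion_instance_ids` would be clearer still, but it changes the module interface, so that is better done in a follow-up once callers are known.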
@@ -23,7 +23,7 @@ output "terraform_outputs" {
 value = module.radius_vpc.nat_gateway_route_table_id
 }
 rds_bastion = {
- admin = module.rds_admin_bastion[*].bastion
+ admin = module.rds_admin_bastion[*].bastion
 server = module.rds_servers_bastion[*].bastion
 }
 }
From 24339d41ae19f957cb47f40e6d0f9e10af6266c1 Mon Sep 17 00:00:00 2001
From: "Stephen.James"
Date: Mon, 1 Jul 2024 14:01:18 +0100
Subject: [PATCH 8/8] Moved rds bastion output into it's own block for consistency with other projects. ND-403
---
 Makefile | 8 ++++----
 outputs.tf | 11 +++++++----
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index e9c3689..5e86ab1 100644
--- a/Makefile
+++ b/Makefile
@@ -113,12 +113,12 @@ output: ## terraform output (make output OUTPUT_ARGUMENT='--raw dns_dhcp_vpc_id'
 $(DOCKER_RUN) /bin/bash -c "terraform output -no-color ${OUTPUT_ARGUMENT}"
 .PHONY: output-bastion-rds-admin
-output-bastion-rds-admin: ## terraform output (make output OUTPUT_ARGUMENT='--raw dns_dhcp_vpc_id')
- $(DOCKER_RUN) /bin/bash -c "terraform output -no-color -json terraform_outputs | jq -r .rds_bastion.admin[][]"
+output-bastion-rds-admin: ## terraform output (make output-bastion-rds-admin)
+ $(DOCKER_RUN) /bin/bash -c "terraform output -no-color -json rds_bastion | jq -r .admin[][]"
 .PHONY: output-bastion-rds-server
-output-bastion-rds-server: ## terraform output (make output OUTPUT_ARGUMENT='--raw dns_dhcp_vpc_id')
- $(DOCKER_RUN) /bin/bash -c "terraform output -no-color -json terraform_outputs | jq -r .rds_bastion.server[][]"
+output-bastion-rds-server: ## terraform output (make output-bastion-rds-server)
+ $(DOCKER_RUN) /bin/bash -c "terraform output -no-color -json rds_bastion | jq -r .server[][]"
 .PHONY: apply
 apply: ## terraform apply
diff --git a/outputs.tf b/outputs.tf
index 41e6df5..9114432 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -22,9 +22,12 @@ output "terraform_outputs" {
 nat_gateway_route_table = {
 value = module.radius_vpc.nat_gateway_route_table_id
 }
- rds_bastion = {
- admin = module.rds_admin_bastion[*].bastion
- server = module.rds_servers_bastion[*].bastion
- }
+ }
+}
+
+output "rds_bastion" {
+ value = {
+ admin = module.rds_admin_bastion[*].bastion
+ server = module.rds_servers_bastion[*].bastion
 }
 }
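Review bot: `admin = module.rds_admin_bastion[*].bastion` produces a list of lists — as far as I know `[*]` applied to a module reference that has no `count` wraps the single module object in a one-element list, and `bastion` is itself the instance-ID list — which is why the Makefile recipe in this patch has to unwrap with `jq -r .admin[][]`. The module blocks visible in patch 5/8 (bastion-rds-admin.tf, bastion-rds-servers.tf) show `number_of_bastions = 1` and no `count`, though only part of each block is in those hunks; if neither module uses `count`, `admin = module.rds_admin_bastion.bastion` and `server = module.rds_servers_bastion.bastion` with `jq -r .admin[]` would give a flat list and a simpler contract for consumers. The enclosing `output "terraform_outputs"` block starts before the hunk.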