Merge pull request #3531 from ministryofjustice/CC-2117

CC-2117: Added rule for inbound connectivity from Cloud Platform
ministryofjustice · Oct 2, 2023 · 047ab32 · 047ab32
2 parents a8208f4 + b42e86a
commit 047ab32
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/terraform/environments/ccms-ebs/application_variables.json b/terraform/environments/ccms-ebs/application_variables.json
@@ -45,6 +45,7 @@
       "lz_aws_workspace_prod_subnet_env": "10.200.16.0/20",
       "lz_aws_workspace_nonprod_prod": "10.200.0.0/19",
       "lz_aws_appstream_subnet_a_b": "10.200.32.0/23",
+      "cloud_platform_subnet": "172.20.0.0/16",
       "lz_ftp_bucket_environment": "development",
       "lz_domain_name": "*.dev.legalservices.gov.uk",
       "mp_aws_subnet_env": "10.200.0.0/20",
@@ -125,6 +126,7 @@
       "lz_ftp_bucket_environment": "uat",
       "lz_domain_name": "*.uat.legalservices.gov.uk",
       "mp_aws_subnet_env": "10.200.0.0/20",
+      "cloud_platform_subnet": "172.20.0.0/16",
       "ebs_default_iops": 12000,
       "webgate_no_instances": 2,
       "webgate_default_iops": 3000,
@@ -200,6 +202,7 @@
       "lz_ftp_bucket_environment": "staging",
       "lz_domain_name": "*.stg.legalservices.gov.uk",
       "mp_aws_subnet_env": "10.200.0.0/20",
+      "cloud_platform_subnet": "172.20.0.0/16",
       "ebs_default_iops": 32000,
       "webgate_no_instances": 2,
       "webgate_default_iops": 3000,
@@ -275,6 +278,7 @@
       "lz_ftp_bucket_environment": "production",
       "lz_domain_name": "*.legalservices.gov.uk",
       "mp_aws_subnet_env": "10.200.0.0/20",
+      "cloud_platform_subnet": "172.20.0.0/16",
       "ebs_default_iops": 32000,
       "webgate_no_instances": 2,
       "webgate_default_iops": 3000,

diff --git a/terraform/environments/ccms-ebs/ccms-ec2-security_groups.tf b/terraform/environments/ccms-ebs/ccms-ec2-security_groups.tf
@@ -66,6 +66,18 @@ resource "aws_security_group_rule" "ingress_traffic_ebsdb" {
   cidr_blocks       = [data.aws_vpc.shared.cidr_block, local.application_data.accounts[local.environment].lz_aws_subnet_env, local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_prod, local.application_data.accounts[local.environment].lz_aws_appstream_subnet_a_b]
 }
 
+#### Temp, Below block seperated out rule due to design of the way rules are looped and restrictions on the limit of AWS rules per SG
+resource "aws_security_group_rule" "ingress_traffic_ebsdb_152x" {
+  security_group_id = aws_security_group.ec2_sg_ebsdb.id
+  type             = "ingress"
+  description      = "In: Oracle Net Listener for Cloud Platform"
+  protocol         = "tcp"
+  from_port        = 1521
+  to_port          = 1522
+  cidr_blocks      = [local.application_data.accounts[local.environment].cloud_platform_subnet]
+}
+
+
 resource "aws_security_group_rule" "egress_traffic_ebsdb_sg" {
   for_each                 = local.application_data.ec2_sg_egress_rules
   security_group_id        = aws_security_group.ec2_sg_ebsdb.id