From cf6e666b230e5f872b2fc4e9c29f985a4c777aa6 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Dec 2024 10:01:03 +0000
Subject: [PATCH 01/12] CC-3020: Lambda function for monitoring certificates.
---
.../ccms-lambda-certificate-checker.tf | 108 ++++++++++++++++++
.../ccms-ebs/lambda/certificate_monitor.zip | Bin 0 -> 1466 bytes
2 files changed, 108 insertions(+)
create mode 100644 terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
create mode 100644 terraform/environments/ccms-ebs/lambda/certificate_monitor.zip
diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
new file mode 100644
index 00000000000..885842877e8
--- /dev/null
+++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
@@ -0,0 +1,108 @@
+resource "aws_iam_role" "lambda_certificate_monitor_role" {
+ name = "acm_certificate_monitor_role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "lambda.amazonaws.com"
+ }
+ }]
+ })
+}
+
+resource "aws_iam_role_policy" "lambda_policy" {
+ name = "acm_certificate_monitor_policy"
+ role = aws_iam_role.lambda_certificate_monitor_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ]
+ Resource = "arn:aws:logs:*:*:*"
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "sns:Publish"
+ ]
+ Resource = [aws_sns_topic.certificate_expiration_alerts.arn]
+ }
+ ]
+ })
+}
+
+resource "aws_sns_topic" "certificate_expiration_alerts" {
+ name = "acm-certificate-alerts"
+}
+
+resource "aws_sns_topic_subscription" "email" {
+ topic_arn = aws_sns_topic.certificate_expiration_alerts.arn
+ protocol = "email"
+ endpoint = var.alert_email
+}
+
+resource "aws_lambda_function" "certificate_monitor" {
+ filename = "certificate_monitor.zip"
+ function_name = "acm_certificate_monitor"
+ role = aws_iam_role.lambda_certificate_monitor_role.arn
+ handler = "lambda_function.lambda_handler"
+ runtime = "python3.11"
+ timeout = 30
+
+ environment {
+ variables = {
+ SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
+ }
+ }
+}
+
+resource "aws_cloudwatch_event_rule" "acm_events" {
+ name = "acm-certificate-events"
+ description = "Capture ACM certificate events"
+
+ event_pattern = jsonencode({
+ source = ["aws.acm"]
+ detail-type = [
+ "ACM Certificate Approaching Expiration",
+ "ACM Certificate Expired"
+ ]
+ })
+}
+
+resource "aws_cloudwatch_event_target" "lambda_certificate_monitor" {
+ rule = aws_cloudwatch_event_rule.acm_events.name
+ target_id = "SendToLambda"
+ arn = aws_lambda_function.certificate_monitor.arn
+}
+
+resource "aws_lambda_permission" "allow_eventbridge" {
+ statement_id = "AllowEventBridgeInvoke"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.certificate_monitor.function_name
+ principal = "events.amazonaws.com"
+ source_arn = aws_cloudwatch_event_rule.acm_events.arn
+}
+
+variable "alert_email" {
+ description = "maciej.matysiak@digital.justice.gov.uk"
+ type = string
+}
+
+output "sns_topic_arn" {
+ description = "ARN of the SNS topic for certificate alerts"
+ value = aws_sns_topic.certificate_expiration_alerts.arn
+}
+
+output "lambda_function_arn" {
+ description = "ARN of the Lambda function"
+ value = aws_lambda_function.certificate_monitor.arn
+}
\ No newline at end of file
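Review bot: The `logs:*` statement in `aws_iam_role_policy.lambda_policy` uses `Resource = "arn:aws:logs:*:*:*"`, which lets this role create streams and write events into any log group rather than only its own; scoping it to the function's group, e.g. `Resource = "arn:aws:logs:*:*:log-group:/aws/lambda/acm_certificate_monitor:*"` (built from the same `function_name` literal used below), keeps the role at least-privilege without changing behaviour. The handler itself lives in the binary `certificate_monitor.zip` and is not reviewable here, so whether it also needs any `acm:Describe*`/`acm:List*` permission — which this policy does not grant — should be confirmed against the code; if it only republishes the EventBridge payload to SNS, the current two statements are enough. The trust policy also has no `aws:SourceAccount`/`aws:SourceArn` condition on the `lambda.amazonaws.com` principal, which AWS recommends for service roles as confused-deputy hardening; optional, but worth a comment either way.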
diff --git a/terraform/environments/ccms-ebs/lambda/certificate_monitor.zip b/terraform/environments/ccms-ebs/lambda/certificate_monitor.zip new file mode 100644 index 0000000000000000000000000000000000000000..882a4b3f0e0826cc7969394f9b9eb9e9f7015fac GIT binary patch literal 1466 zcmZ|Pc|6k%90%~q*k2xOagLKYvjp`|7$k;SFHY6FQma!Z&OKKBxB;;u1Dw@dE zdL~g;bL6OqNK~FKVvae+csU+D&wtPB)$9BEzP_LDAK&kvZ$~T`0tWzKBd`a5&0X|r zF-{5r0O?i$PzE#rUvfwo#h>C!3L~EmqyoR%@tM~1U}ysWn7}q;w#EB?=`_D6Rk1udu7Txe&JiE>F!lj8gkbc0b`j* z1KpXIruOGgKe3oq4R_Kws%?@#$<{X3L4BCPEO=*VMV>F9Af0mNyqPcE#HV+tikh%ugS`un+#xgIL|!cp#Q$Rp$p&LLk9 zqEK+xmJd(Ac@1mY=DcFIn*qII@n-;MZ9DVHnQ-Rt*KE63dgaV;F#mc*#a485uajEx z)Yvvs2HC0WN87U&IjqA7PDn#lWHfW0KB%-t7S)lK93+%5v5%UKE}pKG%y#0ZQ-|VD z8lQpQPdk5?7|~Fv59`~j2{9Uce!LajdkgHGIO%@%cV-0P0rJDLe{O9E3~ezOP*|Xf z7?#Jx;-N(#+WnMsgu}vb=14%+sv1dX(oB^k<}P&a)IJ&WC9^J8sgxy>aAaS!phMiY zc@E(ei9&KeWndS}p)ab97jvwT}00j z9;5_(Ig1vI%g3$man;=S@atP}CQZO=P0nv#Bg7YLur@IGRQY2hIm@JLw)!(~e(d1o zCI>!*4>1OhtJ?%#HHsu#9Yz)1ag55c2;JT7sva1WwE*pzmP_iLckF7734b&9W??kU zK6??7%tU;zp6dx{o${2iD!@3`o=2%Jd1UZ{9?y_ZwdXFno2C#}?#h(0T&I0z4c9b- zjkS3s2co6C`+L$y#RH);**n@9$lF%~apri_WZ25Pv-dZoVNj8lu!c`H32_o)jUa-D z9HgvumY)zGo3PdyNOj0e=oCk|SXD_%mn!x39ur-!Tjc8Vd=0iUs8&K9)DF?`G9<&S zy*0|^5>!YR9;xFZQ7?AX*MS>5$75|C=fUwfj#uN!v`b)uwm7f*hFa*9?Bdh6L2Z&F z-SxdI0&7n!06WP7N8zwZ4e7Cku12zrs3G?k+@K8x=&)bP68)!6a_?zQD~ zigroIXoRUe=>g|doxHg|BYm??{Jh9)%^J;lE$}p=FefeC!y1W~z=I z?;|ZK>_8XIZ$2gc;^ zr<0dX@7x!2@mLRET%|O6+7Szq(E|TUQq^@~0bt!opqTwL{mNC@|6Ki_sg77#xt~{{ M_3~Vw7}=lOKjMU|1^@s6 literal 0 HcmV?d00001 From 6c42f8d733974bf87f69b51fb0db092cbd6e1119 Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:16:23 +0000 Subject: [PATCH 02/12] CC-3015: Fixes. --- .../ccms-ebs/application_variables.json | 12 ++++++---- .../ccms-lambda-certificate-checker.tf | 24 +++++++++---------- 2 files changed, 19 insertions(+), 17 deletions(-) 
diff --git a/terraform/environments/ccms-ebs/application_variables.json b/terraform/environments/ccms-ebs/application_variables.json
index cb27282cf2f..1dad79a79ff 100644
--- a/terraform/environments/ccms-ebs/application_variables.json
+++ b/terraform/environments/ccms-ebs/application_variables.json
@@ -100,7 +100,8 @@
 "s3_lifecycle_days_transition_current_glacier": 365,
 "s3_lifecycle_days_transition_current_standard": 90,
 "s3_lifecycle_days_transition_noncurrent_glacier": 365,
- "s3_lifecycle_days_transition_noncurrent_standard": 90
+ "s3_lifecycle_days_transition_noncurrent_standard": 90,
+ "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk"
 },
 "test": {
 "short_env": "tst",
@@ -198,7 +199,8 @@
 "s3_lifecycle_days_transition_current_glacier": 365,
 "s3_lifecycle_days_transition_current_standard": 90,
 "s3_lifecycle_days_transition_noncurrent_glacier": 365,
- "s3_lifecycle_days_transition_noncurrent_standard": 90
+ "s3_lifecycle_days_transition_noncurrent_standard": 90,
+ "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk"
 },
 "preproduction": {
 "short_env": "prep",
@@ -296,7 +298,8 @@
 "s3_lifecycle_days_transition_current_glacier": 365,
 "s3_lifecycle_days_transition_current_standard": 90,
 "s3_lifecycle_days_transition_noncurrent_glacier": 365,
- "s3_lifecycle_days_transition_noncurrent_standard": 90
+ "s3_lifecycle_days_transition_noncurrent_standard": 90,
+ "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk"
 },
 "production": {
 "short_env": "prod",
@@ -396,7 +399,8 @@
 "s3_lifecycle_days_transition_current_glacier": 365,
 "s3_lifecycle_days_transition_current_standard": 90,
 "s3_lifecycle_days_transition_noncurrent_glacier": 365,
- "s3_lifecycle_days_transition_noncurrent_standard": 90
+ "s3_lifecycle_days_transition_noncurrent_standard": 90,
+ "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk"
 }
 },
 "webgate_ebs": {
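Review bot: The new `certificate_monitor_email` key points every environment, production included, at one named individual's mailbox, so certificate-expiry alerts stop arriving the moment that account is disabled or its owner is away; a shared team distribution list (or a ticketing/on-call address) is the more robust endpoint for an alert that exists precisely to avoid an outage. Because all four accounts carry the identical value, the per-environment placement suggests it was meant to differ; if it is intentionally the same, a single shared entry would avoid four copies to keep in sync.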
diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
index 885842877e8..f76c40556ca 100644
--- a/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
+++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
@@ -47,22 +47,25 @@ resource "aws_sns_topic" "certificate_expiration_alerts" {
 resource "aws_sns_topic_subscription" "email" {
 topic_arn = aws_sns_topic.certificate_expiration_alerts.arn
 protocol = "email"
- endpoint = var.alert_email
+ endpoint = local.application_data.accounts[local.environment].certificate_monitor_email
 }
 
 resource "aws_lambda_function" "certificate_monitor" {
- filename = "certificate_monitor.zip"
- function_name = "acm_certificate_monitor"
- role = aws_iam_role.lambda_certificate_monitor_role.arn
- handler = "lambda_function.lambda_handler"
- runtime = "python3.11"
- timeout = 30
+ filename = "certificate_monitor.zip"
+ function_name = "${local.application_name}-${local.environment}-certificate-monitor"
+ role = aws_iam_role.lambda_certificate_monitor_role.arn
+ handler = "lambda_function.lambda_handler"
+ runtime = "python3.11"
+ timeout = 30
 
 environment {
 variables = {
 SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
 }
 }
+ tags = merge(local.tags, {
+ Name = "${local.application_name}-${local.environment}-certificate-monitor"
+ })
 }
 
 resource "aws_cloudwatch_event_rule" "acm_events" {
@@ -70,7 +73,7 @@ resource "aws_cloudwatch_event_rule" "acm_events" {
 description = "Capture ACM certificate events"
 
 event_pattern = jsonencode({
- source = ["aws.acm"]
+ source = ["aws.acm"]
 detail-type = [
 "ACM Certificate Approaching Expiration",
 "ACM Certificate Expired"
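Review bot: The `endpoint` change keeps `protocol = "email"`, and an SNS email subscription is created in a pending state that delivers nothing until the recipient clicks the confirmation link AWS sends; Terraform cannot complete that step, so an `apply` that reports success does not mean alerts are flowing. Worth recording on the resource so the next operator checks it: `# Email subscriptions stay "PendingConfirmation" until the recipient confirms; verify in the SNS console after apply`. The alignment-only change in the second hunk (`source = ["aws.acm"]`) is cosmetic and fine.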
@@ -92,11 +95,6 @@ resource "aws_lambda_permission" "allow_eventbridge" {
 source_arn = aws_cloudwatch_event_rule.acm_events.arn
 }
 
-variable "alert_email" {
- description = "maciej.matysiak@digital.justice.gov.uk"
- type = string
-}
-
 output "sns_topic_arn" {
 description = "ARN of the SNS topic for certificate alerts"
 value = aws_sns_topic.certificate_expiration_alerts.arn
From 5887e6c00220a17800f4e539430877d2168ee493 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Dec 2024 10:25:09 +0000
Subject: [PATCH 03/12] CC-3015: Renamed resources.
---
.../ccms-lambda-certificate-checker.tf | 29 ++++++++++++++++---
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
index f76c40556ca..0810c98f120 100644
--- a/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
+++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "lambda_certificate_monitor_role" {
- name = "acm_certificate_monitor_role"
+ name = "${local.application_name}-${local.environment}-acm_certificate_monitor_role"
 
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
@@ -11,10 +11,13 @@ resource "aws_iam_role" "lambda_certificate_monitor_role" {
 }
 }]
 })
+ tags = merge(local.tags, {
+ Name = "${local.application_name}-${local.environment}-certificate-monitor"
+ })
 }
 
 resource "aws_iam_role_policy" "lambda_policy" {
- name = "acm_certificate_monitor_policy"
+ name = "${local.application_name}-${local.environment}-acm_certificate_monitor_policy"
 role = aws_iam_role.lambda_certificate_monitor_role.id
 
 policy = jsonencode({
@@ -38,16 +41,25 @@ resource "aws_iam_role_policy" "lambda_policy" {
 }
 ]
 })
+ tags = merge(local.tags, {
+ Name = "${local.application_name}-${local.environment}-certificate-monitor"
+ })
 }
 
 resource "aws_sns_topic" "certificate_expiration_alerts" {
- name = "acm-certificate-alerts"
+ name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
+ tags = merge(local.tags, {
+ Name = "${local.application_name}-${local.environment}-certificate-monitor"
+ })
 }
 
 resource "aws_sns_topic_subscription" "email" {
 topic_arn = aws_sns_topic.certificate_expiration_alerts.arn
 protocol = "email"
 endpoint = local.application_data.accounts[local.environment].certificate_monitor_email
+ tags = merge(local.tags, {
+ Name = "${local.application_name}-${local.environment}-certificate-monitor"
+ })
 }
 
 resource "aws_lambda_function" "certificate_monitor" {
@@ -69,7 +81,7 @@ resource "aws_lambda_function" "certificate_monitor" {
 }
 
 resource "aws_cloudwatch_event_rule" "acm_events" {
- name = "acm-certificate-events"
+ name = "${local.application_name}-${local.environment}-acm-certificate-events"
 description = "Capture ACM certificate events"
 
 event_pattern = jsonencode({
@@ -79,12 +91,18 @@ resource "aws_cloudwatch_event_rule" "acm_events" {
 "ACM Certificate Expired"
 ]
 })
+ tags = merge(local.tags, {
+ Name = "${local.application_name}-${local.environment}-certificate-monitor"
+ })
 }
 
 resource "aws_cloudwatch_event_target" "lambda_certificate_monitor" {
 rule = aws_cloudwatch_event_rule.acm_events.name
 target_id = "SendToLambda"
 arn = aws_lambda_function.certificate_monitor.arn
+ tags = merge(local.tags, {
+ Name = "${local.application_name}-${local.environment}-certificate-monitor"
+ })
 }
 
 resource "aws_lambda_permission" "allow_eventbridge" {
@@ -93,6 +111,9 @@ resource "aws_lambda_permission" "allow_eventbridge" {
 function_name = aws_lambda_function.certificate_monitor.function_name
 principal = "events.amazonaws.com"
 source_arn = aws_cloudwatch_event_rule.acm_events.arn
+ tags = merge(local.tags, {
+ Name = "${local.application_name}-${local.environment}-certificate-monitor"
+ })
 }
 
 output "sns_topic_arn" {
From 0eba59b4fc47050a851a544abadd7c20b9ff085d Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Dec 2024 10:30:31 +0000
Subject: [PATCH 04/12] CC-3015: Fixes.
---
...checker.tf => ccms-lambda-certificate-monitor.tf} | 12 ------------
1 file changed, 12 deletions(-)
rename terraform/environments/ccms-ebs/{ccms-lambda-certificate-checker.tf => ccms-lambda-certificate-monitor.tf} (88%)
diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
similarity index 88%
rename from terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
rename to terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
index 0810c98f120..e0d6777c74f 100644
--- a/terraform/environments/ccms-ebs/ccms-lambda-certificate-checker.tf
+++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
@@ -41,9 +41,6 @@ resource "aws_iam_role_policy" "lambda_policy" {
 }
 ]
 })
- tags = merge(local.tags, {
- Name = "${local.application_name}-${local.environment}-certificate-monitor"
- })
 }
 
 resource "aws_sns_topic" "certificate_expiration_alerts" {
@@ -57,9 +54,6 @@ resource "aws_sns_topic_subscription" "email" {
 topic_arn = aws_sns_topic.certificate_expiration_alerts.arn
 protocol = "email"
 endpoint = local.application_data.accounts[local.environment].certificate_monitor_email
- tags = merge(local.tags, {
- Name = "${local.application_name}-${local.environment}-certificate-monitor"
- })
 }
 
 resource "aws_lambda_function" "certificate_monitor" {
@@ -100,9 +94,6 @@ resource "aws_cloudwatch_event_target" "lambda_certificate_monitor" {
 rule = aws_cloudwatch_event_rule.acm_events.name
 target_id = "SendToLambda"
 arn = aws_lambda_function.certificate_monitor.arn
- tags = merge(local.tags, {
- Name = "${local.application_name}-${local.environment}-certificate-monitor"
- })
 }
 
 resource "aws_lambda_permission" "allow_eventbridge" {
@@ -111,9 +102,6 @@ resource "aws_lambda_permission" "allow_eventbridge" {
 function_name = aws_lambda_function.certificate_monitor.function_name
 principal = "events.amazonaws.com"
 source_arn = aws_cloudwatch_event_rule.acm_events.arn
- tags = merge(local.tags, {
- Name = "${local.application_name}-${local.environment}-certificate-monitor"
- })
 }
 
 output "sns_topic_arn" {
From 2b4cca686263e2583f5075251f5fba713481a889 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Dec 2024 15:48:18 +0000
Subject: [PATCH 05/12] CC-3015: Fixes.
---
.../ccms-lambda-certificate-monitor.tf | 4 ++--
.../ccms-ebs/lambda/certificate_monitor.zip | Bin 1466 -> 1457 bytes
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
index e0d6777c74f..3c7954b6f6b 100644
--- a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
+++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
@@ -61,7 +61,7 @@ resource "aws_lambda_function" "certificate_monitor" {
 function_name = "${local.application_name}-${local.environment}-certificate-monitor"
 role = aws_iam_role.lambda_certificate_monitor_role.arn
 handler = "lambda_function.lambda_handler"
- runtime = "python3.11"
+ runtime = "python3.13"
 timeout = 30
 
 environment {
@@ -112,4 +112,4 @@ output "sns_topic_arn" {
 output "lambda_function_arn" {
 description = "ARN of the Lambda function"
 value = aws_lambda_function.certificate_monitor.arn
-}
\ No newline at end of file
+}
diff --git a/terraform/environments/ccms-ebs/lambda/certificate_monitor.zip b/terraform/environments/ccms-ebs/lambda/certificate_monitor.zip index 882a4b3f0e0826cc7969394f9b9eb9e9f7015fac..50d4db89002177ab3a492ed9c4650054dfa9ffc8 100644 GIT binary patch delta 1398 zcmV-+1&R8)3$Y6wP)h>@6aWYS2moexj9CBx000000043g000&MAdwvz4GjPXLHb%} zkp)|4LHdzD9e)ZPs07iTT2(7ii6i8SM7StWRV_lu>>A?hvR>KVTu{V+@AzfkvJk1q z2eNC=jOUqo<}u;NOh^r1l}H2bo`nkbQXCj zJ&!PjTc#;bx@GiU7yy217Gs%)ptQ8>x8g{7x}Zl^tt~axxvJh5LXY>DwOs-D0cOiD z@Y}D$pDbpxh)}KNBTLygnoJXZ;5(jheF_V}YcieBKF>bQr=$;LwkY2=C5q`Y0=ts` zEj_7~n18-xTw+X~>bIzzA7#fXc%Xi6f}A=EU;-)(?x^*t)<;%F|n~W_FIWuMzv!I{iX&qIuf@{qe$ebu5vTH ztKK9#G*C$9;$d+TuJjt$H#JCMz3^D9nC)RN`lSDA3A^EbdEQj7&?E1o%^t}{LnkY zpQ}mWfdH%P#jA&X4jSY1xWKJu9h#a(Hh+laAz@T8(DYvh)J$L|xpAkFO;ZcVq-_r< zCZBo4Am&QuR$(nOec^R3OUC+<$nqUd&yy*DN>$fy+9~UU%6DH`{mJZ&?!|as-eWg}1XMX0)bydHk zfGS{B2G|cov?p%QCt)0|Q=y4a*?GsI7Wb`$C>O&+_&0cT| zZ(!ROqxNgtGF;h|9kPGtHYoU@c7IBcL8zO`Bxqzisxi`@sRpjfV|h>&NT1FMWw4f# zTed0T;F*y1aGuqb9u=AUto%C&+kwDex27<)gAKa+0Y-?~3yX5gey=$QuW?!dzrmF6 zR_Fht(BGw=r6=DvZSB=eHZU4pzhf(ab{rg?tz1qXXRFy{JP%>HoL};Vn}1R>N!4kj z@6aWAK2mmTij9Kf=`G)ue008(6000&M9FZLve+d8sfU{a> zg0os@b$AN^0R;8|000CO0001;S8Z=1HxT~5zhdMQ0#t%%PpztzsKgQOibO~hsHzqr zWOfblby=@$Z!Rd}zjyqyZvmqA_>kD1@w`6s77sf3P!GW2%|v2Uc7z_JQ9ERjj@$krwN%(Bh*rV3v`Ptj}H| zX5Fd6);QrT)e|X&41y@3O2L>(&38OPFSkrno^;B{Or zSar70ROhPN&xIcCFgbey@ByZad-(O2!H+gAbBJZKnvX1H-)J&PfB2qndBXKEEb6i% zliBpk^wVrYdO)W0ay|J!DE~C0( z`c3s|bns#tMIujie-({^Qniz8--uf>XAi59aHUsxzOE$^)+-$ZG26jT$OF}z15=9b zS%(>Ucvi74-27&oxN;FfKHF=cpBOCW3rK}e52FEZtB-0{J;LNSE&v5Xur5}_9gy{k zocGcvA6tatmAZu$setSCm<7kiLULFRT;EI+SHfl3Y1$}&e@)hX$+Cn-tkeFx-GlZI zgF!eLw7Xpw0fKL%#m0HK6nq_?MN91vorUdY%j-xtE@w*TV`Qep-0)S!8#^p)19}N= zOe5jdRqPZ5#UQ`BU`~OF6A(!}apkhDLU}X8Q&3^o77{gT)$Jn$cBZzScI&U3*5RfV zL+kgjbr-f4f9>uG{#cF!p8>Es6TJF-PeCK_$2p3c1!%GrSz|5_38RXErvEUYX3R3l z&2<{tFtvb8+P;8d@|i~rVy>$e>9B|{nu!#2a!lMdqEMt-nNN`^;fpPc(N|rY5&ixQSe6XL?POcO_hny@OV^1 
zul1?=t|cS6S5=NaoF%ejEhKkrL&707ChO+>1e7+)$bD3P55jfAKf0zaHOD5qx&y<{ z?1e?SofJ<@m|nwMk$wYKAMl;hk{WaG1^Kps-d43s>b3Ikx`Bvd_@|)DLZkKyUHIZqO{~fz ze=|3zcbQ{LdhG^pr~I{%GI5|CiZhPu)tPxx{Hl1Lmn+`$WOjj;%PU^PLHwZU$N3>s9u5~c{JrjeUnehwd`8o?@UIo= zUrk0Qe0602Tlk0000000EO+1tA3m00V%tlZpi$ O3S0mH07wM@0000--JKTz From ab09308a6cd0d837702681f9e088c5aa5b5f4c90 Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Thu, 12 Dec 2024 15:57:42 +0000 Subject: [PATCH 06/12] CC-3015: Fixes. --- .../environments/ccms-ebs/ccms-lambda-certificate-monitor.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf index 3c7954b6f6b..df93b7308f3 100644 --- a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf +++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf @@ -57,7 +57,7 @@ resource "aws_sns_topic_subscription" "email" { } resource "aws_lambda_function" "certificate_monitor" { - filename = "certificate_monitor.zip" + filename = "./lambda/certificate_monitor.zip" function_name = "${local.application_name}-${local.environment}-certificate-monitor" role = aws_iam_role.lambda_certificate_monitor_role.arn handler = "lambda_function.lambda_handler" From fa2bfaa77747735b983023f8b70f42d65f44f5b2 Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Thu, 12 Dec 2024 16:41:51 +0000 Subject: [PATCH 07/12] CC-3015: Added the 'certificate_expiry_days' variable. --- .../environments/ccms-ebs/application_variables.json | 12 ++++++++---- .../ccms-ebs/ccms-lambda-certificate-monitor.tf | 1 + 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/terraform/environments/ccms-ebs/application_variables.json b/terraform/environments/ccms-ebs/application_variables.json index 1dad79a79ff..7222d232296 100644 
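Review bot: `filename = "./lambda/certificate_monitor.zip"` is resolved relative to the working directory Terraform is run from, not the directory of this `.tf` file, so the plan breaks as soon as the module is applied from elsewhere (a wrapper, a CI checkout at a different root); `filename = "${path.module}/lambda/certificate_monitor.zip"` pins it to the module. The same relative path is reused by the `source_code_hash` expressions added in the PATCH 11/12 hunks and should get the same treatment there. The `aws_lambda_function` resource continues outside this hunk.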
--- a/terraform/environments/ccms-ebs/application_variables.json
+++ b/terraform/environments/ccms-ebs/application_variables.json
@@ -101,7 +101,8 @@
 "s3_lifecycle_days_transition_current_standard": 90,
 "s3_lifecycle_days_transition_noncurrent_glacier": 365,
 "s3_lifecycle_days_transition_noncurrent_standard": 90,
- "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk"
+ "certificate_expiry_days": 333,
+ "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk,sahid.khan@digital.justice.gov.uk"
 },
 "test": {
 "short_env": "tst",
@@ -200,7 +201,8 @@
 "s3_lifecycle_days_transition_current_standard": 90,
 "s3_lifecycle_days_transition_noncurrent_glacier": 365,
 "s3_lifecycle_days_transition_noncurrent_standard": 90,
- "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk"
+ "certificate_expiry_days": 45,
+ "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk,sahid.khan@digital.justice.gov.uk"
 },
 "preproduction": {
 "short_env": "prep",
@@ -299,7 +301,8 @@
 "s3_lifecycle_days_transition_current_standard": 90,
 "s3_lifecycle_days_transition_noncurrent_glacier": 365,
 "s3_lifecycle_days_transition_noncurrent_standard": 90,
- "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk"
+ "certificate_expiry_days": 45,
+ "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk,sahid.khan@digital.justice.gov.uk"
 },
 "production": {
 "short_env": "prod",
@@ -400,7 +403,8 @@
 "s3_lifecycle_days_transition_current_standard": 90,
 "s3_lifecycle_days_transition_noncurrent_glacier": 365,
 "s3_lifecycle_days_transition_noncurrent_standard": 90,
- "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk"
+ "certificate_expiry_days": 60,
+ "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk,sahid.khan@digital.justice.gov.uk"
 }
 },
 "webgate_ebs": {
diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
index df93b7308f3..67a5c2426e3 100644
--- a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
+++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
@@ -66,6 +66,7 @@ resource "aws_lambda_function" "certificate_monitor" {
 
 environment {
 variables = {
+ EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
 SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
 }
 }
From ab9bc6efb3665f2e0f458c66b5f6c3ce945fd32f Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Dec 2024 16:42:44 +0000
Subject: [PATCH 08/12] CC-3015: Updated the Lambda ZIP.
---
.../ccms-ebs/lambda/certificate_monitor.zip | Bin 1457 -> 1681 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
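Review bot: The new `EXPIRY_DAYS` variable has no documentation and its meaning is only defined inside the binary `certificate_monitor.zip`, which a reader of this file cannot open; the per-environment values introduced in the same commit's JSON hunk (333 in development against 45/45/60 elsewhere) make it hard to tell whether 333 is a deliberate setting or a leftover test value. A comment on the line would settle both, e.g. `# EXPIRY_DAYS: presumably the number of days before expiry at which the handler raises an alert — confirm against lambda_function.py in certificate_monitor.zip`, and the 333 should be confirmed or aligned with the other environments. The enclosing `aws_lambda_function` resource starts outside this hunk.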
diff --git a/terraform/environments/ccms-ebs/lambda/certificate_monitor.zip b/terraform/environments/ccms-ebs/lambda/certificate_monitor.zip index 50d4db89002177ab3a492ed9c4650054dfa9ffc8..9bc4ba8db3342d36907700e137dd884775c5f886 100644 GIT binary patch delta 1600 zcmV-G2EX~S3y}>NP)h>@6aWYS2moq?j9CBx00000003PPkr*L=$q-v-UlLnq$q-v- zb$AN^0R;8|000CO0001`SX*z~HWYr>uOK)Cl~G3sw)I7T3%HKc8A!b#_ONw>te|N9Ovk|@j0+D;FyM4tQk&Lw5Lk_&~tNL~cYzH=FD1mB^ID5}_wB6nVY z50U=OXs(DQRQr;D72BF@T(`VE8qu#Q zEfwR1tYuAdMhi6+f{P#s(ws<%CR8Z4VJTR1O%-8z*hnA50fNV)7>goCQVDZ@&3A+q zbF!oD*+LOj$@Y8B)p!F|wEN5yT*N#1Z;OXt`-q-Zf;pn^Lm!5rjdML=fAQwTv~Es$u0jEVtxqb*bC3QcCt8Og1{R^+am%E%2Ns%J|P(*YUmV#+^ zk{UA=N2M?+LXwInmQs{4DJs)V4LV)$RV5nKy0R#%HB``}4uC9V=q^pA4Uw$YUubHp z(p1Kp^SmjIJImUn2+YtWqIk*DrY1mWlA1n$4k_jkrWv;f^)5Xs3W3(=vTOcCB+0*56TCFbU0Zx;Whu>8llJuHO&PI z4@QpEdDRmy^$OYOl#vDJSZt-|zcptGnet4s$HpY+S6ZYm&NYL!mDiR#tK2u@2DpLS zRCL%p#o9YxfyD|0H}0sjeWr7ypG{{l`g2fMEbJ_hI|cpds8#H#ilCnB zF;Y;dvn;|L@q^BnE6tal1=zxA!ZV6v^z+r#uurn)*&Z(Y%;wg0WgzG{bIy3&S75}X z-RT*l*N5vFDK>h*ZC}n&`6!Bik6_p5IdqQ>T?qIPH7hw@q0#94Zrufj8)0Tmn%vKp zv&r~2MvKMmDPDBh;G<1;w`m{C{1ayHZ2s|#NZnl)93a#RM&a>dW#Tiyt=HaacVahh zfhVg}w_Tt+y{t5QidR%8f!YJ94ty8kbOuHtPLP7LqrQc0rme6^Z$nU_rTkOwu7}>nWpt0^{+2X?O=7&^2EN>us90+ zpB7P8?MmqYb7HxAE&u0p?WOjFg}t%wS=))jzfemD2#$6$u(JgK09_FP08mQ-0u%!j y00;mG0BVGcS&nuyu(JgO003PPlTigP3&{{$XI~OqXUPy-lZyo)1{VeZ0002AyZJT% delta 1374 zcmV-k1)=(p4Y3OtP)h>@6aWYS2moexj9CBx000000043gkr*L=LHb%}kp)|4LHb%} zb$AN^0R;8|000CO0001;S8Z=1HxT~5zhdMH9jFA+o?2BaQHdkuibS|5P*p8L$m|;8 z>#|6} zcekrg8BY(z-Z(vf_2HIBx({=%nWRY{R;P@`W-TZp?}Qc~ox6FAgk%Hu60uBkk*Xrr zB;hR8Qz?ZEf*?w$QZQjs^F5C+g$l=adAguSR;?{H z)w!zP7ebHsn6+I2_yK0iFYw#1!=Ef>vxrcw(R=`#YmlK(9|sg;<%WL#oQp6a)#oF8W0T5HDtBzb&b_OW%yGm{ES zT_NXj^&Hz^TWl<=K-nGhA>+w?{b(3xnG`g7GAyuZQ`1F*{jH_lWihd_HuhVITt>BH z2>qr8G&&N0w@sr+g|y! zMGvgYj6v8cU=MD7H>bGj5kl^)8|Wtn%f%8>;Xz_L;A0KY%$i47g00Iy!3gXTYvLBj zW=-0?_2^?uS#+sKSd)s$-i}$aY%NDe<#-Ovd~qdz9Kvqdz-F+5@?*u~>q~=zOtvl}$lsb8Ra>~wF3xpdzZzJ6_wT#+RW`@Xk_!^_f9?RS! 
z*$Ku8u9@z_t1II<2#Rrkbvc~_lP(~?c;aek`-l5Ypy!~XwXH5%)Ji@;UhGZ5yB|7# z-*k?DH=P(de}tX;u(SNoJHwx=N#KD1tLw$9hkXtjz_tPQ^}$q#TO}=UTQ0(=g+qMaH9lavm_~HnQ4|?Xy?Gz`b?}Zh6L8mo4=Q zj)p=FSo+MRNRd2?<#zSuVK&)fwF*jT)XS3O)fod1r@Jx{v3#R4bRX_ro+F=cAC?Z@ z$iwWF0ez)bGG~6~%ym`2qkt-4RR-7(M6@Sv&nICt($&PWP@a0_o>+ZUtuYuhqh*_0i!f9EzR_@H)5kU^-M$|PuHJE}3# zo~Z_|%42y@6-b}X3T3dCl3TVZ;ozB&^>Ciml^zwD`>gys2-|_cU$>?(wSx`1`T<6W z*$azu%YLsp2(NKk0l&eN?^fskqtM@frJkiH-#2aT)l4=p8eP9*D}Z(!9G$IPP9A5g z*`N6Gx^G3+)~81*)HR8}a7R}| zqw>fw7ws+!SE*UO;O(HjHUJSvn~8`S3E}7A&=kIiZt%k|!(qSavJ>$Mjhlgg?2bPj zH;KE8loewaZl5Q~iL{)m^IBW>d~%1~#|EK%FeE z_Ckg&<*a4fsKb9yO9u!)Tz04;(*ytjat#0gP)h*<6ay3h2mlBGW_OHPKU{XG(*ytj gat)I)1}_Ui`dVj^1zTr9`dX7~1|SAE1poj50B5$4egFUf From f74b44778f0c3dadce73ccf0952cc15682b10603 Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Thu, 12 Dec 2024 16:48:44 +0000 Subject: [PATCH 09/12] CC-3015: Fixes. --- .../environments/ccms-ebs/application_variables.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/environments/ccms-ebs/application_variables.json b/terraform/environments/ccms-ebs/application_variables.json index 7222d232296..9fb56b34e0a 100644 --- a/terraform/environments/ccms-ebs/application_variables.json +++ b/terraform/environments/ccms-ebs/application_variables.json @@ -102,7 +102,7 @@ "s3_lifecycle_days_transition_noncurrent_glacier": 365, "s3_lifecycle_days_transition_noncurrent_standard": 90, "certificate_expiry_days": 333, - "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk,sahid.khan@digital.justice.gov.uk" + "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk" }, "test": { "short_env": "tst", 
@@ -202,7 +202,7 @@ "s3_lifecycle_days_transition_noncurrent_glacier": 365, "s3_lifecycle_days_transition_noncurrent_standard": 90, "certificate_expiry_days": 45, - "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk,sahid.khan@digital.justice.gov.uk" + "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk" }, "preproduction": { "short_env": "prep", @@ -302,7 +302,7 @@ "s3_lifecycle_days_transition_noncurrent_glacier": 365, "s3_lifecycle_days_transition_noncurrent_standard": 90, "certificate_expiry_days": 45, - "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk,sahid.khan@digital.justice.gov.uk" + "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk" }, "production": { "short_env": "prod", @@ -404,7 +404,7 @@ "s3_lifecycle_days_transition_noncurrent_glacier": 365, "s3_lifecycle_days_transition_noncurrent_standard": 90, "certificate_expiry_days": 60, - "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk,sahid.khan@digital.justice.gov.uk" + "certificate_monitor_email": "maciej.matysiak@digital.justice.gov.uk" } }, "webgate_ebs": { From 988456adaaba8d733d1c7d0cc336ca5c6ed9a2b9 Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Fri, 13 Dec 2024 09:13:29 +0000 Subject: [PATCH 10/12] CC-3015: Updated the Lambda ZIP. --- .../ccms-ebs/lambda/certificate_monitor.zip | Bin 1681 -> 1673 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/terraform/environments/ccms-ebs/lambda/certificate_monitor.zip b/terraform/environments/ccms-ebs/lambda/certificate_monitor.zip index 9bc4ba8db3342d36907700e137dd884775c5f886..4ad0df5374460d6ad615fae313665be4f13264a6 100644 GIT binary patch delta 115 zcmbQp+sQjYN>zwKfgvX`Hz_4CKCLt_xg;|`Pp_adG=!Id{iHy2deN`w^uk{oojuN>hwMfgw4ys3bEjGdZy&H9j{#FS8`SNUxwWG=!Id{iHy2dc06{`bmL} w_8(Z|K&oM2Nh63wl-}s{(h6<{MwV}k3=AwHKwSaetZX3Nj6j$Iq{YEJ09o54od5s; 
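Review bot: Reverting `certificate_monitor_email` to a single address works around the fact that an `aws_sns_topic_subscription` `endpoint` is exactly one recipient, but the previous commit shows the real requirement was two recipients, and that need is not met after this change. Storing the value as a JSON list and creating one subscription per entry covers it without further edits to this file: `for_each = toset(local.application_data.accounts[local.environment].certificate_monitor_email)` on the subscription resource with `endpoint = each.value`, and `"certificate_monitor_email": ["<address-1>", "<address-2>"]` here (addresses are placeholders). The four hunks in this file carry the same change and would all move to the list form together.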
From da3ec14259454528ffd8639eae9f3bcaca165e73 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:21:59 +0000
Subject: [PATCH 11/12] CC-3015: Added the 'source_code_hash' parameter.
---
.../ccms-ebs/ccms-lambda-certificate-monitor.tf | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
index 67a5c2426e3..bbdd0cec802 100644
--- a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
+++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
@@ -57,12 +57,14 @@ resource "aws_sns_topic_subscription" "email" {
 }
 
 resource "aws_lambda_function" "certificate_monitor" {
- filename = "./lambda/certificate_monitor.zip"
- function_name = "${local.application_name}-${local.environment}-certificate-monitor"
- role = aws_iam_role.lambda_certificate_monitor_role.arn
- handler = "lambda_function.lambda_handler"
- runtime = "python3.13"
- timeout = 30
+ filename = "./lambda/certificate_monitor.zip"
+ source_code_hash = base64sha256(file("./lambda/certificate_monitor.zip"))
+ function_name = "${local.application_name}-${local.environment}-certificate-monitor"
+ role = aws_iam_role.lambda_certificate_monitor_role.arn
+ handler = "lambda_function.lambda_handler"
+ runtime = "python3.13"
+ timeout = 30
+ publish = true
 
 environment {
 variables = {
From 12a2ea2221db123a342e0863c6ccdbc0c9f7f600 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Fri, 13 Dec 2024 09:24:30 +0000
Subject: [PATCH 12/12] CC-3015: Fixes.
---
.../environments/ccms-ebs/ccms-lambda-certificate-monitor.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
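Review bot: `publish = true` makes Lambda cut a new immutable version on every code change, but `aws_cloudwatch_event_target.lambda_certificate_monitor` still targets the unqualified `aws_lambda_function.certificate_monitor.arn`, so EventBridge keeps invoking `$LATEST` and the published versions are never used; either drop `publish` or add an `aws_lambda_alias` and point the target at the alias ARN. Separately, `source_code_hash` now detects drift in `certificate_monitor.zip`, but that zip is a committed binary whose handler nobody can read in a diff; committing the `lambda_function.py` source (the module name the `handler` line already expects) and building the archive at plan time keeps the code reviewable and derives the hash automatically, as sketched below — the source path is a constructed example and this needs the `archive` provider to be available in the module. The resource's `environment` block continues outside this hunk.
```hcl
# builds the deployment package from reviewable source instead of a committed binary
data "archive_file" "certificate_monitor" {
  type        = "zip"
  source_file = "${path.module}/lambda/lambda_function.py"
  output_path = "${path.module}/lambda/certificate_monitor.zip"
}

resource "aws_lambda_function" "certificate_monitor" {
  filename         = data.archive_file.certificate_monitor.output_path
  source_code_hash = data.archive_file.certificate_monitor.output_base64sha256
  # … unchanged: function_name, role, handler, runtime, timeout, environment …
```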
diff --git a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
index bbdd0cec802..b00caafd659 100644
--- a/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
+++ b/terraform/environments/ccms-ebs/ccms-lambda-certificate-monitor.tf
@@ -58,7 +58,7 @@ resource "aws_sns_topic_subscription" "email" {
 
 resource "aws_lambda_function" "certificate_monitor" {
 filename = "./lambda/certificate_monitor.zip"
- source_code_hash = base64sha256(file("./lambda/certificate_monitor.zip"))
+ source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
 function_name = "${local.application_name}-${local.environment}-certificate-monitor"
 role = aws_iam_role.lambda_certificate_monitor_role.arn
 handler = "lambda_function.lambda_handler"