Merge pull request #9264 from ministryofjustice/migration_yjaf_initial

Initial Yjaf commit
ministryofjustice · Jan 22, 2025 · 1fd0520 · 1fd0520
2 parents b6aecf1 + bf63c37
commit 1fd0520
Show file tree

Hide file tree

Showing 117 changed files with 5,761 additions and 4 deletions.
diff --git a/terraform/environments/youth-justice-app-framework/application_variables.json b/terraform/environments/youth-justice-app-framework/application_variables.json
@@ -1,16 +1,24 @@
 {
   "accounts": {
     "development": {
-      "example_var": "dev-data"
+      "environment_name": "yjaf-development",
+      "allow_s3_replication": true,
+      "source_account": "856879713508"
     },
     "test": {
-      "example_var": "test-data"
+      "environment_name": "yjaf-test",
+      "allow_s3_replication": true,
+      "source_account": "856879713508"
     },
     "preproduction": {
-      "example_var": "preproduction-data"
+      "environment_name": "yjaf-preproduction",
+      "allow_s3_replication": true,
+      "source_account": "053556912568"
     },
     "production": {
-      "example_var": "production-data"
+      "environment_name": "jyaf-production",
+      "allow_s3_replication": true,
+      "source_account": "066012302209"
     }
   }
 }
diff --git a/terraform/environments/youth-justice-app-framework/aurora.tf b/terraform/environments/youth-justice-app-framework/aurora.tf
@@ -0,0 +1,101 @@
+
+module "aurora" {
+  source       = "./modules/aurora"
+  project_name = local.project_name
+  vpc_id       = data.aws_vpc.shared.id
+  tags         = local.tags
+
+  database_subnets           = local.data_subnet_list[*].id
+  alb_route53_record_zone_id = data.aws_route53_zone.yjaf-inner.id
+
+
+  name                       = "yjafrds01-cluster"
+  azs                        = ["eu-west-2a", "eu-west-2b"]
+  db_cluster_instance_class  = "db.t4g.medium"
+  database_subnet_group_name = "yjaf-db-subnet-group"
+  alb_route53_record_name    = "db-yjafrds01"
+
+  #one time restore from a shared snapshot on preprod
+  snapshot_identifier = "arn:aws:rds:eu-west-2:053556912568:cluster-snapshot:sharedwithdevencrypt"
+
+  user_passwords_to_reset = ["postgres_rotated"]
+
+  engine          = "aurora-postgresql"
+  engine_version  = "16.2"
+  master_username = "root"
+
+  create_sheduler              = true
+  stop_aurora_cluster_schedule = "cron(00 00 ? * MON-FRI *)"
+  performance_insights_enabled = true
+
+  #pass in provider for creating records on central route53
+  providers = {
+    aws                       = aws
+    aws.core-network-services = aws.core-network-services
+  }
+  kms_key_arn = module.kms.key_arn
+  kms_key_id  = module.kms.key_id
+
+  # todo - some of these rules are commented out as the resource doesn't exist yet. 
+  # It would make more sense the add the rules in their respective modules rather than here
+  rds_security_group_ingress = [
+    {
+      from_port   = "5432"
+      to_port     = "5432"
+      protocol    = "tcp"
+      description = "Dummy rule"
+      cidr_blocks = [data.aws_vpc.shared.cidr_block] #todo change to real sg rules
+    }
+    /*
+    windows_mgmt_servers = {
+      from_port   = "5432"
+      to_port     = "5432"
+      protocol    = "tcp"
+      description = "Access from mgmt servers on the local account"
+      source_security_group_id = "sg-blablabla"
+    }
+    quicksight = {
+      source_security_group_id = "sg-blablabla"
+      from_port   = "5432"
+      to_port     = "5432"
+      protocol    = "tcp"
+      description = "Quicksight access to postgres"
+    }
+    redshift = {
+      source_security_group_id = "sg-blablabla"
+      from_port   = "5432"
+      to_port     = "5432"
+      protocol    = "tcp"
+      description = "Redshift access to postgres"
+    }
+    yjsm = {
+      source_security_group_id = "sg-blablabla" 
+      from_port   = "5432"
+      to_port     = "5432"
+      protocol    = "tcp"
+      description = "YJSM access to postgres"
+    }
+    tableau = {
+      source_security_group_id = "sg-blablabla"
+      from_port   = "5432"
+      to_port     = "5432"
+      protocol    = "tcp"
+      description = "Tableau access to postgres"
+    }
+    ecs_to_postgres = {
+      source_security_group_id = "sg-blablabla" 
+      from_port   = "5432"
+      to_port     = "5432"
+      protocol    = "tcp"
+      description = "ECS to Postgres access"
+    }
+    mgmt_access = {
+      source_security_group_id = "sg-blablabla" 
+      from_port   = "5432"
+      to_port     = "5432"
+      protocol    = "tcp"
+      description = "Whitelisted mgmt account access"
+    }
+  */
+  ]
+}
diff --git a/terraform/environments/youth-justice-app-framework/certs.tf b/terraform/environments/youth-justice-app-framework/certs.tf
@@ -0,0 +1,11 @@
+
+module "certs" {
+  source = "./modules/dns/certs"
+
+  project_name = local.project_name
+
+  r53_zone_id = module.public_dns_zone.aws_route53_zone_id
+  domain_name = "yjaf.${local.environment}.yjbservices.yjb.gov.uk"
+
+  tags = local.tags
+}
diff --git a/terraform/environments/youth-justice-app-framework/cloudfront.tf b/terraform/environments/youth-justice-app-framework/cloudfront.tf
@@ -0,0 +1,17 @@
+module "cloudfront_yjaf" {
+  source = "./modules/cloudfront"
+
+  providers = {
+    aws           = aws
+    aws.us-east-1 = aws.us-east-1
+  }
+
+  cloudfront_alias = "yjaf.${local.environment}.yjbservices.yjb.gov.uk"
+  alb_dns          = module.external_alb.dns_name
+  waf_web_acl_arn  = module.waf-cf.waf_arn
+  r53_zone_id      = module.public_dns_zone.aws_route53_zone_id
+  kms_key_arn      = module.kms.key_arn
+  environment      = local.environment
+  project_name     = local.project_name
+  tags             = local.tags
+}
diff --git a/terraform/environments/youth-justice-app-framework/codedeploy.tf b/terraform/environments/youth-justice-app-framework/codedeploy.tf
@@ -0,0 +1,37 @@
+
+module "codedeploy" {
+  source       = "./modules/codedeploy"
+  project_name = local.project_name
+  tags         = local.tags
+  cluster_name = "yjaf-cluster"
+  environment  = local.environment
+  services = [
+    { "auth" = "internal" },
+    { "bands" = "internal" },
+    { "bu" = "internal" },
+    { "case" = "internal" },
+    { "cmm" = "internal" },
+    { "conversions" = "internal" },
+    { "dal" = "internal" },
+    { "documents" = "internal" },
+    { "placements" = "internal" },
+    { "refdata" = "internal" },
+    { "returns" = "internal" },
+    { "sentences" = "internal" },
+    { "serious-incidents" = "internal" },
+    { "transfers" = "internal" },
+    { "transitions" = "internal" },
+    { "ui" = "internal" },
+    { "views" = "internal" },
+    { "workflow" = "internal" },
+    { "yp" = "internal" },
+  ]
+
+  internal_alb_name = "yjaf-int-internal"
+  external_alb_name = "yjaf-ext-external"
+  depends_on = [
+    module.internal_alb,
+    module.external_alb,
+    module.ecs
+  ]
+}
diff --git a/terraform/environments/youth-justice-app-framework/directory_service.tf b/terraform/environments/youth-justice-app-framework/directory_service.tf
@@ -0,0 +1,16 @@
+module "ds" {
+  source = "./modules/directory-service"
+
+  project_name = local.project_name
+  tags         = merge(local.tags, { Name = "AD Management Server" })
+
+  ds_managed_ad_directory_name = "i2n.com"
+  ds_managed_ad_short_name     = "i2n"
+  management_keypair_name      = "ad_management_server"
+  ds_managed_ad_secret_key     = module.kms.key_arn
+
+  ds_managed_ad_vpc_id     = data.aws_vpc.shared.id
+  ds_managed_ad_subnet_ids = [data.aws_subnet.private_subnets_a.id, data.aws_subnet.private_subnets_b.id]
+  vpc_cidr_block           = data.aws_vpc.shared.cidr_block
+  management_subnet_id     = local.private_subnet_list[0].id
+}
diff --git a/terraform/environments/youth-justice-app-framework/dns_private_hosted_zone.tf b/terraform/environments/youth-justice-app-framework/dns_private_hosted_zone.tf
@@ -0,0 +1,7 @@
+
+data "aws_route53_zone" "yjaf-inner" {
+  provider = aws.core-network-services
+
+  name         = "development.yjaf"
+  private_zone = true
+}
diff --git a/terraform/environments/youth-justice-app-framework/dns_public_hosted_zone.tf b/terraform/environments/youth-justice-app-framework/dns_public_hosted_zone.tf
@@ -0,0 +1,9 @@
+
+module "public_dns_zone" {
+  source              = "./modules/dns/hosted_zone"
+  domain_name         = "${local.environment}.yjbservices.yjb.gov.uk"
+  project_name        = local.project_name
+  private_hosted_zone = false
+  vpc                 = data.aws_vpc.shared.id
+  tags                = local.tags
+}
diff --git a/terraform/environments/youth-justice-app-framework/ecs.tf b/terraform/environments/youth-justice-app-framework/ecs.tf
@@ -0,0 +1,51 @@
+
+#tfsec:ignore:AVD-AWS-0130
+module "ecs" {
+  source = "./modules/ecs"
+
+  #Network details
+  vpc_id         = data.aws_vpc.shared.id
+  ecs_subnet_ids = local.private_subnet_list[*].id
+
+  #ALB details 
+  external_alb_security_group_id = module.external_alb.alb_security_group_id
+  internal_alb_security_group_id = module.internal_alb.alb_security_group_id
+  external_alb_arn               = module.external_alb.alb_arn
+  internal_alb_arn               = module.internal_alb.alb_arn
+  external_alb_name              = module.external_alb.alb_name
+  internal_alb_name              = module.internal_alb.alb_name
+
+  #ECS details
+  cluster_name         = "yjaf-cluster"
+  ec2_instance_type    = "m5.xlarge"
+  ec2_min_size         = 1
+  ec2_max_size         = 8
+  ec2_desired_capacity = 5
+  nameserver           = join(".", [split(".", data.aws_vpc.shared.cidr_block)[0], split(".", data.aws_vpc.shared.cidr_block)[1], "0", "2"]) #eg "10.23.0.2"
+
+  spot_overrides = [
+    {
+      instance_type     = "t3.xlarge"
+      weighted_capacity = "3"
+    },
+    {
+      instance_type     = "m5.large"
+      weighted_capacity = "2"
+    },
+    {
+      instance_type     = "t3.large"
+      weighted_capacity = "1"
+    }
+  ]
+
+  #todo should be a ecs specific user instead of root user
+  ecs_service_postgres_secret_arn = "arn:aws:secretsmanager:eu-west-2:012345678:secret:rds!cluster-9e616cc2-98fd-4b4a-af98-44b25c088ff8-KPsJBM"
+
+  ecs_services = local.ecs_services
+
+  project_name = local.project_name
+  environment  = local.environment
+  tags         = local.tags
+
+  depends_on = [module.internal_alb, module.external_alb]
+}
diff --git a/terraform/environments/youth-justice-app-framework/external_alb.tf b/terraform/environments/youth-justice-app-framework/external_alb.tf
@@ -0,0 +1,27 @@
+#tfsec:ignore:AWS0053 "The load balancer is internet facing by design."
+#tfsec:ignore:AVD-AWS-0053
+module "external_alb" {
+  #checkov:skip=CKV_AWS_2:false alert
+  source = "./modules/alb"
+  #pass in provider for creating records on central route53
+  providers = {
+    aws.core-network-services = aws.core-network-services
+  }
+
+  environment  = local.environment
+  project_name = local.project_name
+  vpc_id       = data.aws_vpc.shared.id
+  tags         = local.tags
+
+  alb_name = "yjaf-ext"
+  internal = false
+  #alb_route53_record_zone_id = module.private_dns_zone.aws_route53_zone_id #data.aws_route53_zone_id.inner.id
+
+  listeners              = local.external_listeners
+  existing_target_groups = module.internal_alb.target_group_arns
+
+
+  alb_subnets_ids   = local.public_subnet_list[*].id
+  web_acl_arn       = module.waf.waf_arn
+  associate_web_acl = true
+}
diff --git a/terraform/environments/youth-justice-app-framework/internal_alb.tf b/terraform/environments/youth-justice-app-framework/internal_alb.tf
@@ -0,0 +1,25 @@
+#tfsec:ignore:AWS0054 "This is an internal alb, the traffic only moves within the vpc and https is not required."
+#tfsec:ignore:AVD-AWS-0054
+module "internal_alb" {
+  source = "./modules/alb"
+
+  environment     = local.environment
+  project_name    = local.project_name
+  vpc_id          = data.aws_vpc.shared.id
+  alb_subnets_ids = local.private_subnet_list[*].id
+  tags            = local.tags
+
+  alb_name                   = "yjaf-int"
+  internal                   = true
+  alb_route53_record_name    = "private-lb"
+  alb_route53_record_zone_id = data.aws_route53_zone.yjaf-inner.id
+
+  listeners     = local.internal_listeners
+  target_groups = local.target_groups
+
+  #pass in provider for creating records on central route53
+  providers = {
+    aws.core-network-services = aws.core-network-services
+  }
+
+}
diff --git a/terraform/environments/youth-justice-app-framework/kms.tf b/terraform/environments/youth-justice-app-framework/kms.tf
@@ -0,0 +1,47 @@
+module "kms" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  source  = "terraform-aws-modules/kms/aws"
+  version = "3.1.1"
+
+  deletion_window_in_days = 7
+  description             = "KMS key for ${local.project_name}"
+  enable_key_rotation     = true
+  is_enabled              = true
+  key_usage               = "ENCRYPT_DECRYPT"
+
+  aliases = [local.project_name]
+
+  key_statements = [
+    {
+      sid = "CloudWatchLogs"
+      actions = [
+        "kms:Encrypt*",
+        "kms:Decrypt*",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:Describe*"
+      ]
+      resources = ["*"]
+
+      principals = [
+        {
+          type        = "Service"
+          identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+        }
+      ]
+
+      conditions = [
+        {
+          test     = "ArnLike"
+          variable = "kms:EncryptionContext:aws:logs:arn"
+          values = [
+            "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*",
+          ]
+        }
+      ]
+    }
+  ]
+
+  tags = local.tags
+}
+#todo add to all secrets
diff --git a/terraform/environments/youth-justice-app-framework/locals.tf b/terraform/environments/youth-justice-app-framework/locals.tf
@@ -1 +1,4 @@
 #### This file can be used to store locals specific to the member account ####
+locals {
+  project_name = "yjaf"
+}