From 007353dcdcc5ae87df6fbffe4aaec901a8c7e13b Mon Sep 17 00:00:00 2001 From: Sam Ainsworth Date: Thu, 12 Oct 2023 15:37:55 +0100 Subject: [PATCH] UML-3119 Move ALBs to region module (#2368) * UML-3119 Move ALBs to region module --- terraform/environment/cloudwatch_alarms.tf | 10 +- terraform/environment/config_file.tf | 9 +- terraform/environment/dns.tf | 32 ++- terraform/environment/dns_health_check.tf | 4 +- terraform/environment/refactor.tf | 214 ++++++++++++++++++ terraform/environment/region.tf | 104 +++++---- terraform/environment/region/actor_ecs.tf | 6 +- .../{ => region}/actor_load_balancer.tf | 68 ++++-- terraform/environment/region/admin_ecs.tf | 12 +- .../{ => region}/admin_load_balancer.tf | 54 +++-- terraform/environment/region/api_ecs.tf | 6 +- terraform/environment/region/data_sources.tf | 8 +- terraform/environment/region/outputs.tf | 19 +- terraform/environment/region/pdf_ecs.tf | 2 +- terraform/environment/region/variables.tf | 68 +++--- terraform/environment/region/viewer_ecs.tf | 6 +- .../{ => region}/viewer_load_balancer.tf | 66 ++++-- terraform/environment/shared_data_sources.tf | 5 - terraform/environment/waf.tf | 4 +- 19 files changed, 515 insertions(+), 182 deletions(-) rename terraform/environment/{ => region}/actor_load_balancer.tf (79%) rename terraform/environment/{ => region}/admin_load_balancer.tf (72%) rename terraform/environment/{ => region}/viewer_load_balancer.tf (82%) diff --git a/terraform/environment/cloudwatch_alarms.tf b/terraform/environment/cloudwatch_alarms.tf index 6924b38632..67e5e2612d 100644 --- a/terraform/environment/cloudwatch_alarms.tf +++ b/terraform/environment/cloudwatch_alarms.tf @@ -6,7 +6,7 @@ resource "aws_cloudwatch_metric_alarm" "viewer_5xx_errors" { comparison_operator = "GreaterThanThreshold" datapoints_to_alarm = 2 dimensions = { - "LoadBalancer" = trimprefix(split(":", aws_lb.viewer.arn)[5], "loadbalancer/") + "LoadBalancer" = trimprefix(split(":", module.eu_west_1.albs.viewer.arn)[5], "loadbalancer/") } evaluation_periods = 2 insufficient_data_actions = [] @@ -28,7 +28,7 @@ resource "aws_cloudwatch_metric_alarm" "actor_5xx_errors" { comparison_operator = "GreaterThanThreshold" datapoints_to_alarm = 2 dimensions = { - "LoadBalancer" = trimprefix(split(":", aws_lb.actor.arn)[5], "loadbalancer/") + "LoadBalancer" = trimprefix(split(":", module.eu_west_1.albs.actor.arn)[5], "loadbalancer/") } evaluation_periods = 2 insufficient_data_actions = [] @@ -86,7 +86,7 @@ resource "aws_cloudwatch_metric_alarm" "actor_ddos_attack_external" { treat_missing_data = "notBreaching" alarm_actions = [aws_sns_topic.cloudwatch_to_pagerduty.arn] dimensions = { - ResourceArn = aws_lb.actor.arn + ResourceArn = module.eu_west_1.albs.actor.arn } } @@ -103,7 +103,7 @@ resource "aws_cloudwatch_metric_alarm" "viewer_ddos_attack_external" { treat_missing_data = "notBreaching" alarm_actions = [aws_sns_topic.cloudwatch_to_pagerduty.arn] dimensions = { - ResourceArn = aws_lb.viewer.arn + ResourceArn = module.eu_west_1.albs.viewer.arn } } @@ -120,7 +120,7 @@ resource "aws_cloudwatch_metric_alarm" "admin_ddos_attack_external" { treat_missing_data = "notBreaching" alarm_actions = [aws_sns_topic.cloudwatch_to_pagerduty.arn] dimensions = { - ResourceArn = aws_lb.admin.arn + ResourceArn = module.eu_west_1.albs.admin.arn } } diff --git a/terraform/environment/config_file.tf b/terraform/environment/config_file.tf index 2b50f5f738..ba6a6bf7ce 100644 --- a/terraform/environment/config_file.tf +++ b/terraform/environment/config_file.tf @@ -12,12 +12,13 @@ locals { viewer_codes_table = aws_dynamodb_table.viewer_codes_table.name user_lpa_actor_map = aws_dynamodb_table.user_lpa_actor_map.name stats_table = aws_dynamodb_table.stats_table.name - actor_fqdn = aws_route53_record.actor-use-my-lpa.fqdn - viewer_fqdn = aws_route53_record.viewer-use-my-lpa.fqdn + actor_fqdn = aws_route53_record.actor_use_my_lpa.fqdn + viewer_fqdn = aws_route53_record.viewer_use_my_lpa.fqdn admin_fqdn = aws_route53_record.admin_use_my_lpa.fqdn public_facing_use_fqdn = aws_route53_record.public_facing_use_lasting_power_of_attorney.fqdn public_facing_view_fqdn = aws_route53_record.public_facing_view_lasting_power_of_attorney.fqdn - viewer_load_balancer_security_group_name = aws_security_group.viewer_loadbalancer.name - actor_load_balancer_security_group_name = aws_security_group.actor_loadbalancer.name + viewer_load_balancer_security_group_name = module.eu_west_1.security_group_names.viewer_loadbalancer + actor_load_balancer_security_group_name = module.eu_west_1.security_group_names.actor_loadbalancer + } } diff --git a/terraform/environment/dns.tf b/terraform/environment/dns.tf index 1700e7c43d..c2fde94c55 100644 --- a/terraform/environment/dns.tf +++ b/terraform/environment/dns.tf @@ -30,8 +30,8 @@ resource "aws_route53_record" "public_facing_view_lasting_power_of_attorney" { alias { evaluate_target_health = false - name = aws_lb.viewer.dns_name - zone_id = aws_lb.viewer.zone_id + name = module.eu_west_1.albs.viewer.dns_name + zone_id = module.eu_west_1.albs.viewer.zone_id } lifecycle { @@ -43,7 +43,7 @@ output "public_facing_view_domain" { value = "https://${aws_route53_record.public_facing_view_lasting_power_of_attorney.fqdn}" } -resource "aws_route53_record" "viewer-use-my-lpa" { +resource "aws_route53_record" "viewer_use_my_lpa" { # view.lastingpowerofattorney.opg.service.justice.gov.uk provider = aws.management zone_id = data.aws_route53_zone.opg_service_justice_gov_uk.zone_id @@ -52,8 +52,8 @@ resource "aws_route53_record" "viewer-use-my-lpa" { alias { evaluate_target_health = false - name = aws_lb.viewer.dns_name - zone_id = aws_lb.viewer.zone_id + name = module.eu_west_1.albs.viewer.dns_name + zone_id = module.eu_west_1.albs.viewer.zone_id } lifecycle { @@ -61,6 +61,10 @@ resource "aws_route53_record" "viewer-use-my-lpa" { } } +moved { + from = aws_route53_record.viewer-use-my-lpa + to = aws_route53_record.viewer_use_my_lpa +} //------------------------------------------------------------- // Use @@ -74,8 +78,8 @@ resource "aws_route53_record" "public_facing_use_lasting_power_of_attorney" { alias { evaluate_target_health = false - name = aws_lb.actor.dns_name - zone_id = aws_lb.actor.zone_id + name = module.eu_west_1.albs.actor.dns_name + zone_id = module.eu_west_1.albs.actor.zone_id } lifecycle { create_before_destroy = true @@ -86,7 +90,7 @@ output "public_facing_use_domain" { value = "https://${aws_route53_record.public_facing_use_lasting_power_of_attorney.fqdn}" } -resource "aws_route53_record" "actor-use-my-lpa" { +resource "aws_route53_record" "actor_use_my_lpa" { # use.lastingpowerofattorney.opg.service.justice.gov.uk provider = aws.management zone_id = data.aws_route53_zone.opg_service_justice_gov_uk.zone_id @@ -95,8 +99,8 @@ resource "aws_route53_record" "actor-use-my-lpa" { alias { evaluate_target_health = false - name = aws_lb.actor.dns_name - zone_id = aws_lb.actor.zone_id + name = module.eu_west_1.albs.actor.dns_name + zone_id = module.eu_west_1.albs.actor.zone_id } lifecycle { @@ -104,6 +108,10 @@ resource "aws_route53_record" "actor-use-my-lpa" { } } +moved { + from = aws_route53_record.actor-use-my-lpa + to = aws_route53_record.actor_use_my_lpa +} resource "aws_route53_record" "admin_use_my_lpa" { # admin.lastingpowerofattorney.opg.service.justice.gov.uk @@ -114,8 +122,8 @@ resource "aws_route53_record" "admin_use_my_lpa" { alias { evaluate_target_health = false - name = aws_lb.admin.dns_name - zone_id = aws_lb.admin.zone_id + name = module.eu_west_1.albs.admin.dns_name + zone_id = module.eu_west_1.albs.admin.zone_id } lifecycle { diff --git a/terraform/environment/dns_health_check.tf b/terraform/environment/dns_health_check.tf index a427c42be0..73b202fc80 100644 --- a/terraform/environment/dns_health_check.tf +++ b/terraform/environment/dns_health_check.tf @@ -18,7 +18,7 @@ resource "aws_cloudwatch_metric_alarm" "viewer_health_check_alarm" { } resource "aws_route53_health_check" "viewer_health_check" { - fqdn = aws_route53_record.viewer-use-my-lpa.fqdn + fqdn = aws_route53_record.viewer_use_my_lpa.fqdn reference_name = "${substr(local.environment_name, 0, 20)}-viewer" port = 443 type = "HTTPS" @@ -49,7 +49,7 @@ resource "aws_cloudwatch_metric_alarm" "actor_health_check_alarm" { } resource "aws_route53_health_check" "actor_health_check" { - fqdn = aws_route53_record.actor-use-my-lpa.fqdn + fqdn = aws_route53_record.actor_use_my_lpa.fqdn reference_name = "${substr(local.environment_name, 0, 20)}-actor" port = 443 type = "HTTPS" diff --git a/terraform/environment/refactor.tf b/terraform/environment/refactor.tf index 2337056964..e33b4e3408 100644 --- a/terraform/environment/refactor.tf +++ b/terraform/environment/refactor.tf @@ -177,3 +177,217 @@ moved { from = aws_service_discovery_service.pdf_ecs to = module.eu_west_1.aws_service_discovery_service.pdf_ecs } + +moved { + from = aws_lb.actor + to = module.eu_west_1.aws_lb.actor +} + +moved { + from = aws_lb.admin + to = module.eu_west_1.aws_lb.admin +} + +moved { + from = aws_lb.viewer + to = module.eu_west_1.aws_lb.viewer +} + +moved { + from = aws_lb_listener.actor_loadbalancer + to = module.eu_west_1.aws_lb_listener.actor_loadbalancer +} + +moved { + from = aws_lb_listener.actor_loadbalancer_http_redirect + to = module.eu_west_1.aws_lb_listener.actor_loadbalancer_http_redirect +} + +moved { + from = aws_lb_listener.admin_loadbalancer + to = module.eu_west_1.aws_lb_listener.admin_loadbalancer +} +moved { + from = aws_lb_listener.admin_loadbalancer_http_redirect + to = module.eu_west_1.aws_lb_listener.admin_loadbalancer_http_redirect +} + +moved { + from = aws_lb_listener.viewer_loadbalancer + to = module.eu_west_1.aws_lb_listener.viewer_loadbalancer +} + +moved { + from = aws_lb_listener.viewer_loadbalancer_http_redirect + to = module.eu_west_1.aws_lb_listener.viewer_loadbalancer_http_redirect +} + +moved { + from = aws_lb_listener_certificate.actor_loadbalancer_live_service_certificate + to = module.eu_west_1.aws_lb_listener_certificate.actor_loadbalancer_live_service_certificate +} + +moved { + from = aws_lb_listener_certificate.admin_loadbalancer_live_service_certificate + to = module.eu_west_1.aws_lb_listener_certificate.admin_loadbalancer_live_service_certificate +} + +moved { + from = aws_lb_listener_certificate.viewer_loadbalancer_live_service_certificate + to = module.eu_west_1.aws_lb_listener_certificate.viewer_loadbalancer_live_service_certificate +} + +moved { + from = aws_lb_listener_rule.actor_maintenance + to = module.eu_west_1.aws_lb_listener_rule.actor_maintenance +} + +moved { + from = aws_lb_listener_rule.actor_maintenance_welsh + to = module.eu_west_1.aws_lb_listener_rule.actor_maintenance_welsh +} + +moved { + from = aws_lb_listener_rule.redirect_use_root_to_gov + to = module.eu_west_1.aws_lb_listener_rule.redirect_use_root_to_gov +} + +moved { + from = aws_lb_listener_rule.redirect_view_root_to_gov + to = module.eu_west_1.aws_lb_listener_rule.redirect_view_root_to_gov +} + +moved { + from = aws_lb_listener_rule.rewrite_use_to_live_service_url + to = module.eu_west_1.aws_lb_listener_rule.rewrite_use_to_live_service_url +} + +moved { + from = aws_lb_listener_rule.rewrite_view_to_live_service_url + to = module.eu_west_1.aws_lb_listener_rule.rewrite_view_to_live_service_url +} + +moved { + from = aws_lb_listener_rule.viewer_maintenance + to = module.eu_west_1.aws_lb_listener_rule.viewer_maintenance +} + +moved { + from = aws_lb_listener_rule.viewer_maintenance_welsh + to = module.eu_west_1.aws_lb_listener_rule.viewer_maintenance_welsh +} + +moved { + from = aws_lb_target_group.actor + to = module.eu_west_1.aws_lb_target_group.actor +} + +moved { + from = aws_lb_target_group.admin + to = module.eu_west_1.aws_lb_target_group.admin +} + +moved { + from = aws_lb_target_group.viewer + to = module.eu_west_1.aws_lb_target_group.viewer +} + +moved { + from = aws_security_group.actor_loadbalancer + to = module.eu_west_1.aws_security_group.actor_loadbalancer +} + +moved { + from = aws_security_group.actor_loadbalancer_route53 + to = module.eu_west_1.aws_security_group.actor_loadbalancer_route53 +} + +moved { + from = aws_security_group.admin_loadbalancer + to = module.eu_west_1.aws_security_group.admin_loadbalancer +} + +moved { + from = aws_security_group.viewer_loadbalancer + to = module.eu_west_1.aws_security_group.viewer_loadbalancer +} + +moved { + from = aws_security_group.viewer_loadbalancer_route53 + to = module.eu_west_1.aws_security_group.viewer_loadbalancer_route53 +} + +moved { + from = aws_security_group_rule.actor_loadbalancer_egress + to = module.eu_west_1.aws_security_group_rule.actor_loadbalancer_egress +} + +moved { + from = aws_security_group_rule.actor_loadbalancer_ingress + to = module.eu_west_1.aws_security_group_rule.actor_loadbalancer_ingress +} + +moved { + from = aws_security_group_rule.actor_loadbalancer_ingress_http + to = module.eu_west_1.aws_security_group_rule.actor_loadbalancer_ingress_http +} + +moved { + from = aws_security_group_rule.actor_loadbalancer_ingress_route53_healthchecks + to = module.eu_west_1.aws_security_group_rule.actor_loadbalancer_ingress_route53_healthchecks +} + +moved { + from = aws_security_group_rule.admin_loadbalancer_egress + to = module.eu_west_1.aws_security_group_rule.admin_loadbalancer_egress +} + +moved { + from = aws_security_group_rule.admin_loadbalancer_ingress + to = module.eu_west_1.aws_security_group_rule.admin_loadbalancer_ingress +} + +moved { + from = aws_security_group_rule.admin_loadbalancer_port_80_redirect_ingress + to = module.eu_west_1.aws_security_group_rule.admin_loadbalancer_port_80_redirect_ingress +} + +moved { + from = aws_security_group_rule.viewer_loadbalancer_egress + to = module.eu_west_1.aws_security_group_rule.viewer_loadbalancer_egress +} + +moved { + from = aws_security_group_rule.viewer_loadbalancer_ingress + to = module.eu_west_1.aws_security_group_rule.viewer_loadbalancer_ingress +} + +moved { + from = aws_security_group_rule.viewer_loadbalancer_ingress_http + to = module.eu_west_1.aws_security_group_rule.viewer_loadbalancer_ingress_http +} + +moved { + from = aws_security_group_rule.viewer_loadbalancer_ingress_route53_healthchecks + to = module.eu_west_1.aws_security_group_rule.viewer_loadbalancer_ingress_route53_healthchecks +} + +moved { + from = aws_ssm_parameter.actor_maintenance_switch + to = module.eu_west_1.aws_ssm_parameter.actor_maintenance_switch +} + +moved { + from = aws_ssm_parameter.viewer_maintenance_switch + to = module.eu_west_1.aws_ssm_parameter.viewer_maintenance_switch +} + +moved { + from = aws_security_group_rule.actor_loadbalancer_ingress_production[0] + to = module.eu_west_1.aws_security_group_rule.actor_loadbalancer_ingress_public_access[0] +} + +moved { + from = aws_security_group_rule.viewer_loadbalancer_ingress_public_access[0] + to = module.eu_west_1.aws_security_group_rule.viewer_loadbalancer_ingress_public_access[0] +} diff --git a/terraform/environment/region.tf b/terraform/environment/region.tf index 598efd5bf9..39e3cdf9df 100644 --- a/terraform/environment/region.tf +++ b/terraform/environment/region.tf @@ -1,15 +1,51 @@ module "eu_west_1" { source = "./region" - alb_tg_arns = { - "actor" = aws_lb_target_group.actor - "viewer" = aws_lb_target_group.viewer - "admin" = aws_lb_target_group.admin + account_name = local.environment.account_name + admin_container_version = var.admin_container_version + application_logs_name = aws_cloudwatch_log_group.application_logs.name + autoscaling = local.environment.autoscaling + aws_service_discovery_service = aws_service_discovery_private_dns_namespace.internal_ecs + capacity_provider = local.capacity_provider + container_version = var.container_version + cookie_expires_use = local.environment.cookie_expires_use + cookie_expires_view = local.environment.cookie_expires_view + ecs_execution_role = module.iam.ecs_execution_role + ecs_task_roles = module.iam.ecs_task_roles + environment_name = local.environment_name + google_analytics_id_use = local.environment.google_analytics_id_use + google_analytics_id_view = local.environment.google_analytics_id_view + iap_images_endpoint = local.environment.iap_images_endpoint + load_balancer_deletion_protection_enabled = local.environment.load_balancer_deletion_protection_enabled + logging_level = local.environment.logging_level + lpa_codes_endpoint = local.environment.lpa_codes_endpoint + lpas_collection_endpoint = local.environment.lpas_collection_endpoint + moj_sites = module.allow_list.moj_sites + notify_key_secret_name = local.environment.notify_key_secret_name + parameter_store_arns = [aws_ssm_parameter.system_message_view_en.arn, aws_ssm_parameter.system_message_view_cy.arn, aws_ssm_parameter.system_message_use_en.arn, aws_ssm_parameter.system_message_use_cy.arn] + pdf_container_version = local.environment.pdf_container_version + public_access_enabled = var.public_access_enabled + session_expires_use = local.environment.session_expires_use + session_expires_view = local.environment.session_expires_view + session_expiry_warning = local.environment.session_expiry_warning + sirius_account_id = local.environment.sirius_account_id + + + acm_certificate_arns = { + use = data.aws_acm_certificate.certificate_use.arn + view = data.aws_acm_certificate.certificate_view.arn + admin = data.aws_acm_certificate.certificate_admin.arn + public_facing_use = data.aws_acm_certificate.public_facing_certificate_use.arn + public_facing_view = data.aws_acm_certificate.public_facing_certificate_view.arn } - autoscaling = local.environment.autoscaling - - application_logs_name = aws_cloudwatch_log_group.application_logs.name + admin_cognito = { + id = aws_cognito_user_pool_client.use_a_lasting_power_of_attorney_admin.id + user_pool_id = local.admin_cognito_user_pool_id + user_pool_domain_name = local.admin_cognito_user_pool_domain_name + user_pool_client_secret = aws_cognito_user_pool_client.use_a_lasting_power_of_attorney_admin.client_secret + user_pool_id_token_validity = aws_cognito_user_pool_client.use_a_lasting_power_of_attorney_admin.id_token_validity + } dynamodb_tables = { "actor_codes_table" = aws_dynamodb_table.actor_codes_table @@ -20,29 +56,6 @@ module "eu_west_1" { "user_lpa_actor_map" = aws_dynamodb_table.user_lpa_actor_map } - cognito_user_pool_id = aws_cognito_user_pool_client.use_a_lasting_power_of_attorney_admin.id - - environment_name = local.environment_name - - actor_loadbalancer_security_group_id = aws_security_group.actor_loadbalancer.id - viewer_loadbalancer_security_group_id = aws_security_group.viewer_loadbalancer.id - admin_loadbalancer_security_group_id = aws_security_group.admin_loadbalancer.id - - notify_key_secret_name = local.environment.notify_key_secret_name - - lpa_codes_endpoint = local.environment.lpa_codes_endpoint - iap_images_endpoint = local.environment.iap_images_endpoint - lpas_collection_endpoint = local.environment.lpas_collection_endpoint - - logging_level = local.environment.logging_level - - parameter_store_arns = [aws_ssm_parameter.system_message_view_en.arn, aws_ssm_parameter.system_message_view_cy.arn, aws_ssm_parameter.system_message_use_en.arn, aws_ssm_parameter.system_message_use_cy.arn, ] - route_53_fqdns = { - "public_view" = aws_route53_record.public_facing_view_lasting_power_of_attorney.fqdn - "public_use" = aws_route53_record.public_facing_use_lasting_power_of_attorney.fqdn - "admin" = aws_route53_record.admin_use_my_lpa.fqdn - } - feature_flags = { "allow_gov_one_login" = local.environment.application_flags.allow_gov_one_login "instructions_and_preferences" = local.environment.application_flags.instructions_and_preferences @@ -52,32 +65,17 @@ module "eu_west_1" { "delete_lpa_feature" = local.environment.application_flags.delete_lpa_feature } - container_version = var.container_version - admin_container_version = var.admin_container_version - pdf_container_version = local.environment.pdf_container_version - - sirius_account_id = local.environment.sirius_account_id - - ecs_task_roles = module.iam.ecs_task_roles - ecs_execution_role = module.iam.ecs_execution_role - - admin_cognito_user_pool_domain_name = local.admin_cognito_user_pool_domain_name - - capacity_provider = local.capacity_provider - - aws_service_discovery_service = aws_service_discovery_private_dns_namespace.internal_ecs - + route_53_fqdns = { + "public_view" = aws_route53_record.public_facing_view_lasting_power_of_attorney.fqdn + "public_use" = aws_route53_record.public_facing_use_lasting_power_of_attorney.fqdn + "admin" = aws_route53_record.admin_use_my_lpa.fqdn + "actor" = aws_route53_record.actor_use_my_lpa.fqdn + "viewer" = aws_route53_record.viewer_use_my_lpa.fqdn + } - session_expires_use = local.environment.session_expires_use - session_expiry_warning = local.environment.session_expiry_warning - cookie_expires_use = local.environment.cookie_expires_use - google_analytics_id_use = local.environment.google_analytics_id_use - google_analytics_id_view = local.environment.google_analytics_id_view - cookie_expires_view = local.environment.cookie_expires_view - session_expires_view = local.environment.session_expires_view providers = { aws.region = aws.eu_west_1 aws.management = aws.management } -} \ No newline at end of file +} diff --git a/terraform/environment/region/actor_ecs.tf b/terraform/environment/region/actor_ecs.tf index f3d8b16765..51e6e2a24b 100644 --- a/terraform/environment/region/actor_ecs.tf +++ b/terraform/environment/region/actor_ecs.tf @@ -15,7 +15,7 @@ resource "aws_ecs_service" "actor" { } load_balancer { - target_group_arn = var.alb_tg_arns.actor.arn + target_group_arn = aws_lb_target_group.actor.arn container_name = "web" container_port = 80 } @@ -65,7 +65,7 @@ resource "aws_security_group_rule" "actor_ecs_service_ingress" { to_port = 80 protocol = "tcp" security_group_id = aws_security_group.actor_ecs_service.id - source_security_group_id = var.actor_loadbalancer_security_group_id + source_security_group_id = aws_security_group.actor_loadbalancer.id lifecycle { create_before_destroy = true } @@ -80,7 +80,7 @@ resource "aws_security_group_rule" "actor_ecs_service_egress" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS007 - open egress for ECR access + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr - open egress for ECR access security_group_id = aws_security_group.actor_ecs_service.id lifecycle { create_before_destroy = true diff --git a/terraform/environment/actor_load_balancer.tf b/terraform/environment/region/actor_load_balancer.tf similarity index 79% rename from terraform/environment/actor_load_balancer.tf rename to terraform/environment/region/actor_load_balancer.tf index 6156258c5f..7040515bf5 100644 --- a/terraform/environment/actor_load_balancer.tf +++ b/terraform/environment/region/actor_load_balancer.tf @@ -1,21 +1,23 @@ resource "aws_lb_target_group" "actor" { - name = "${local.environment_name}-actor" + name = "${var.environment_name}-actor" port = 80 protocol = "HTTP" target_type = "ip" vpc_id = data.aws_vpc.default.id deregistration_delay = 0 depends_on = [aws_lb.actor] + + provider = aws.region } resource "aws_lb" "actor" { - name = "${local.environment_name}-actor" - internal = false #tfsec:ignore:AWS005 - public alb + name = "${var.environment_name}-actor" + internal = false #tfsec:ignore:aws-elb-alb-not-public - Intentionally public facing load_balancer_type = "application" drop_invalid_header_fields = true subnets = data.aws_subnets.public.ids - enable_deletion_protection = local.environment.load_balancer_deletion_protection_enabled + enable_deletion_protection = var.load_balancer_deletion_protection_enabled security_groups = [ aws_security_group.actor_loadbalancer.id, @@ -24,9 +26,11 @@ resource "aws_lb" "actor" { access_logs { bucket = data.aws_s3_bucket.access_log.bucket - prefix = "actor-${local.environment_name}" + prefix = "actor-${var.environment_name}" enabled = true } + + provider = aws.region } resource "aws_lb_listener" "actor_loadbalancer_http_redirect" { @@ -43,6 +47,8 @@ resource "aws_lb_listener" "actor_loadbalancer_http_redirect" { status_code = "HTTP_301" } } + + provider = aws.region } resource "aws_lb_listener" "actor_loadbalancer" { @@ -51,17 +57,19 @@ resource "aws_lb_listener" "actor_loadbalancer" { protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-FS-1-2-2019-08" - certificate_arn = data.aws_acm_certificate.certificate_use.arn + certificate_arn = var.acm_certificate_arns.use default_action { target_group_arn = aws_lb_target_group.actor.arn type = "forward" } + + provider = aws.region } resource "aws_lb_listener_certificate" "actor_loadbalancer_live_service_certificate" { listener_arn = aws_lb_listener.actor_loadbalancer.arn - certificate_arn = data.aws_acm_certificate.public_facing_certificate_use.arn + certificate_arn = var.acm_certificate_arns.public_facing_use } # redirect root to gov.uk @@ -87,6 +95,8 @@ resource "aws_lb_listener_rule" "redirect_use_root_to_gov" { ] } } + + provider = aws.region } # rewrite to live service url @@ -97,7 +107,7 @@ resource "aws_lb_listener_rule" "rewrite_use_to_live_service_url" { type = "redirect" redirect { - host = aws_route53_record.public_facing_use_lasting_power_of_attorney.fqdn + host = var.route_53_fqdns.public_use path = "/#{path}" query = "#{query}" port = "443" @@ -108,15 +118,17 @@ resource "aws_lb_listener_rule" "rewrite_use_to_live_service_url" { condition { host_header { values = [ - aws_route53_record.actor-use-my-lpa.fqdn + var.route_53_fqdns.actor ] } } + + provider = aws.region } # maintenance site switching resource "aws_ssm_parameter" "actor_maintenance_switch" { - name = "${local.environment_name}_actor_enable_maintenance" + name = "${var.environment_name}_actor_enable_maintenance" type = "String" value = "false" description = "values of either 'true' or 'false' only" @@ -125,6 +137,8 @@ resource "aws_ssm_parameter" "actor_maintenance_switch" { lifecycle { ignore_changes = [value] } + + provider = aws.region } resource "aws_lb_listener_rule" "actor_maintenance" { @@ -154,6 +168,8 @@ resource "aws_lb_listener_rule" "actor_maintenance" { condition, ] } + + provider = aws.region } resource "aws_lb_listener_rule" "actor_maintenance_welsh" { @@ -183,14 +199,18 @@ resource "aws_lb_listener_rule" "actor_maintenance_welsh" { condition, ] } + + provider = aws.region } resource "aws_security_group" "actor_loadbalancer" { - name_prefix = "${local.environment_name}-actor-loadbalancer" + name_prefix = "${var.environment_name}-actor-loadbalancer" description = "Allow inbound traffic" vpc_id = data.aws_vpc.default.id + + provider = aws.region } resource "aws_security_group_rule" "actor_loadbalancer_ingress_http" { @@ -199,8 +219,10 @@ resource "aws_security_group_rule" "actor_loadbalancer_ingress_http" { from_port = 80 to_port = 80 protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006 - open ingress for load balancers + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr - open ingress for load balancers security_group_id = aws_security_group.actor_loadbalancer.id + + provider = aws.region } resource "aws_security_group_rule" "actor_loadbalancer_ingress" { @@ -209,19 +231,23 @@ resource "aws_security_group_rule" "actor_loadbalancer_ingress" { from_port = 443 to_port = 443 protocol = "tcp" - cidr_blocks = module.allow_list.moj_sites + cidr_blocks = var.moj_sites security_group_id = aws_security_group.actor_loadbalancer.id + + provider = aws.region } -resource "aws_security_group_rule" "actor_loadbalancer_ingress_production" { +resource "aws_security_group_rule" "actor_loadbalancer_ingress_public_access" { + count = var.public_access_enabled ? 1 : 0 description = "Port 443 ingress for production from the internet to the application load balancer" - count = local.environment_name == "production" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006 - open ingress for load balancers + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr - open ingress for load balancers security_group_id = aws_security_group.actor_loadbalancer.id + + provider = aws.region } resource "aws_security_group_rule" "actor_loadbalancer_egress" { @@ -230,14 +256,18 @@ resource "aws_security_group_rule" "actor_loadbalancer_egress" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS007 - open egress for load balancers + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr - open egress for load balancers security_group_id = aws_security_group.actor_loadbalancer.id + + provider = aws.region } resource "aws_security_group" "actor_loadbalancer_route53" { - name_prefix = "${local.environment_name}-actor-loadbalancer-route53" + name_prefix = "${var.environment_name}-actor-loadbalancer-route53" description = "Allow Route53 healthchecks" vpc_id = data.aws_vpc.default.id + + provider = aws.region } resource "aws_security_group_rule" "actor_loadbalancer_ingress_route53_healthchecks" { @@ -248,4 +278,6 @@ resource "aws_security_group_rule" "actor_loadbalancer_ingress_route53_healthche to_port = "443" cidr_blocks = data.aws_ip_ranges.route53_healthchecks.cidr_blocks security_group_id = aws_security_group.actor_loadbalancer_route53.id + + provider = aws.region } diff --git a/terraform/environment/region/admin_ecs.tf b/terraform/environment/region/admin_ecs.tf index c5041a1fce..17f5e0aabd 100644 --- a/terraform/environment/region/admin_ecs.tf +++ b/terraform/environment/region/admin_ecs.tf @@ -15,7 +15,7 @@ resource "aws_ecs_service" "admin" { } load_balancer { - target_group_arn = var.alb_tg_arns.admin.arn + target_group_arn = aws_lb_target_group.admin.arn container_name = "app" container_port = 80 } @@ -76,7 +76,7 @@ resource "aws_security_group_rule" "admin_ecs_service_ingress" { to_port = 80 protocol = "tcp" security_group_id = aws_security_group.admin_ecs_service.id - source_security_group_id = var.admin_loadbalancer_security_group_id + source_security_group_id = aws_security_group.admin_loadbalancer.id lifecycle { create_before_destroy = true } @@ -96,7 +96,7 @@ resource "aws_security_group_rule" "admin_ecs_service_egress" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS007 - open egress for ECR access + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr - open egress for ECR access security_group_id = aws_security_group.admin_ecs_service.id lifecycle { create_before_destroy = true @@ -259,7 +259,7 @@ locals { }, { name = "ADMIN_LOGOUT_URL", - value = "${var.admin_cognito_user_pool_domain_name}/logout" + value = "${var.admin_cognito.user_pool_domain_name}/logout" }, { name = "ADMIN_JWT_SIGNING_KEY_URL", @@ -267,7 +267,7 @@ locals { }, { name = "ADMIN_CLIENT_ID", - value = var.cognito_user_pool_id + value = var.admin_cognito.user_pool_id }, { name = "LPA_CODES_API_ENDPOINT", @@ -277,4 +277,4 @@ locals { } ) -} \ No newline at end of file +} diff --git a/terraform/environment/admin_load_balancer.tf b/terraform/environment/region/admin_load_balancer.tf similarity index 72% rename from terraform/environment/admin_load_balancer.tf rename to terraform/environment/region/admin_load_balancer.tf index b3d786d2d9..677b06e55b 100644 --- a/terraform/environment/admin_load_balancer.tf +++ b/terraform/environment/region/admin_load_balancer.tf @@ -1,5 +1,5 @@ resource "aws_lb_target_group" "admin" { - name = "${local.environment_name}-admin" + name = "${var.environment_name}-admin" port = 80 protocol = "HTTP" target_type = "ip" @@ -12,6 +12,8 @@ resource "aws_lb_target_group" "admin" { } depends_on = [aws_lb.admin] + + provider = aws.region } moved { @@ -20,12 +22,12 @@ moved { } resource "aws_lb" "admin" { - name = "${local.environment_name}-admin" - internal = false #tfsec:ignore:AWS005 - public alb + name = "${var.environment_name}-admin" + internal = false #tfsec:ignore:aws-elb-alb-not-public - public alb load_balancer_type = "application" drop_invalid_header_fields = true subnets = data.aws_subnets.public.ids - enable_deletion_protection = local.environment.load_balancer_deletion_protection_enabled + enable_deletion_protection = var.load_balancer_deletion_protection_enabled security_groups = [ aws_security_group.admin_loadbalancer.id, @@ -33,9 +35,11 @@ resource "aws_lb" "admin" { access_logs { bucket = data.aws_s3_bucket.access_log.bucket - prefix = "admin-${local.environment_name}" + prefix = "admin-${var.environment_name}" enabled = true } + + provider = aws.region } moved { @@ -57,6 +61,8 @@ resource "aws_lb_listener" "admin_loadbalancer_http_redirect" { status_code = "HTTP_301" } } + + provider = aws.region } moved { @@ -70,22 +76,22 @@ resource "aws_lb_listener" "admin_loadbalancer" { protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-FS-1-2-2019-08" - certificate_arn = data.aws_acm_certificate.certificate_admin.arn + certificate_arn = var.acm_certificate_arns.admin default_action { type = "authenticate-oidc" authenticate_oidc { authentication_request_extra_params = {} - authorization_endpoint = "${local.admin_cognito_user_pool_domain_name}/oauth2/authorize" - client_id = aws_cognito_user_pool_client.use_a_lasting_power_of_attorney_admin.id - client_secret = aws_cognito_user_pool_client.use_a_lasting_power_of_attorney_admin.client_secret - issuer = "https://cognito-idp.eu-west-1.amazonaws.com/${local.admin_cognito_user_pool_id}" + authorization_endpoint = "${var.admin_cognito.user_pool_domain_name}/oauth2/authorize" + client_id = var.admin_cognito.id + client_secret = var.admin_cognito.user_pool_client_secret + issuer = "https://cognito-idp.eu-west-1.amazonaws.com/${var.admin_cognito.user_pool_id}" on_unauthenticated_request = "authenticate" scope = "openid" session_cookie_name = "AWSELBAuthSessionCookie" - session_timeout = aws_cognito_user_pool_client.use_a_lasting_power_of_attorney_admin.id_token_validity - token_endpoint = "${local.admin_cognito_user_pool_domain_name}/oauth2/token" - user_info_endpoint = "${local.admin_cognito_user_pool_domain_name}/oauth2/userInfo" + session_timeout = var.admin_cognito.user_pool_id_token_validity + token_endpoint = "${var.admin_cognito.user_pool_domain_name}/oauth2/token" + user_info_endpoint = "${var.admin_cognito.user_pool_domain_name}/oauth2/userInfo" } } @@ -93,6 +99,8 @@ resource "aws_lb_listener" "admin_loadbalancer" { target_group_arn = aws_lb_target_group.admin.arn type = "forward" } + + provider = aws.region } moved { @@ -102,7 +110,9 @@ moved { resource "aws_lb_listener_certificate" "admin_loadbalancer_live_service_certificate" { listener_arn = aws_lb_listener.admin_loadbalancer.arn - certificate_arn = data.aws_acm_certificate.public_facing_certificate_use.arn + certificate_arn = var.acm_certificate_arns.public_facing_use + + provider = aws.region } moved { @@ -111,12 +121,14 @@ moved { } resource "aws_security_group" "admin_loadbalancer" { - name_prefix = "${local.environment_name}-admin-loadbalancer" + name_prefix = "${var.environment_name}-admin-loadbalancer" description = "Admin service application load balancer" vpc_id = data.aws_vpc.default.id lifecycle { create_before_destroy = true } + + provider = aws.region } moved { @@ -130,8 +142,10 @@ resource "aws_security_group_rule" "admin_loadbalancer_port_80_redirect_ingress" from_port = 80 to_port = 80 protocol = "tcp" - cidr_blocks = module.allow_list.moj_sites + cidr_blocks = var.moj_sites security_group_id = aws_security_group.admin_loadbalancer.id + + provider = aws.region } moved { @@ -145,8 +159,10 @@ resource "aws_security_group_rule" "admin_loadbalancer_ingress" { from_port = 443 to_port = 443 protocol = "tcp" - cidr_blocks = module.allow_list.moj_sites + cidr_blocks = var.moj_sites security_group_id = aws_security_group.admin_loadbalancer.id + + provider = aws.region } moved { @@ -160,8 +176,10 @@ resource "aws_security_group_rule" "admin_loadbalancer_egress" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS007 - open egress for load balancers + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr - open egress for load balancers security_group_id = aws_security_group.admin_loadbalancer.id + + provider = aws.region } moved { diff --git a/terraform/environment/region/api_ecs.tf b/terraform/environment/region/api_ecs.tf index 407a2d8cb1..5823a957a6 100644 --- a/terraform/environment/region/api_ecs.tf +++ b/terraform/environment/region/api_ecs.tf @@ -81,6 +81,8 @@ resource "aws_security_group" "api_ecs_service" { lifecycle { create_before_destroy = true } + + provider = aws.region } //---------------------------------- @@ -127,11 +129,13 @@ resource "aws_security_group_rule" "api_ecs_service_egress" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS007 - open egress for ECR access + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr - open egress for ECR access security_group_id = aws_security_group.api_ecs_service.id lifecycle { create_before_destroy = true } + + provider = aws.region } //-------------------------------------- diff --git a/terraform/environment/region/data_sources.tf b/terraform/environment/region/data_sources.tf index 15bc2cf67a..45826cd91d 100644 --- a/terraform/environment/region/data_sources.tf +++ b/terraform/environment/region/data_sources.tf @@ -150,4 +150,10 @@ data "aws_iam_role" "ecs_autoscaling_service_role" { name = "AWSServiceRoleForApplicationAutoScaling_ECSService" provider = aws.region -} \ No newline at end of file +} + +data "aws_s3_bucket" "access_log" { + bucket = "opg-ual-${var.account_name}-lb-access-logs" + + provider = aws.region +} diff --git a/terraform/environment/region/outputs.tf b/terraform/environment/region/outputs.tf index 27aac90a33..0b34f3fe23 100644 --- a/terraform/environment/region/outputs.tf +++ b/terraform/environment/region/outputs.tf @@ -14,7 +14,24 @@ output "ecs_services" { } } +output "albs" { + description = "Objects containing the ALBs" + value = { + actor = aws_lb.actor + admin = aws_lb.admin + viewer = aws_lb.viewer + } +} + +output "security_group_names" { + description = "Security group names" + value = { + actor_loadbalancer = aws_security_group.actor_loadbalancer.name + viewer_loadbalancer = aws_security_group.viewer_loadbalancer.name + } +} + output "admin_domain" { description = "The URL for the admin interface" value = "https://${var.route_53_fqdns.admin}" -} \ No newline at end of file +} diff --git a/terraform/environment/region/pdf_ecs.tf b/terraform/environment/region/pdf_ecs.tf index ad0a0a0863..818a5573c3 100644 --- a/terraform/environment/region/pdf_ecs.tf +++ b/terraform/environment/region/pdf_ecs.tf @@ -108,7 +108,7 @@ resource "aws_security_group_rule" "pdf_ecs_service_egress" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS007 - open egress for ECR access + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr - open egress for ECR access security_group_id = aws_security_group.pdf_ecs_service.id lifecycle { create_before_destroy = true diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf index d9f63c9726..31ac77b91d 100644 --- a/terraform/environment/region/variables.tf +++ b/terraform/environment/region/variables.tf @@ -1,34 +1,39 @@ # Many of these variables are temporary and will be removed once the relevant region specific resources are moved to the region module. # E.g. dynamodb_tables will no longer be needed once the DynamoDB tables are moved to the region module. -variable "actor_loadbalancer_security_group_id" { - description = "The ID of the ALB security group for actor service." +variable "account_name" { + description = "The name of the AWS account." type = string } -variable "admin_cognito_user_pool_domain_name" { - description = "The domain name of the Cognito User Pool to use for the admin interface." - type = string +variable "acm_certificate_arns" { + description = "The ARNs of the ACM certificates to use." + type = object({ + use = string + view = string + admin = string + public_facing_use = string + public_facing_view = string + }) } -variable "admin_container_version" { - description = "The image tag to use for the admin container." - type = string +variable "admin_cognito" { + description = "Settings for the AWS Cognito to use for the admin interface." + type = object({ + id = string + user_pool_id = string + user_pool_domain_name = string + user_pool_client_secret = string + user_pool_id_token_validity = string + }) + sensitive = true } -variable "admin_loadbalancer_security_group_id" { - description = "The ID of the ALB security group for admin service." +variable "admin_container_version" { + description = "The image tag to use for the admin container." type = string } -variable "alb_tg_arns" { - description = "Map of ALB ARNs to be used by the ECS services." - type = map(object({ - arn = string - name = string - })) -} - variable "application_logs_name" { description = "The name of the CloudWatch Logs group to send application logs to." type = string @@ -56,11 +61,6 @@ variable "capacity_provider" { type = string } -variable "cognito_user_pool_id" { - description = "The Cognito User Pool ID to use for authentication to the admin interface." - type = string -} - variable "container_version" { description = "The image tag to use for the containers." type = string @@ -142,6 +142,17 @@ variable "lpas_collection_endpoint" { type = string } +variable "load_balancer_deletion_protection_enabled" { + description = "Whether or not deletion protection should be enabled for the load balancers." + type = bool + default = false +} + +variable "moj_sites" { + description = "A list of MOJ IP addresses used by security groups to allow access to the admin interface and non-production environments." + type = list(string) +} + variable "notify_key_secret_name" { description = "The name of the secret containing the Notify API key." type = string @@ -157,6 +168,12 @@ variable "pdf_container_version" { type = string } +variable "public_access_enabled" { + description = "Whether or not the front ECS services should be publicly accessible via the ALBs." + type = bool + default = false +} + variable "route_53_fqdns" { description = "The FQDNs to use for the Route 53 records." @@ -182,8 +199,3 @@ variable "sirius_account_id" { description = "The AWS ID of the Sirius account." type = string } - -variable "viewer_loadbalancer_security_group_id" { - description = "The ID of the ALB security group for viewer service." - type = string -} \ No newline at end of file diff --git a/terraform/environment/region/viewer_ecs.tf b/terraform/environment/region/viewer_ecs.tf index dd0dacf984..1e730e0b11 100644 --- a/terraform/environment/region/viewer_ecs.tf +++ b/terraform/environment/region/viewer_ecs.tf @@ -15,7 +15,7 @@ resource "aws_ecs_service" "viewer" { } load_balancer { - target_group_arn = var.alb_tg_arns.viewer.arn + target_group_arn = aws_lb_target_group.viewer.arn container_name = "web" container_port = 80 } @@ -65,7 +65,7 @@ resource "aws_security_group_rule" "viewer_ecs_service_ingress" { to_port = 80 protocol = "tcp" security_group_id = aws_security_group.viewer_ecs_service.id - source_security_group_id = var.viewer_loadbalancer_security_group_id + source_security_group_id = aws_security_group.viewer_loadbalancer.id lifecycle { create_before_destroy = true } @@ -80,7 +80,7 @@ resource "aws_security_group_rule" "viewer_ecs_service_egress" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS007 - open egress for ECR access + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr - open egress for ECR access security_group_id = aws_security_group.viewer_ecs_service.id lifecycle { create_before_destroy = true diff --git a/terraform/environment/viewer_load_balancer.tf b/terraform/environment/region/viewer_load_balancer.tf similarity index 82% rename from terraform/environment/viewer_load_balancer.tf rename to terraform/environment/region/viewer_load_balancer.tf index 09e1069ee1..259f3eb484 100644 --- a/terraform/environment/viewer_load_balancer.tf +++ b/terraform/environment/region/viewer_load_balancer.tf @@ -1,20 +1,22 @@ resource "aws_lb_target_group" "viewer" { - name = "${local.environment_name}-viewer" + name = "${var.environment_name}-viewer" port = 80 protocol = "HTTP" target_type = "ip" vpc_id = data.aws_vpc.default.id deregistration_delay = 0 depends_on = [aws_lb.viewer] + + provider = aws.region } resource "aws_lb" "viewer" { - name = "${local.environment_name}-viewer" - internal = false #tfsec:ignore:AWS005 - public alb + name = "${var.environment_name}-viewer" + internal = false #tfsec:ignore:aws-elb-alb-not-public - public alb load_balancer_type = "application" drop_invalid_header_fields = true subnets = data.aws_subnets.public.ids - enable_deletion_protection = local.environment.load_balancer_deletion_protection_enabled + enable_deletion_protection = var.load_balancer_deletion_protection_enabled security_groups = [ aws_security_group.viewer_loadbalancer.id, @@ -23,9 +25,11 @@ resource "aws_lb" "viewer" { access_logs { bucket = data.aws_s3_bucket.access_log.bucket - prefix = "viewer-${local.environment_name}" + prefix = "viewer-${var.environment_name}" enabled = true } + + provider = aws.region } resource "aws_lb_listener" "viewer_loadbalancer_http_redirect" { @@ -42,6 +46,8 @@ resource "aws_lb_listener" "viewer_loadbalancer_http_redirect" { status_code = "HTTP_301" } } + + provider = aws.region } resource "aws_lb_listener" "viewer_loadbalancer" { @@ -50,17 +56,21 @@ resource "aws_lb_listener" "viewer_loadbalancer" { protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-FS-1-2-2019-08" - certificate_arn = data.aws_acm_certificate.certificate_view.arn + certificate_arn = var.acm_certificate_arns.view default_action { target_group_arn = aws_lb_target_group.viewer.arn type = "forward" } + + provider = aws.region } resource "aws_lb_listener_certificate" "viewer_loadbalancer_live_service_certificate" { listener_arn = aws_lb_listener.viewer_loadbalancer.arn - certificate_arn = data.aws_acm_certificate.public_facing_certificate_view.arn + certificate_arn = var.acm_certificate_arns.public_facing_view + + provider = aws.region } # redirect root to gov.uk @@ -86,6 +96,8 @@ resource "aws_lb_listener_rule" "redirect_view_root_to_gov" { ] } } + + provider = aws.region } # rewrite to live service url @@ -96,7 +108,7 @@ resource "aws_lb_listener_rule" "rewrite_view_to_live_service_url" { type = "redirect" redirect { - host = aws_route53_record.public_facing_view_lasting_power_of_attorney.fqdn + host = var.route_53_fqdns.public_view path = "/#{path}" query = "#{query}" port = "443" @@ -107,15 +119,17 @@ resource "aws_lb_listener_rule" "rewrite_view_to_live_service_url" { condition { host_header { values = [ - aws_route53_record.viewer-use-my-lpa.fqdn + var.route_53_fqdns.viewer ] } } + + provider = aws.region } # maintenance site switching resource "aws_ssm_parameter" "viewer_maintenance_switch" { - name = "${local.environment_name}_viewer_enable_maintenance" + name = "${var.environment_name}_viewer_enable_maintenance" type = "String" value = "false" description = "values of either 'true' or 'false' only" @@ -124,6 +138,8 @@ resource "aws_ssm_parameter" "viewer_maintenance_switch" { lifecycle { ignore_changes = [value] } + + provider = aws.region } resource "aws_lb_listener_rule" "viewer_maintenance" { @@ -153,6 +169,8 @@ resource "aws_lb_listener_rule" "viewer_maintenance" { condition, ] } + + provider = aws.region } @@ -183,16 +201,20 @@ resource "aws_lb_listener_rule" "viewer_maintenance_welsh" { condition, ] } + + provider = aws.region } resource "aws_security_group" "viewer_loadbalancer" { - name_prefix = "${local.environment_name}-viewer-loadbalancer" + name_prefix = "${var.environment_name}-viewer-loadbalancer" description = "View service application load balancer" vpc_id = data.aws_vpc.default.id lifecycle { create_before_destroy = true } + + provider = aws.region } resource "aws_security_group_rule" "viewer_loadbalancer_ingress_http" { @@ -201,8 +223,10 @@ resource "aws_security_group_rule" "viewer_loadbalancer_ingress_http" { from_port = 80 to_port = 80 protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006 - open ingress for load balancers + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr - open ingress for load balancers security_group_id = aws_security_group.viewer_loadbalancer.id + + provider = aws.region } resource "aws_security_group_rule" "viewer_loadbalancer_ingress" { @@ -211,8 +235,10 @@ resource "aws_security_group_rule" "viewer_loadbalancer_ingress" { from_port = 443 to_port = 443 protocol = "tcp" - cidr_blocks = module.allow_list.moj_sites + cidr_blocks = var.moj_sites security_group_id = aws_security_group.viewer_loadbalancer.id + + provider = aws.region } resource "aws_security_group_rule" "viewer_loadbalancer_ingress_public_access" { @@ -224,11 +250,8 @@ resource "aws_security_group_rule" "viewer_loadbalancer_ingress_public_access" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr - open ingress for production security_group_id = aws_security_group.viewer_loadbalancer.id -} -moved { - from = aws_security_group_rule.viewer_loadbalancer_ingress_production[0] - to = aws_security_group_rule.viewer_loadbalancer_ingress_public_access[0] + provider = aws.region } resource "aws_security_group_rule" "viewer_loadbalancer_egress" { @@ -237,18 +260,21 @@ resource "aws_security_group_rule" "viewer_loadbalancer_egress" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS007 - open egress for load balancers + cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr - open egress for load balancers security_group_id = aws_security_group.viewer_loadbalancer.id lifecycle { create_before_destroy = true } + provider = aws.region } resource "aws_security_group" "viewer_loadbalancer_route53" { - name_prefix = "${local.environment_name}-viewer-loadbalancer-route53" + name_prefix = "${var.environment_name}-viewer-loadbalancer-route53" description = "View service Route53 healthchecks" vpc_id = data.aws_vpc.default.id + + provider = aws.region } resource "aws_security_group_rule" "viewer_loadbalancer_ingress_route53_healthchecks" { @@ -259,4 +285,6 @@ resource "aws_security_group_rule" "viewer_loadbalancer_ingress_route53_healthch to_port = "443" cidr_blocks = data.aws_ip_ranges.route53_healthchecks.cidr_blocks security_group_id = aws_security_group.viewer_loadbalancer_route53.id + + provider = aws.region } diff --git a/terraform/environment/shared_data_sources.tf b/terraform/environment/shared_data_sources.tf index febf87fb59..19505d5ad5 100644 --- a/terraform/environment/shared_data_sources.tf +++ b/terraform/environment/shared_data_sources.tf @@ -2,10 +2,6 @@ data "aws_vpc" "default" { default = "true" } -data "aws_s3_bucket" "access_log" { - bucket = "opg-ual-${local.environment.account_name}-lb-access-logs" -} - data "aws_subnets" "private" { filter { name = "vpc-id" @@ -152,4 +148,3 @@ data "aws_elasticache_replication_group" "brute_force_cache_replication_group" { data "aws_iam_role" "ecs_autoscaling_service_role" { name = "AWSServiceRoleForApplicationAutoScaling_ECSService" } - diff --git a/terraform/environment/waf.tf b/terraform/environment/waf.tf index c157ad69f4..b89ffd7da0 100644 --- a/terraform/environment/waf.tf +++ b/terraform/environment/waf.tf @@ -5,12 +5,12 @@ data "aws_wafv2_web_acl" "main" { resource "aws_wafv2_web_acl_association" "actor" { count = local.environment.associate_alb_with_waf_web_acl_enabled ? 1 : 0 - resource_arn = aws_lb.actor.arn + resource_arn = module.eu_west_1.albs.actor.arn web_acl_arn = data.aws_wafv2_web_acl.main.arn } resource "aws_wafv2_web_acl_association" "viewer" { count = local.environment.associate_alb_with_waf_web_acl_enabled ? 1 : 0 - resource_arn = aws_lb.viewer.arn + resource_arn = module.eu_west_1.albs.viewer.arn web_acl_arn = data.aws_wafv2_web_acl.main.arn }