Merge pull request #43 from companieshouse/update/linux-dev-03

Update/linux dev 03
companieshouse · Feb 17, 2025 · 7429090 · 7429090
2 parents 97c2ad5 + ad96c79
commit 7429090
Show file tree

Hide file tree

Showing 16 changed files with 598 additions and 0 deletions.
diff --git a/groups/linux-dev-03/README.md b/groups/linux-dev-03/README.md
@@ -0,0 +1,92 @@
+# linux-dev-03 - linux dev/test server
+
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37.0, < 6.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_vault"></a> [vault](#requirement\_vault) | >= 3.25.0, < 5.0.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [instance_profile](#modules\_aws) | [git@github.com:companieshouse/terraform-modules//aws/instance_profile?ref=tags/1.0.283](https://github.com/companieshouse/terraform-modules/tree/1.0.283/aws/instance_profile) | tags/1.0.283 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_instance.linux-dev-02](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_route53_record.linux-dev-02](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_security_group.linux-dev-02](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc_security_group_ingress_rule.linux-dev-02_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_egress_rule.linux-dev-02_all_out](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_ami.linux-dev-02_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_ec2_managed_prefix_list.shared_services_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_subnet.application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
+| [aws_subnets.application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_vpc.finance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [vault_generic_secret.account_ids](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/generic_secret) | data source |
+| [vault_generic_secret.internal_cidrs](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/generic_secret) | data source |
+| [vault_generic_secret.kms_keys](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/generic_secret) | data source |
+| [vault_generic_secret.security_kms_keys](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/generic_secret) | data source |
+| [vault_generic_secret.security_s3_buckets](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/generic_secret) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ami_version_pattern"></a> [ami_version_pattern](#input\_ami_version_pattern) | The pattern to use when filtering for AMI version by name. | `string` | `"*"` | no |
+| <a name="input_application_subnet_pattern"></a> [application_subnet_pattern](#input\_application_subnet_pattern) | The pattern to use when filtering for application subnets by 'Name' tag. | `string` | `"sub-application-*"` | no |
+| <a name="input_aws_account"></a> [aws_account](#input\_aws_account) | The name of the AWS account (e.g., "finance-development") | `string` | n/a | yes |
+| <a name="input_default_log_retention_in_days"></a> [default_log_retention_in_days](#input\_default_log_retention_in_days) | The default log retention period in days to be used for CloudWatch log groups. | `number` | `7` | no |
+| <a name="input_dns_zone_suffix"></a> [dns_zone_suffix](#input\_dns_zone_suffix) | The common DNS hosted zone suffix used across accounts. | `string` | `"finance.aws.internal"` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | The environment name (e.g., "development", "staging", "live") | `string` | n/a | yes |
+| <a name="input_instance_count"></a> [instance_count](#input\_instance_count) | The number EC2 instances to create. | `number` | n/a | yes |
+| <a name="input_instance_type"></a> [instance_type](#input\_instance_type) | The instance type to use for EC2 instances. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region in which resources will be created. | `string` | n/a | yes |
+| <a name="input_root_volume_size"></a> [root_volume_size](#input\_root_volume_size) | The size of the root volume in gibibytes (GiB). | `number` | `30` | no |
+| <a name="input_service"></a> [service](#input\_service) | The service name to be used when creating AWS resources. | `string` | `"e5"` | no |
+| <a name="input_service_subtype"></a> [service_subtype](#input\_service_subtype) | The service subtype name to be used when creating AWS resources. | `string` | `"e5-lfp"` | no |
+| <a name="input_team"></a> [team](#input\_team) | The team name for ownership of this service. | `string` | `"Finance"` | no |
+
+### Vault Authentication Variables
+
+Depending on the authentication method used for Vault, one of the following sets of variables will be required:
+
+#### UserPass Authentication - Preferred Method
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_hashicorp_vault_username"></a> [hashicorp_vault_username](#input\_hashicorp_vault_username) | The username used when retrieving configuration from Hashicorp Vault | `string` | n/a | yes |
+| <a name="input_hashicorp_vault_password"></a> [hashicorp_vault_password](#input\_hashicorp_vault_password) | The password used when retrieving configuration from Hashicorp Vault | `string` | n/a | yes |
+
+#### AppRole Authentication
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_hashicorp_vault_role_id"></a> [hashicorp_vault_role_id](#input\_hashicorp_vault_role_id) | The role identifier used when retrieving configuration from Hashicorp Vault | `string` | n/a | yes |
+| <a name="input_hashicorp_vault_secret_id"></a> [hashicorp_vault_secret_id](#input\_hashicorp_vault_secret_id) | The secret identifier used when retrieving configuration from Hashicorp Vault | `string` | n/a | yes |
+
+#### Token Authentication - **Deprecated**
+
+This method is no longer in use, but used environment variables `VAULT_ADDR` and `VAULT_TOKEN`.
+
+## Locals
+
+| Name | Description |
+|------|-------------|
+| <a name="local_account_ids_secrets"></a> [account_ids_secrets](#local\_account_ids_secrets) | Account IDs retrieved from Vault |
+| <a name="local_application_subnet_ids_by_az"></a> [application_subnet_ids_by_az](#local\_application_subnet_ids_by_az) | Map of availability zones to subnet IDs for application subnets |
+| <a name="local_common_resource_name"></a> [common_resource_name](#local\_common_resource_name) | Common name format for resources |
+| <a name="local_common_tags"></a> [common_tags](#local\_common_tags) | Common tags to be applied to all resources |
+| <a name="local_dns_zone"></a> [dns_zone](#local\_dns_zone) | The DNS zone for the environment |
+| <a name="local_linux-dev-02_ami_owner_id"></a> [linux-dev-02_ami_owner_id](#local\_linux-dev-02_ami_owner_id) | E5 lfp AMI owner ID |
+| <a name="local_security_kms_keys_data"></a> [security_kms_keys_data](#local\_security_kms_keys_data) | Security KMS keys data from Vault |
+| <a name="local_security_s3_data"></a> [security_s3_data](#local\_security_s3_data) | Security S3 bucket data from Vault |
+| <a name="local_session_manager_bucket_name"></a> [session_manager_bucket_name](#local\_session_manager_bucket_name) | Session Manager S3 bucket name |
+| <a name="local_ssm_kms_key_id"></a> [ssm_kms_key_id](#local\_ssm_kms_key_id) | SSM KMS key ID |
diff --git a/groups/linux-dev-03/data.tf b/groups/linux-dev-03/data.tf
@@ -0,0 +1,103 @@
+data "aws_ec2_managed_prefix_list" "administration_cidr_ranges" {
+  name = "administration-cidr-ranges"
+}
+
+data "aws_kms_alias" "ebs" {
+  name = local.kms_key_alias
+}
+
+data "vault_generic_secret" "kms_key_alias" {
+  path = "applications/${var.aws_account}-${var.aws_region}/${var.service}/${var.service_subtype}"
+}
+
+data "aws_vpc" "heritage-development" {
+  filter {
+    name   = "tag:Name"
+    values = ["vpc-${var.aws_account}"]
+  }
+}
+
+data "aws_route53_zone" "linux_dev_02" {
+  name   = local.dns_zone
+  vpc_id = data.aws_vpc.heritage-development.id
+}
+
+data "vault_generic_secret" "internal_cidrs" {
+  path = "aws-accounts/network/internal_cidr_ranges"
+}
+
+data "aws_subnets" "application" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.heritage-development.id]
+  }
+
+  filter {
+    name   = "tag:Name"
+    values = [var.application_subnet_pattern]
+  }
+}
+
+data "aws_subnet" "application" {
+  count = length(data.aws_subnets.application.ids)
+  id    = tolist(data.aws_subnets.application.ids)[count.index]
+}
+
+data "aws_ami" "linux_dev_ami" {
+  most_recent = true
+  name_regex  = "^rhel9-base-\\d.\\d.\\d"
+
+  filter {
+    name   = "name"
+    values = ["rhel9-base-${var.ami_version_pattern}"]
+  }
+
+  filter {
+    name  = "owner-id"
+    values = ["${local.ami_owner_id}"]
+  }
+}
+
+data "vault_generic_secret" "ami_owner" {
+  path = "/applications/${var.aws_account}-${var.aws_region}/${var.service}/${var.service_subtype}"
+}
+
+data "vault_generic_secret" "account_ids" {
+  path = "aws-accounts/account-ids"
+}
+
+data "vault_generic_secret" "kms_keys" {
+  path = "aws-accounts/${var.aws_account}/kms"
+}
+
+data "vault_generic_secret" "security_s3_buckets" {
+  path = "aws-accounts/security/s3"
+}
+
+data "vault_generic_secret" "security_kms_keys" {
+  path = "aws-accounts/security/kms"
+}
+
+data "vault_generic_secret" "shared_services_s3" {
+  path = "aws-accounts/shared-services/s3"
+}
+
+data "vault_generic_secret" "sns_email" {
+  path = "/applications/${var.aws_account}-${var.aws_region}/${var.service}/sns/"
+}
+
+data "vault_generic_secret" "sns_url" {
+  path = "/applications/${var.aws_account}-${var.aws_region}/${var.service}/sns/"
+}
+
+data "template_file" "userdata" {
+  template = file("${path.module}/templates/user_data.tpl")
+
+  count = var.instance_count
+
+  vars = { 
+    ENVIRONMENT          = title(var.environment)
+    APPLICATION_NAME     = var.service_subtype
+    ANSIBLE_INPUTS       = jsonencode(merge(local.ansible_inputs, { hostname = format("%s", var.service_subtype) }))
+  }
+}
diff --git a/groups/linux-dev-03/dns.tf b/groups/linux-dev-03/dns.tf
@@ -0,0 +1,9 @@
+resource "aws_route53_record" "linux_dev_02" {
+  count = var.instance_count
+
+  zone_id = data.aws_route53_zone.linux_dev_02.zone_id
+  name    = "${var.service_subtype}"
+  type    = "A"
+  ttl     = 300
+  records = [aws_instance.linux_dev_03[0].private_ip]
+}
diff --git a/groups/linux-dev-03/iam.tf b/groups/linux-dev-03/iam.tf
@@ -0,0 +1,19 @@
+module "instance_profile" {
+  source = "git@github.com:companieshouse/terraform-modules//aws/instance_profile?ref=tags/1.0.283"
+  name   = local.common_resource_name
+
+  enable_ssm       = true
+  kms_key_refs     = [local.ssm_kms_key_id]
+
+
+  custom_statements = [
+    {
+      sid       = "CloudWatchMetricsWrite"
+      effect    = "Allow"
+      resources = ["*"]
+      actions = [
+        "cloudwatch:PutMetricData"
+      ]
+    }
+  ]
+}
diff --git a/groups/linux-dev-03/instance.tf b/groups/linux-dev-03/instance.tf
@@ -0,0 +1,58 @@
+resource "aws_instance" "linux_dev_03" {
+  count = var.instance_count
+
+  ami           = data.aws_ami.linux_dev_ami.id
+  instance_type = var.instance_type
+  subnet_id     = element(local.application_subnet_ids_by_az, count.index) # use 'element' function for wrap-around behaviour
+
+  iam_instance_profile   = module.instance_profile.aws_iam_instance_profile.name
+  vpc_security_group_ids = [aws_security_group.linux_dev_02.id]
+  tags = {
+    Name           = local.common_resource_name
+    Environment    = var.environment
+    Service        = var.service
+    ServiceSubType = var.service_subtype
+    Team           = var.team
+    Backup         = true
+    Domain         = "${var.environment}.${var.dns_zone_suffix}"
+    Hostname       = "${var.service_subtype}"
+  }
+
+  root_block_device {
+    volume_size = var.root_volume_size
+    encrypted   = var.encrypt_root_block_device
+    iops        = var.root_block_device_iops
+    kms_key_id  = data.aws_kms_alias.ebs.target_key_arn
+    throughput  = var.root_block_device_throughput
+    volume_type = var.root_block_device_volume_type
+    tags = {
+      Name           = "${local.common_resource_name}-root"
+      Environment    = var.environment
+      Service        = var.service
+      ServiceSubType = var.service_subtype
+      Team           = var.team
+      Backup         = true
+    }
+
+  }
+
+  ebs_block_device {
+    device_name           = var.ebs_device_name
+    volume_size           = var.data_volume_size_gib
+    encrypted             = var.encrypt_ebs_block_device
+    iops                  = var.ebs_block_device_iops
+    kms_key_id            = data.aws_kms_alias.ebs.target_key_arn
+    throughput            = var.ebs_block_device_throughput
+    volume_type           = var.ebs_block_device_volume_type
+    delete_on_termination = var.ebs_delete_on_termination
+    tags = {
+      Name           = "${local.common_resource_name}-data"
+      Environment    = var.environment
+      Service        = var.service
+      ServiceSubType = var.service_subtype
+      Team           = var.team
+      Backup         = true
+    }
+  }
+    user_data = data.template_file.userdata[count.index].rendered
+}
diff --git a/groups/linux-dev-03/locals.tf b/groups/linux-dev-03/locals.tf
@@ -0,0 +1,42 @@
+locals {
+  application_subnet_ids_by_az = values(zipmap(data.aws_subnet.application[*].availability_zone, data.aws_subnet.application[*].id))
+
+  common_tags = {
+    Environment    = var.environment
+    Service        = var.service
+    ServiceSubType = var.service_subtype
+    Team           = var.team
+  }
+
+  common_resource_name = "${var.environment}-${var.service_subtype}"
+  dns_zone             = "${var.environment}.${var.dns_zone_suffix}"
+
+  security_s3_data            = data.vault_generic_secret.security_s3_buckets.data
+  session_manager_bucket_name = local.security_s3_data.session-manager-bucket-name
+
+  shared_services_s3_data = data.vault_generic_secret.shared_services_s3.data
+  resources_bucket_name       = local.shared_services_s3_data["resources_bucket_name"]
+
+  security_kms_keys_data = data.vault_generic_secret.security_kms_keys.data
+  ssm_kms_key_id         = local.security_kms_keys_data.session-manager-kms-key-arn
+
+  account_ids_secrets = jsondecode(data.vault_generic_secret.account_ids.data_json)
+
+  kms_key       = data.vault_generic_secret.kms_key_alias.data
+  kms_key_alias = local.kms_key["kms_key_alias"]
+
+  sns_email_secret = data.vault_generic_secret.sns_email.data
+  linux_sns_email = local.sns_email_secret["linux_email"]
+
+  ami_owner = data.vault_generic_secret.ami_owner.data
+  ami_owner_id = local.ami_owner["ami_owner"]
+
+  ansible_inputs = {
+    environment = var.environment
+    region      = var.aws_region
+    fqdn        = "${var.service_subtype}.${var.environment}.${var.dns_zone_suffix}"
+    hostname    = var.service_subtype    
+  }
+
+
+}
diff --git a/groups/linux-dev-03/main.tf b/groups/linux-dev-03/main.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_version = ">= 1.3"
+
+  backend "s3" {}
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.37.0, < 6.0.0"
+    }
+    vault = {
+      source  = "hashicorp/vault"
+      version = ">= 3.25.0, < 5.0.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
diff --git a/groups/linux-dev-03/profiles/heritage-development-eu-west-2/development/vars b/groups/linux-dev-03/profiles/heritage-development-eu-west-2/development/vars
@@ -0,0 +1,17 @@
+# Account details
+
+aws_account = "heritage-development"
+aws_region  = "eu-west-2"
+environment = "development"
+dns_zone_suffix = "heritage.aws.internal"
+
+# Instance details
+
+instance_count = "1"
+instance_type = "t2.medium"
+root_volume_size = 40
+data_volume_size_gib = 20
+service = "unix-development"
+service_subtype = "linux-dev-03"
+application_subnet_pattern = "sub-application-*"
+default_log_retention_in_days = "7"
diff --git a/groups/linux-dev-03/security_groups.tf b/groups/linux-dev-03/security_groups.tf
@@ -0,0 +1,26 @@
+resource "aws_security_group" "linux_dev_02" {
+  name        = local.common_resource_name
+  description = "Security group for the ${var.service_subtype} EC2 instances"
+  vpc_id      = data.aws_vpc.heritage-development.id
+
+  tags = merge(local.common_tags, {
+    Name = "${local.common_resource_name}"
+  })
+}
+
+resource "aws_vpc_security_group_ingress_rule" "linux_dev_02_ssh" {
+  description       = "Allow SSH connectivity for application deployments"
+  security_group_id = aws_security_group.linux_dev_02.id
+  prefix_list_id    = data.aws_ec2_managed_prefix_list.administration_cidr_ranges.id
+  ip_protocol       = "tcp"
+  from_port         = 22
+  to_port           = 22
+}
+
+resource "aws_vpc_security_group_egress_rule" "linux_dev_02_all_out" {
+  description       = "Allow outbound traffic"
+  security_group_id = aws_security_group.linux_dev_02.id
+  cidr_ipv4         = "0.0.0.0/0"
+  ip_protocol       = "-1"
+}
+