Merge pull request #9484 from ministryofjustice/CC-3081

Cc 3081
ministryofjustice · Jan 28, 2025 · 31cfac7 · 31cfac7
2 parents e5ba433 + ed6d8e5
commit 31cfac7
Show file tree

Hide file tree

Showing 9 changed files with 1,020 additions and 4 deletions.
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json
@@ -151,7 +151,7 @@
       "ec2_oracle_instance_threads_accessgate": "2",
       "ami_owner": "self",
       "ec2_instance_type_ftp": "c5d.large",
-      "ftp_ami_id": "ami-09f731dab809ea9df",
+      "ftp_ami_id": "ami-08cd358d745620807",
       "ec2_instance_type_clamav": "c5d.large",
       "clamav_ami_id": "ami-02cb9c4732e6429dd",
       "ebsdb_ami_id": "ami-014b2ba6362f16b1e",
@@ -171,14 +171,14 @@
       "ec2_instance_type_mailrelay": "c4.large",
       "mailrelay_ami_id": "ami-02654187c4eaddcc0",
       "key_name": "",
-      "lz_aws_account_id_env": "140455166311",
+      "lz_aws_account_id_env": "013163512034",
       "lz_aws_subnet_env": "10.203.0.0/20",
       "lz_aws_workspace_nonprod_subnet_env": "10.200.0.0/20",
       "lz_aws_workspace_prod_subnet_env": "10.200.16.0/20",
       "lz_aws_workspace_nonprod_prod": "10.200.0.0/19",
       "lz_aws_appstream_subnet_a_b": "10.200.32.0/23",
       "cloud_platform_subnet": "172.20.0.0/16",
-      "lz_ftp_bucket_environment": "uat",
+      "lz_ftp_bucket_environment": "test",
       "lz_domain_name": "*.uat.legalservices.gov.uk",
       "mp_aws_subnet_env": "10.200.0.0/20",
       "ebs_optimized": "false",
@@ -246,6 +246,7 @@
       "instance_role_ebsapps": "apps",
       "instance_role_ebsconc": "conc",
       "instance_role_ebsdb": "db",
+      "instance_role_ftp": "ftp",
       "instance_role_webgate": "webgate"
     }
   },

diff --git a/terraform/environments/ccms-ebs-upgrade/ccms-ec2-ftp-sg.tf b/terraform/environments/ccms-ebs-upgrade/ccms-ec2-ftp-sg.tf
@@ -0,0 +1,99 @@
+# Security Group for FTP Server
+
+resource "aws_security_group" "ec2_sg_ftp" {
+  count       = local.is-test ? 1 : 0
+  name        = "ec2_sg_ftp"
+  description = "Security Group for FTP Server"
+  vpc_id      = data.aws_vpc.shared.id
+  tags = merge(local.tags,
+    { Name = lower(format("sg-%s-%s-FTP", local.application_name, local.environment)) }
+  )
+}
+
+# INGRESS Rules
+
+### FTP
+
+resource "aws_security_group_rule" "ingress_traffic_ftp_20" {
+  count             = local.is-test ? 1 : 0
+  security_group_id = aws_security_group.ec2_sg_ftp[count.index].id
+  type              = "ingress"
+  description       = "FTP"
+  protocol          = "TCP"
+  from_port         = 20
+  to_port           = 21
+  cidr_blocks = [data.aws_vpc.shared.cidr_block,
+  local.application_data.accounts[local.environment].lz_aws_subnet_env]
+}
+
+### FTP Passive Ports
+
+resource "aws_security_group_rule" "ingress_traffic_ftp_3000" {
+  count             = local.is-test ? 1 : 0
+  security_group_id = aws_security_group.ec2_sg_ftp[count.index].id
+  type              = "ingress"
+  description       = "FTP Passive Ports"
+  protocol          = "TCP"
+  from_port         = 3000
+  to_port           = 3010
+  cidr_blocks = [data.aws_vpc.shared.cidr_block,
+  local.application_data.accounts[local.environment].lz_aws_subnet_env]
+}
+
+### SSH
+
+resource "aws_security_group_rule" "ingress_traffic_ftp_22" {
+  count             = local.is-test ? 1 : 0
+  security_group_id = aws_security_group.ec2_sg_ftp[count.index].id
+  type              = "ingress"
+  description       = "SSH"
+  protocol          = "TCP"
+  from_port         = 22
+  to_port           = 22
+  cidr_blocks = [data.aws_vpc.shared.cidr_block,
+  local.application_data.accounts[local.environment].lz_aws_subnet_env]
+}
+
+
+
+# EGRESS Rules
+
+### FTP
+
+resource "aws_security_group_rule" "egress_traffic_ftp_20" {
+  count             = local.is-test ? 1 : 0
+  security_group_id = aws_security_group.ec2_sg_ftp[count.index].id
+  type              = "egress"
+  description       = "FTP"
+  protocol          = "TCP"
+  from_port         = 20
+  to_port           = 21
+  cidr_blocks = [data.aws_vpc.shared.cidr_block,
+  local.application_data.accounts[local.environment].lz_aws_subnet_env]
+}
+
+### SSH
+
+resource "aws_security_group_rule" "egress_traffic_ftp_22" {
+  count             = local.is-test ? 1 : 0
+  security_group_id = aws_security_group.ec2_sg_ftp[count.index].id
+  type              = "egress"
+  description       = "SSH"
+  protocol          = "TCP"
+  from_port         = 22
+  to_port           = 22
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+### HTTPS
+
+resource "aws_security_group_rule" "egress_traffic_ftp_443" {
+  count             = local.is-test ? 1 : 0
+  security_group_id = aws_security_group.ec2_sg_ftp[count.index].id
+  type              = "egress"
+  description       = "HTTPS"
+  protocol          = "TCP"
+  from_port         = 443
+  to_port           = 443
+  cidr_blocks       = ["0.0.0.0/0"]
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ccms-ec2-ftp.tf b/terraform/environments/ccms-ebs-upgrade/ccms-ec2-ftp.tf
@@ -0,0 +1,105 @@
+resource "aws_instance" "ec2_ftp" {
+  count                       = local.is-test ? 1 : 0
+  instance_type               = local.application_data.accounts[local.environment].ec2_instance_type_ftp
+  ami                         = local.application_data.accounts[local.environment].ftp_ami_id
+  key_name                    = local.application_data.accounts[local.environment].key_name
+  vpc_security_group_ids      = [aws_security_group.ec2_sg_ftp[count.index].id]
+  subnet_id                   = data.aws_subnet.private_subnets_a.id
+  monitoring                  = true
+  ebs_optimized               = false
+  associate_public_ip_address = false
+  iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
+
+  # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
+  lifecycle {
+    ignore_changes = [
+      ebs_block_device,
+      root_block_device,
+      user_data,
+      user_data_replace_on_change
+    ]
+  }
+  user_data_replace_on_change = false
+  user_data = base64encode(templatefile("./templates/ec2_user_data_ftp.sh", {
+    environment               = "${local.environment}"
+    lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
+    lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
+    hostname                  = "ftp"
+  }))
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
+  # Increase the volume size of the root volume
+  root_block_device {
+    volume_type = "gp3"
+    volume_size = 50
+    iops        = 3000
+    encrypted   = true
+    kms_key_id  = data.aws_kms_key.ebs_shared.key_id
+    tags = merge(local.tags,
+      { Name = lower(format("%s-%s", local.application_data.accounts[local.environment].instance_role_ftp, "root")) },
+      { device-name = "/dev/sda1" }
+    )
+  }
+
+  ebs_block_device {
+    device_name = "/dev/sdb"
+    volume_type = "gp3"
+    volume_size = 20
+    //    iops = 12000
+    encrypted  = true
+    kms_key_id = data.aws_kms_key.ebs_shared.key_id
+    tags = merge(local.tags,
+      { Name = lower(format("%s-%s", local.application_data.accounts[local.environment].instance_role_ftp, "ftp")) },
+      { device-name = "/dev/sda1" }
+    )
+  }
+
+  tags = merge(local.tags,
+    { Name = lower(format("ec2-%s-%s-FTP", local.application_name, local.environment)) },
+    { instance-role = local.application_data.accounts[local.environment].instance_role_ftp },
+    { backup = "true" }
+  )
+
+  depends_on = [aws_security_group.ec2_sg_ftp]
+}
+
+module "cw-ftp-ec2" {
+  count  = local.is-test ? 1 : 0
+  source = "./modules/cw-ec2"
+
+  short_env    = local.application_data.accounts[local.environment].short_env
+  name         = "ec2-ftp"
+  topic        = aws_sns_topic.cw_alerts.arn
+  instanceId   = aws_instance.ec2_ftp[count.index].id
+  imageId      = local.application_data.accounts[local.environment].ftp_ami_id
+  instanceType = local.application_data.accounts[local.environment].ec2_instance_type_ftp
+  fileSystem   = "xfs"       # Linux root filesystem
+  rootDevice   = "nvme0n1p1" # This is used by default for root on all the ec2 images
+
+  cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods
+  cpu_datapoints   = local.application_data.cloudwatch_ec2.cpu.eval_periods
+  cpu_period       = local.application_data.cloudwatch_ec2.cpu.period
+  cpu_threshold    = local.application_data.cloudwatch_ec2.cpu.threshold
+
+  mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods
+  mem_datapoints   = local.application_data.cloudwatch_ec2.mem.eval_periods
+  mem_period       = local.application_data.cloudwatch_ec2.mem.period
+  mem_threshold    = local.application_data.cloudwatch_ec2.mem.threshold
+
+  disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods
+  disk_datapoints   = local.application_data.cloudwatch_ec2.disk.eval_periods
+  disk_period       = local.application_data.cloudwatch_ec2.disk.period
+  disk_threshold    = local.application_data.cloudwatch_ec2.disk.threshold
+
+  insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods
+  insthc_period       = local.application_data.cloudwatch_ec2.insthc.period
+  insthc_threshold    = local.application_data.cloudwatch_ec2.insthc.threshold
+
+  syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods
+  syshc_period       = local.application_data.cloudwatch_ec2.syshc.period
+  syshc_threshold    = local.application_data.cloudwatch_ec2.syshc.threshold
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ccms-secrets.tf b/terraform/environments/ccms-ebs-upgrade/ccms-secrets.tf
@@ -0,0 +1,11 @@
+#### This file can be used to store secrets specific to the member account ####
+
+resource "aws_secretsmanager_secret" "secret_ftp_s3" {
+  count       = local.is-test ? 1 : 0
+  name        = "ftp-s3-${local.environment}-aws-key"
+  description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
+
+  tags = merge(local.tags,
+    { Name = "ftp-s3-${local.environment}-aws-key" }
+  )
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf
@@ -67,4 +67,29 @@ resource "aws_route53_record" "webgate_ec2" {
   type    = "A"
   ttl     = 300
   records = [aws_instance.ec2_webgate[count.index].private_ip]
-}
+}
+
+## EBSWEBGATE LB DNS
+resource "aws_route53_record" "ebswgate" {
+  provider = aws.core-vpc
+  zone_id  = data.aws_route53_zone.external.zone_id
+  name     = "portal-ag-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+  type     = "A"
+  alias {
+    name                   = aws_lb.webgate_lb.dns_name
+    zone_id                = aws_lb.webgate_lb.zone_id
+    evaluate_target_health = false
+  }
+}
+
+
+## FTP
+resource "aws_route53_record" "ftp" {
+  count    = local.is-test ? 1 : 0
+  provider = aws.core-vpc
+  zone_id  = data.aws_route53_zone.external.zone_id
+  name     = "ftp-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+  type     = "A"
+  ttl      = 300
+  records  = [aws_instance.ec2_ftp[0].private_ip]
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/scripts/cron-ftp-15-v2.ksh b/terraform/environments/ccms-ebs-upgrade/scripts/cron-ftp-15-v2.ksh
@@ -0,0 +1,44 @@
+#
+# This job runs out of cron and sequentially runs jobs every 15 minutes.
+#
+# RBS Outbound
+#/export/home/aebsprod/scripts/curl-ftp-v2.ksh 001
+#
+# Allpay Outbound
+/export/home/aebsprod/scripts/curl-ftp-v2.ksh 002
+#
+# Eckoh Outbound
+/export/home/aebsprod/scripts/curl-ftp-v2.ksh 003
+#
+# Rossendales Outbound
+/export/home/aebsprod/scripts/curl-ftp-v2.ksh 004
+#
+#TDX Outbound
+# added this script to cope with files owned by oebsprod and unix2dos them
+# psb 14sep2016
+/export/home/aebsprod/scripts/unix2dos.ksh
+/export/home/aebsprod/scripts/curl-ftp-v2.ksh 008
+#
+# Microgen Bacway Outbound RBS
+/export/home/aebsprod/scripts/curl-ftp-v2.ksh 010
+#
+# RBS Inbound
+/export/home/aebsprod/scripts/curl-ftp-v2.ksh 011
+#
+# Citibank Inbound
+## js /export/home/aebsprod/scripts/curl-ftp-v2.ksh 012
+#
+# LFFramework Inbound
+## js /export/home/aebsprod/scripts/curl-ftp-v2.ksh 013
+#
+# Barclaycard Inbound
+## js /export/home/aebsprod/scripts/curl-ftp-v2.ksh 014
+#
+# Barclaycard Outbound
+## js /export/home/aebsprod/scripts/curl-ftp-v2.ksh 007
+#
+# Test Outbound
+##/export/home/aebsprod/scripts/curl-ftp-v2.ksh 098
+#
+# Test Inbound
+##/export/home/aebsprod/scripts/curl-ftp-v2.ksh 099