diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index 34d00637c02..63168a33ef5 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf @@ -3,54 +3,68 @@ # *.laa-test.modernisation-platform.service.justice.gov.uk # *.laa-preproduction.modernisation-platform.service.justice.gov.uk -# resource "aws_acm_certificate" "laa_cert" { -# domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment) -# validation_method = "DNS" - -# subject_alternative_names = [ -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment) -# ] - -# tags = merge(local.tags, -# { Name = lower(format("%s-%s-certificate", local.application_name, local.environment)) } -# ) - -# lifecycle { -# create_before_destroy = true -# } -# } - -# resource "aws_acm_certificate_validation" "laa_cert" { -# certificate_arn = aws_acm_certificate.laa_cert.arn -# validation_record_fqdns = [for record in aws_route53_record.laa_cert_validation : record.fqdn] -# timeouts { -# create = "10m" -# } -# } - -# resource "aws_route53_record" "laa_cert_validation" { -# provider = aws.core-vpc -# for_each = { -# for dvo in aws_acm_certificate.laa_cert.domain_validation_options : dvo.domain_name => { -# name = dvo.resource_record_name -# record = dvo.resource_record_value -# type = dvo.resource_record_type -# } -# } - -# allow_overwrite = true -# name = each.value.name -# records = [each.value.record] -# ttl = 60 -# type = each.value.type -# zone_id = data.aws_route53_zone.external.zone_id -# } +resource "aws_acm_certificate" "external" { + count = local.is-production ? 0 : 1 + + validation_method = "DNS" + domain_name = "modernisation-platform.service.justice.gov.uk" + subject_alternative_names = [ + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment) + ] + + tags = merge(local.tags, + { Environment = local.environment } + ) + + lifecycle { + create_before_destroy = true + } +} + +## Validation +resource "aws_route53_record" "external_validation" { + depends_on = [ + aws_instance.ec2_oracle_ebs, + aws_instance.ec2_ebsapps + ] + + provider = aws.core-network-services + + for_each = { + for dvo in local.cert_opts : dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + } + } + allow_overwrite = true + name = each.value.name + records = [each.value.record] + ttl = 60 + type = each.value.type + zone_id = local.cert_zone_id +} + +resource "aws_acm_certificate_validation" "external" { + count = local.is-production ? 1 : 1 + + depends_on = [ + aws_route53_record.external_validation + ] + + certificate_arn = local.cert_arn + validation_record_fqdns = [for record in aws_route53_record.external_validation : record.fqdn] + + timeouts { + create = "10m" + } +} diff --git a/terraform/environments/ccms-ebs-upgrade/member-locals.tf b/terraform/environments/ccms-ebs-upgrade/member-locals.tf index 41b9cbb8846..3efe8f9b902 100644 --- a/terraform/environments/ccms-ebs-upgrade/member-locals.tf +++ b/terraform/environments/ccms-ebs-upgrade/member-locals.tf @@ -25,5 +25,7 @@ locals { data.aws_subnet.public_subnets_c.id ] + cert_opts = aws_acm_certificate.external[0].domain_validation_options + cert_arn = aws_acm_certificate.external[0].arn cert_zone_id = data.aws_route53_zone.network-services.zone_id }