diff --git a/architecture-decision-record/0032-ncsc-pdns-not-at-platform-level.md b/architecture-decision-record/0032-ncsc-pdns-not-at-platform-level.md
index 9d63841fa..f94123801 100644
--- a/architecture-decision-record/0032-ncsc-pdns-not-at-platform-level.md
+++ b/architecture-decision-record/0032-ncsc-pdns-not-at-platform-level.md
@@ -4,7 +4,7 @@ Date: 2024-07-10
 ## Status
-🤔 Proposed
+✅ Accepted
 ## Context
diff --git a/architecture-decision-record/0034-use-cloud-map.md b/architecture-decision-record/0034-use-cloud-map.md
index 282bade36..174a70481 100644
--- a/architecture-decision-record/0034-use-cloud-map.md
+++ b/architecture-decision-record/0034-use-cloud-map.md
@@ -1,4 +1,4 @@
-# 33. Use of AWS Cloud Map
+# 34. Use of AWS Cloud Map
 Date: 2024-12-01
diff --git a/architecture-decision-record/0035-terraform-workspaces.md b/architecture-decision-record/0035-terraform-workspaces.md
new file mode 100644
index 000000000..28b1214b9
--- /dev/null
+++ b/architecture-decision-record/0035-terraform-workspaces.md
@@ -0,0 +1,20 @@
+# 35. Use of Terraform Workspaces
+
+Date: 2024-12-01
+
+## Status
+
+✅ Accepted
+
+## Context
+
+Terraform [workspaces](https://developer.hashicorp.com/terraform/language/state/workspaces) allow us to use code consistently across environments while maintain separation of state files.
+
+## Decision
+
+We will continue the use of workspaces for separation. Code which uses the `default` workspace will be documented here as an exception.
+
+## Exceptions
+
+* `terraform/modernisation-platform-account`
+* `terraform/github`
diff --git a/architecture-decision-record/README.md b/architecture-decision-record/README.md
index 2c6a6fbeb..dd48b184e 100644
--- a/architecture-decision-record/README.md
+++ b/architecture-decision-record/README.md
@@ -35,8 +35,10 @@ This is our architecture decision log, made during the design and build of the M
 1. ♻ [How we deploy shared Active Directory controllers](0029-how-we-deploy-shared-active-directory-controllers.md)
 1. ✅ [Cross environment network access](0030-cross-environment-network-access.md)
 1. ✅ [LLMs will be hosted on the Analytical Platform](0031-llms-will-be-hosted-on-the-analytical-platform.md)
-1. 🤔 [NCSC PDNS will not be applied at platform level](0032-ncsc-pdns-not-at-platform-level.md)
-
+1. ✅ [NCSC PDNS will not be applied at platform level](0032-ncsc-pdns-not-at-platform-level.md)
+1. ❌ [Increase security of sensitive S3 objects (state bucket)](0033-s3-state-bucket-condition-security.md)
+1. ❌ [Use of AWS Cloud Map](0034-use-cloud-map.md)
+1. ✅ [Use of Terraform Workspaces](0035-terraform-workspaces.md)
 ## Statuses
diff --git a/scripts/internal/get-security-hub-findings/go.mod b/scripts/internal/get-security-hub-findings/go.mod
index d54c66708..50b80a7a9 100644
--- a/scripts/internal/get-security-hub-findings/go.mod
+++ b/scripts/internal/get-security-hub-findings/go.mod
@@ -3,22 +3,22 @@ module modernisation-platform/get-security-hub-findings
 go 1.23
 require (
- github.com/aws/aws-sdk-go-v2 v1.32.8
- github.com/aws/aws-sdk-go-v2/config v1.28.11
- github.com/aws/aws-sdk-go-v2/credentials v1.17.52
- github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.11
- github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3
- github.com/aws/aws-sdk-go-v2/service/sts v1.33.7
+ github.com/aws/aws-sdk-go-v2 v1.33.0
+ github.com/aws/aws-sdk-go-v2/config v1.29.0
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.53
+ github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12
+ github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4
+ github.com/aws/aws-sdk-go-v2/service/sts v1.33.8
 )
 require (
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.24.10 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.9 // indirect
 github.com/aws/smithy-go v1.22.1 // indirect
 )
diff --git a/scripts/internal/get-security-hub-findings/go.sum b/scripts/internal/get-security-hub-findings/go.sum
index 2ff4099c1..7916debb5 100644
--- a/scripts/internal/get-security-hub-findings/go.sum
+++ b/scripts/internal/get-security-hub-findings/go.sum 
@@ -1,30 +1,30 @@
-github.com/aws/aws-sdk-go-v2 v1.32.8 h1:cZV+NUS/eGxKXMtmyhtYPJ7Z4YLoI/V8bkTdRZfYhGo=
-github.com/aws/aws-sdk-go-v2 v1.32.8/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
-github.com/aws/aws-sdk-go-v2/config v1.28.11 h1:7Ekru0IkRHRnSRWGQLnLN6i0o1Jncd0rHo2T130+tEQ=
-github.com/aws/aws-sdk-go-v2/config v1.28.11/go.mod h1:x78TpPvBfHH16hi5tE3OCWQ0pzNfyXA349p5/Wp82Yo=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.52 h1:I4ymSk35LHogx2Re2Wu6LOHNTRaRWkLVoJgWS5Wd40M=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.52/go.mod h1:vAkqKbMNUcher8fDXP2Ge2qFXKMkcD74qvk1lJRMemM=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23 h1:IBAoD/1d8A8/1aA8g4MBVtTRHhXRiNAgwdbo/xRM2DI=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23/go.mod h1:vfENuCM7dofkgKpYzuzf1VT1UKkA/YL3qanfBn7HCaA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27 h1:jSJjSBzw8VDIbWv+mmvBSP8ezsztMYJGH+eKqi9AmNs=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27/go.mod h1:/DAhLbFRgwhmvJdOfSm+WwikZrCuUJiA4WgJG0fTNSw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27 h1:l+X4K77Dui85pIj5foXDhPlnqcNRG2QUyvca300lXh8=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27/go.mod h1:KvZXSFEXm6x84yE8qffKvT3x8J5clWnVFXphpohhzJ8=
+github.com/aws/aws-sdk-go-v2 v1.33.0 h1:Evgm4DI9imD81V0WwD+TN4DCwjUMdc94TrduMLbgZJs=
+github.com/aws/aws-sdk-go-v2 v1.33.0/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
+github.com/aws/aws-sdk-go-v2/config v1.29.0 h1:Vk/u4jof33or1qAQLdofpjKV7mQQT7DcUpnYx8kdmxY=
+github.com/aws/aws-sdk-go-v2/config v1.29.0/go.mod h1:iXAZK3Gxvpq3tA+B9WaDYpZis7M8KFgdrDPMmHrgbJM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.53 h1:lwrVhiEDW5yXsuVKlFVUnR2R50zt2DklhOyeLETqDuE=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.53/go.mod h1:CkqM1bIw/xjEpBMhBnvqUXYZbpCFuj6dnCAyDk2AtAY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24 h1:5grmdTdMsovn9kPZPI23Hhvp0ZyNm5cRO+IZFIYiAfw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24/go.mod h1:zqi7TVKTswH3Ozq28PkmBmgzG1tona7mo9G2IJg4Cis=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 h1:igORFSiH3bfq4lxKFkTSYDhJEUCYo6C8VKiWJjYwQuQ=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28/go.mod h1:3So8EA/aAYm36L7XIvCVwLa0s5N0P7o2b1oqnx/2R4g=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 h1:1mOW9zAUMhTSrMDssEHS/ajx8JcAj/IcftzcmNlmVLI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28/go.mod h1:kGlXVIWDfvt2Ox5zEaNglmq0hXPHgQFNMix33Tw22jA=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 h1:cWno7lefSH6Pp+mSznagKCgfDGeZRin66UvYUqAkyeA=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8/go.mod h1:tPD+VjU3ABTBoEJ3nctu5Nyg4P4yjqSH5bJGGkY4+XE=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.11 h1:mM0wdUneVZdE00Tg4v75rabRdZPzX8BH+zN0HF+Suc4=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.11/go.mod h1:2Hp1QzEIaEw6v25llGTlGM+Xx7FRiCIS90Tb+iqVEfo=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3 h1:TQ0sua3BwzGqHgEao1IwvJ8PAJ+OZPgJ5ByVU7vm314=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3/go.mod h1:6qzlBXc2heuoYIo9eU7/6klKvZKqhADl7Ceh0gp5jCg=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 h1:YqtxripbjWb2QLyzRK9pByfEDvgg95gpC2AyDq4hFE8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.9/go.mod h1:lV8iQpg6OLOfBnqbGMBKYjilBlf633qwHnBEiMSPoHY=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 h1:6dBT1Lz8fK11m22R+AqfRsFn8320K0T5DTGxxOQBSMw=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8/go.mod h1:/kiBvRQXBc6xeJTYzhSdGvJ5vm1tjaDEjH+MSeRJnlY=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.7 h1:qwGa9MA8G7mBq2YphHFaygdPe5t9OA7SvaJdwWTlEds=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.7/go.mod h1:+8h7PZb3yY5ftmVLD7ocEoE98hdc8PoKS0H3wfx1dlc=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 h1:TQmKDyETFGiXVhZfQ/I0cCFziqqX58pi4tKJGYGFSz0=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9/go.mod h1:HVLPK2iHQBUx7HfZeOQSEu3v2ubZaAY2YPbAm5/WUyY=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12 h1:ySWassPBVhrtg96atdKlpUJkxvbYTpi9YnweIjDkGz0=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.12/go.mod h1:l+Fboycn+g9RMQcYbTfpqF/d3qZn90q5PYmO7Biu+WM=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 h1:zFglcUjphRYNX9++btAajm4lkFHUqEEFam6S9Pb73/U=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4/go.mod h1:8IYDBdfP7wR5P1hZ9WacHyV97Fnvrvbz/LvDjSOynKM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.10 h1:DyZUj3xSw3FR3TXSwDhPhuZkkT14QHBiacdbUVcD0Dg=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.10/go.mod h1:Ro744S4fKiCCuZECXgOi760TiYylUM8ZBf6OGiZzJtY=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.9 h1:I1TsPEs34vbpOnR81GIcAq4/3Ud+jRHVGwx6qLQUHLs=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.9/go.mod h1:Fzsj6lZEb8AkTE5S68OhcbBqeWPsR8RnGuKPr8Todl8=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.8 h1:pqEJQtlKWvnv3B6VRt60ZmsHy3SotlEBvfUBPB1KVcM=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.8/go.mod h1:f6vjfZER1M17Fokn0IzssOTMT2N8ZSq+7jnNF0tArvw=
 github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
 github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
diff --git a/source/concepts/environments/instance-scheduling.html.md.erb b/source/concepts/environments/instance-scheduling.html.md.erb
index ee8af3f5a..02e481325 100644
--- a/source/concepts/environments/instance-scheduling.html.md.erb
+++ b/source/concepts/environments/instance-scheduling.html.md.erb
@@ -40,6 +40,52 @@ Here's a Terraform example of how to add the relevant tag for any EC2 and RDS in
 Ordering instances and automatically stopping them on public holidays is not supported using this option.
+## Setting non-production Member Accounts to the Skipped
+
+For convenience, it is possible to flag an entire non-production member account to be skipped. This is done via the addition of the field "instance_scheduler_skip": ["true"] to the environment list in the account .json file in modernisation-platform/environments.
+
+The example below shows this:
+
+```
+{
+  "account-type": "member",
+  "environments": [
+ {
+ "name": "development",
+ "access": [
+ {
+ "sso_group_name": "modernisation-platform",
+ "level": "developer",
+ "nuke": "rebuild"
+ },
+ ---
+ ],
+ "instance_scheduler_skip": ["true"]
+ }
+ ],
+ "tags": {
+ "application": "modernisation-platform",
+ ---
+ },
+ "github-oidc-team-repositories": [""],
+ "go-live-date": ""
+}
+
+```
+
+To check whether an account being skipped or not, check the logs of the latest workflow "Build-test-push" in the Instance Scheduler [repository](https://github.com/ministryofjustice/modernisation-platform-instance-scheduler). It will show the log output of any unit tests of the Go source and specifically details of any accounts that were excluded & why.
+
+For example:
+
+```
+Account is of type member: nomis
+extractNames - Found name: nomis.development
+extractNames - Found name: nomis.test
+extractNames - Skipping due to instance_scheduler_skip: nomis.preproduction
+extractNames - Skipping due to production: nomis.production
+```
+
+
 ## Custom Shutdown & Startup Schedules
 For those teams that require the shutdown & startup of ec2 & rds resources in a specific order or at different times, the option exists to make use of github workflows & cron schedules to stop & start services.
diff --git a/terraform/environments/youth-justice-app-framework/iam.tf b/terraform/environments/youth-justice-app-framework/iam.tf
index 8c40699ad..ea95e97a1 100644
--- a/terraform/environments/youth-justice-app-framework/iam.tf
+++ b/terraform/environments/youth-justice-app-framework/iam.tf
@@ -27,6 +27,7 @@ data "aws_iam_policy_document" "circleci_iam_policy" {
 #checkov:skip=CKV_AWS_111
 statement {
 actions = [
+ "codedeploy:CreateDeployment",
 "ecs:RegisterTaskDefinition",
 "ecs:UpdateService",
 "ecs:deregisterTaskDefinition",
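Review bot: `codedeploy:CreateDeployment` is added to the same statement as the ECS actions, and the `#checkov:skip=CKV_AWS_111` on that statement suggests its `resources` (outside the hunk) are unconstrained, so the CircleCI principal would presumably be able to start a deployment against any CodeDeploy application in the account rather than only this service's. Since `ecs:RegisterTaskDefinition` genuinely needs a wildcard resource, the cleaner shape is a separate statement for CodeDeploy scoped to the application and deployment group, e.g. `actions = ["codedeploy:CreateDeployment"]` with `resources = [aws_codedeploy_app.<name>.arn, aws_codedeploy_deployment_group.<name>.arn]`, with the same scoping applied to `codedeploy:GetDeploymentConfig` / `RegisterApplicationRevision` if those are added later. A one-line comment on the statement naming why the checkov skip is still needed after this change (`# CKV_AWS_111: RegisterTaskDefinition only supports resource "*"`) would also help the next reviewer. The `data "aws_iam_policy_document" "circleci_iam_policy"` block continues past the end of the hunk, so the resources line itself is not visible here.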