From acfc20f2c018e9137efb9cdc145ad59e84462738 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 4 Mar 2025 10:56:10 +0000
Subject: [PATCH] remove egress checker lambda
---
.github/workflows/docker_job.yml | 5 ----
docker/egress-checker/.trivyignore.yaml | 1 -
docker/egress-checker/Dockerfile | 9 ------
.../global/iam_egress_checker_lambda_role.tf | 8 ------
terraform/environment/global/outputs.tf | 1 -
.../environment/region/egress_checker.tf | 16 ----------
.../region/modules/egress_checker/main.tf | 28 -------------------
.../modules/egress_checker/variables.tf | 19 -------------
.../region/modules/egress_checker/versions.tf | 14 ----------
terraform/environment/region/variables.tf | 16 ----------
terraform/environment/regions.tf | 13 ---------
terraform/environment/terraform.tfvars.json | 7 -----
terraform/environment/variables.tf | 5 ++--
13 files changed, 2 insertions(+), 140 deletions(-)
delete mode 100644 docker/egress-checker/.trivyignore.yaml
delete mode 100644 docker/egress-checker/Dockerfile
delete mode 100644 terraform/environment/global/iam_egress_checker_lambda_role.tf
delete mode 100644 terraform/environment/region/egress_checker.tf
delete mode 100644 terraform/environment/region/modules/egress_checker/main.tf
delete mode 100644 terraform/environment/region/modules/egress_checker/variables.tf
delete mode 100644 terraform/environment/region/modules/egress_checker/versions.tf
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index 2ffd8ed7a8..7a03657bf8 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -58,11 +58,6 @@ jobs:
 path: ./docker/schedule-runner/Dockerfile
 trivyignores: ./docker/schedule-runner/.trivyignore.yaml
 platforms: linux/amd64
- - ecr_repository: egress-checker
- name: egress-checker
- path: ./docker/egress-checker/Dockerfile
- trivyignores: ./docker/schedule-runner/.trivyignore.yaml
- platforms: linux/amd64
 runs-on: ubuntu-latest
 name: ${{ matrix.ecr_repository }}
diff --git a/docker/egress-checker/.trivyignore.yaml b/docker/egress-checker/.trivyignore.yaml
deleted file mode 100644
index 34b4c0887e..0000000000
--- a/docker/egress-checker/.trivyignore.yaml
+++ /dev/null
@@ -1 +0,0 @@
-misconfigurations:
diff --git a/docker/egress-checker/Dockerfile b/docker/egress-checker/Dockerfile
deleted file mode 100644
index 156de5162d..0000000000
--- a/docker/egress-checker/Dockerfile
+++ /dev/null
@@ -1,9 +0,0 @@
-FROM public.ecr.aws/lambda/python:3.13
-
-WORKDIR ${LAMBDA_TASK_ROOT}
-
-COPY lambda/egress_checker ${LAMBDA_TASK_ROOT}
-
-RUN pip install --no-cache-dir --requirement requirements.txt
-
-CMD [ "main.lambda_handler" ]
diff --git a/terraform/environment/global/iam_egress_checker_lambda_role.tf b/terraform/environment/global/iam_egress_checker_lambda_role.tf
deleted file mode 100644
index 46a4ccc2ac..0000000000
--- a/terraform/environment/global/iam_egress_checker_lambda_role.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-resource "aws_iam_role" "egress_checker_lambda" {
- name = "egress-checker-${data.aws_default_tags.current.tags.environment-name}"
- assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
- lifecycle {
- create_before_destroy = true
- }
- provider = aws.global
-}
diff --git a/terraform/environment/global/outputs.tf b/terraform/environment/global/outputs.tf
index e920e6cb15..2d1dfb25d4 100644
--- a/terraform/environment/global/outputs.tf
+++ b/terraform/environment/global/outputs.tf
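Review bot: The deleted Dockerfile's `COPY lambda/egress_checker ${LAMBDA_TASK_ROOT}` pointed at a source directory that no path in this patch's diffstat removes, so `lambda/egress_checker` and its `requirements.txt` presumably remain in the tree as code that is no longer built or scanned; confirm it was removed earlier or delete it in a follow-up. The same applies to the `egress-checker` ECR repository that the removed `data "aws_ecr_repository" "egress_checker"` in regions.tf read from: once the `docker_job.yml` matrix entry is gone nothing pushes to it, so its stale images should be cleaned up or the repository removed wherever it is defined. The deleted module described the function as checking egress from the VPC via the network firewall, and the commit message does not say what, if anything, now exercises that control; a sentence on that in the description would help the next reader.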
@@ -10,7 +10,6 @@ output "iam_roles" {
 cross_account_put = aws_iam_role.cross_account_put,
 fault_injection_simulator = aws_iam_role.fault_injection_simulator,
 create_s3_batch_replication_jobs_lambda = aws_iam_role.create_s3_batch_replication_jobs_lambda
- egress_checker_lambda = aws_iam_role.egress_checker_lambda
 event_received_lambda = aws_iam_role.event_received_lambda
 schedule_runner_lambda = aws_iam_role.schedule_runner_lambda
 opensearch_pipeline = aws_iam_role.opensearch_pipeline
diff --git a/terraform/environment/region/egress_checker.tf b/terraform/environment/region/egress_checker.tf
deleted file mode 100644
index 2df2ae48d4..0000000000
--- a/terraform/environment/region/egress_checker.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-module "egress_checker" {
- count = var.egress_checker_enabled ? 1 : 0
- source = "./modules/egress_checker"
- lambda_function_image_ecr_url = var.egress_checker_repository_url
- lambda_function_image_tag = var.egress_checker_container_version
- egress_checker_lambda_role = var.iam_roles.egress_checker_lambda
- vpc_config = {
- subnet_ids = data.aws_subnet.application[*].id
- security_group_ids = [data.aws_security_group.lambda_egress.id]
- }
-
- providers = {
- aws.region = aws.region
- aws.management = aws.management
- }
-}
diff --git a/terraform/environment/region/modules/egress_checker/main.tf b/terraform/environment/region/modules/egress_checker/main.tf
deleted file mode 100644
index cf9ef34082..0000000000
--- a/terraform/environment/region/modules/egress_checker/main.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-data "aws_kms_alias" "cloudwatch_application_logs_encryption" {
- name = "alias/${data.aws_default_tags.current.tags.application}_cloudwatch_application_logs_encryption"
- provider = aws.region
-}
-
-data "aws_default_tags" "current" {
- provider = aws.region
-}
-
-module "egress_checker" {
- source = "../lambda"
- lambda_name = "egress-checker"
- description = "Function to check egress from the VPC via the network firewall"
- image_uri = "${var.lambda_function_image_ecr_url}:${var.lambda_function_image_tag}"
- aws_iam_role = var.egress_checker_lambda_role
- environment = data.aws_default_tags.current.tags.environment-name
- kms_key = data.aws_kms_alias.cloudwatch_application_logs_encryption.target_key_arn
- iam_policy_documents = []
- timeout = 300
- memory = 1024
- vpc_config = {
- subnet_ids = var.vpc_config.subnet_ids
- security_group_ids = var.vpc_config.security_group_ids
- }
- providers = {
- aws.region = aws.region
- }
-}
diff --git a/terraform/environment/region/modules/egress_checker/variables.tf b/terraform/environment/region/modules/egress_checker/variables.tf
deleted file mode 100644
index 5415ee2f83..0000000000
--- a/terraform/environment/region/modules/egress_checker/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "lambda_function_image_ecr_url" {
- type = string
-}
-
-variable "lambda_function_image_tag" {
- type = string
-}
-
-variable "egress_checker_lambda_role" {
- type = any
-}
-
-variable "vpc_config" {
- description = "Configuration block for VPC"
- type = object({
- subnet_ids = list(string)
- security_group_ids = list(string)
- })
-}
diff --git a/terraform/environment/region/modules/egress_checker/versions.tf b/terraform/environment/region/modules/egress_checker/versions.tf
deleted file mode 100644
index 22142bec93..0000000000
--- a/terraform/environment/region/modules/egress_checker/versions.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
- required_version = ">= 1.5.2"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 5.89.0"
- configuration_aliases = [
- aws.region,
- aws.management
- ]
- }
- }
-}
diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf
index df64c93a39..787d4b6948 100644
--- a/terraform/environment/region/variables.tf
+++ b/terraform/environment/region/variables.tf
@@ -6,7 +6,6 @@ variable "iam_roles" {
 cross_account_put = any
 fault_injection_simulator = any
 create_s3_batch_replication_jobs_lambda = any
- egress_checker_lambda = any
 event_received_lambda = any
 schedule_runner_scheduler = any
 schedule_runner_lambda = any
@@ -187,21 +186,6 @@ variable "waf_alb_association_enabled" {
 default = true
 }
-variable "egress_checker_repository_url" {
- type = string
- description = "Repository URL for the egress-checker lambda function"
-}
-
-variable "egress_checker_container_version" {
- type = string
- description = "Container version the egress-checker lambda function"
-}
-
-variable "egress_checker_enabled" {
- type = bool
- default = false
-}
-
 variable "ecs_aws_otel_collector_version" {
 type = string
 description = "semver tag for the public ecr tag of the aws-otel-collector image"
diff --git a/terraform/environment/regions.tf b/terraform/environment/regions.tf
index e37f848bb2..5eb33f1cc4 100644
--- a/terraform/environment/regions.tf
+++ b/terraform/environment/regions.tf
@@ -13,11 +13,6 @@ data "aws_ecr_repository" "mock_pay" {
 provider = aws.management_eu_west_1
 }
-data "aws_ecr_repository" "egress_checker" {
- name = "egress-checker"
- provider = aws.management_eu_west_1
-}
-
 data "aws_ecr_image" "mock_onelogin" {
 repository_name = data.aws_ecr_repository.mock_onelogin.name
 image_tag = "latest"
@@ -38,7 +33,6 @@ module "eu_west_1" {
 cross_account_put = module.global.iam_roles.cross_account_put
 fault_injection_simulator = module.global.iam_roles.fault_injection_simulator
 create_s3_batch_replication_jobs_lambda = module.global.iam_roles.create_s3_batch_replication_jobs_lambda
- egress_checker_lambda = module.global.iam_roles.egress_checker_lambda
 event_received_lambda = module.global.iam_roles.event_received_lambda
 schedule_runner_lambda = module.global.iam_roles.schedule_runner_lambda
 schedule_runner_scheduler = module.global.iam_roles.schedule_runner_scheduler
@@ -53,9 +47,6 @@ module "eu_west_1" {
 mock_onelogin_service_container_version = data.aws_ecr_image.mock_onelogin.id
 mock_pay_service_repository_url = data.aws_ecr_repository.mock_pay.repository_url
 mock_pay_service_container_version = var.container_version
- egress_checker_repository_url = data.aws_ecr_repository.egress_checker.repository_url
- egress_checker_container_version = var.container_version
- egress_checker_enabled = local.environment.egress_checker_enabled
 ingress_allow_list_cidr = module.allow_list.moj_sites
 alb_deletion_protection_enabled = local.environment.application_load_balancer.deletion_protection_enabled
 waf_alb_association_enabled = local.environment.application_load_balancer.waf_alb_association_enabled
@@ -113,7 +104,6 @@ module "eu_west_2" {
 cross_account_put = module.global.iam_roles.cross_account_put
 fault_injection_simulator = module.global.iam_roles.fault_injection_simulator
 create_s3_batch_replication_jobs_lambda = module.global.iam_roles.create_s3_batch_replication_jobs_lambda
- egress_checker_lambda = module.global.iam_roles.egress_checker_lambda
 event_received_lambda = module.global.iam_roles.event_received_lambda
 schedule_runner_lambda = module.global.iam_roles.schedule_runner_lambda
 schedule_runner_scheduler = module.global.iam_roles.schedule_runner_scheduler
@@ -128,9 +118,6 @@ module "eu_west_2" {
 mock_onelogin_service_container_version = local.mock_onelogin_version
 mock_pay_service_repository_url = data.aws_ecr_repository.mock_pay.repository_url
 mock_pay_service_container_version = var.container_version
- egress_checker_repository_url = data.aws_ecr_repository.egress_checker.repository_url
- egress_checker_container_version = var.container_version
- egress_checker_enabled = local.environment.egress_checker_enabled
 ingress_allow_list_cidr = module.allow_list.moj_sites
 alb_deletion_protection_enabled = local.environment.application_load_balancer.deletion_protection_enabled
 waf_alb_association_enabled = local.environment.application_load_balancer.waf_alb_association_enabled
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
index 2cfd962980..3671fd0f48 100644
--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
@@ -27,7 +27,6 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": true,
- "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -117,7 +116,6 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": true,
- "egress_checker_enabled": true,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -207,7 +205,6 @@
 },
 "mock_onelogin_enabled": true,
 "mock_pay_enabled": false,
- "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -298,7 +295,6 @@
 },
 "mock_onelogin_enabled": true,
 "mock_pay_enabled": true,
- "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -388,7 +384,6 @@
 },
 "mock_onelogin_enabled": true,
 "mock_pay_enabled": true,
- "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -478,7 +473,6 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": false,
- "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://preproduction.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -568,7 +562,6 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": false,
- "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
diff --git a/terraform/environment/variables.tf b/terraform/environment/variables.tf
index a3b94a0837..516e57aac4 100644
--- a/terraform/environment/variables.tf
+++ b/terraform/environment/variables.tf
@@ -56,9 +56,8 @@ variable "environments" {
 fault_injection_experiments_enabled = bool
 real_user_monitoring_cw_logs_enabled = bool
 })
- mock_onelogin_enabled = bool
- mock_pay_enabled = bool
- egress_checker_enabled = bool
+ mock_onelogin_enabled = bool
+ mock_pay_enabled = bool
 uid_service = object({
 base_url = string
 api_arns = list(string)