From f5e13ff3c6ff40a0f123334c036a856ca1f76154 Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Wed, 11 Dec 2024 09:00:44 +0000 Subject: [PATCH 01/15] Set to be accessible in dev environments only --- terraform/20-app/aurora-db.feature-flags.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/20-app/aurora-db.feature-flags.tf b/terraform/20-app/aurora-db.feature-flags.tf index 0365dea3..ea879648 100644 --- a/terraform/20-app/aurora-db.feature-flags.tf +++ b/terraform/20-app/aurora-db.feature-flags.tf @@ -8,7 +8,7 @@ module "aurora_db_feature_flags" { engine_version = "15.5" storage_encrypted = true - publicly_accessible = true + publicly_accessible = local.enable_public_db manage_master_user_password = true database_name = "unleash" From e6bc30c3920965aca5ac8e6c1e8cd8d7458ef5fc Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Wed, 11 Dec 2024 10:13:42 +0000 Subject: [PATCH 02/15] Simplify scheduled policy for non-essential envs overnight shutdown of ECS services --- terraform/20-app/locals.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/20-app/locals.tf b/terraform/20-app/locals.tf index 90777480..d23dd0eb 100644 --- a/terraform/20-app/locals.tf +++ b/terraform/20-app/locals.tf @@ -33,8 +33,8 @@ locals { scheduled_scaling_policies_for_non_essential_envs = { start_of_working_day_scale_out = { - min_capacity = local.use_prod_sizing ? 3 : 1 - max_capacity = local.use_prod_sizing ? 3 : 1 + min_capacity = 1 + max_capacity = 1 schedule = "cron(0 07 ? * MON-FRI *)" # Run every weekday at 7am } end_of_working_day_scale_in = { From d34d149ace33f5e2836ec2585efd67ae17640f16 Mon Sep 17 00:00:00 2001 From: Khawar Mahmood Date: Thu, 12 Dec 2024 14:34:51 +0000 Subject: [PATCH 03/15] add ip addresses for multiple users --- terraform/20-app/ip-allow-lists.tf | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
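Review bot: The `publicly_accessible = local.enable_public_db` line in this hunk is not carried by two later patches in the series: the aurora-db.feature-flags.tf hunks of PATCH 06 and PATCH 07 are both based on the pre-change blob (their `index` lines start from 0365dea3 and their context still reads `publicly_accessible = true`). Whichever of those lands last will either conflict here or risk reintroducing `true`, so the rebase must keep `local.enable_public_db` alongside the new `deletion_protection` and `enabled_cloudwatch_logs_exports` lines. It is worth re-checking the feature-flag cluster's public accessibility after the series is merged. The `module "aurora_db_feature_flags"` block continues outside the hunk.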
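Review bot: The comment `# Run every weekday at 7am` on the schedule line kept by this hunk does not say which timezone the cron expression is evaluated in; scheduled scaling actions run in UTC unless a timezone is configured, and nothing in the hunk sets one. Suggest `# Run every weekday at 07:00 (UTC unless the scheduled action sets a timezone)` so the summer-time offset is not misread. Dropping the `local.use_prod_sizing` ternary for `start_of_working_day_scale_out` is consistent with the locals name `scheduled_scaling_policies_for_non_essential_envs`; the `end_of_working_day_scale_in` entry continues outside the hunk.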
diff --git a/terraform/20-app/ip-allow-lists.tf b/terraform/20-app/ip-allow-lists.tf index 80ebc3cd..0e6d45f2 100644 --- a/terraform/20-app/ip-allow-lists.tf +++ b/terraform/20-app/ip-allow-lists.tf @@ -7,7 +7,7 @@ locals { "167.98.124.170/32", # Burendo London "90.219.251.228/32", # Phil "84.67.254.137/32", # Rhys - "176.254.91.127/32", # Rhys 2 + "176.254.91.127/32", # Rhys 2 "35.176.13.254/32", # UKHSA test EC2 "35.176.178.91/32", # UKHSA test EC2 "35.179.30.107/32", # UKHSA test EC2 @@ -20,8 +20,7 @@ locals { "86.177.34.133/32" # Luke ], project_team = [ - "90.206.168.235/32", # Debbie - "86.19.42.86/32", # Debbie 2 + "5.68.132.72/32", # Debbie ], other_stakeholders = [ "62.253.228.56/32", # UKHSA gateway @@ -38,13 +37,15 @@ locals { "66.249.74.35/32", # Ciara 2 "2.25.205.147/32", # Prince "86.128.102.66/32", # Ester - "167.98.243.140/32", # Tom H - "81.105.235.133/32", # Tom H 2 + "167.98.243.140/32", # Tom Hebbert + "81.105.235.133/32", # Tom Hebbert 2 "51.149.2.8/32", # Agostinho Sousa - "86.29.186.201/32", # Charlotte Brace + "136.226.191.87/32", # Charlotte Brace "2.221.74.175/32", # Gareth "81.108.143.100/32", # Ruairidh Villar "90.218.199.1/32", # Ruth Baxter + "86.11.171.6/32", # Jason Deakin + "192.168.0.20/32", # Alana Firth ] ncc = [ "5.148.69.16/28", From daef37edd1f55d94b0b645dea41958d18706a01a Mon Sep 17 00:00:00 2001 From: Khawar Mahmood Date: Thu, 12 Dec 2024 15:55:10 +0000 Subject: [PATCH 04/15] add Georgina Milne's IP --- terraform/20-app/ip-allow-lists.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/20-app/ip-allow-lists.tf b/terraform/20-app/ip-allow-lists.tf index 0e6d45f2..4df8e06b 100644 --- a/terraform/20-app/ip-allow-lists.tf +++ b/terraform/20-app/ip-allow-lists.tf @@ -46,6 +46,7 @@ locals { "90.218.199.1/32", # Ruth Baxter "86.11.171.6/32", # Jason Deakin "192.168.0.20/32", # Alana Firth + "62.253.228.56/32", # Georgina Milne ] ncc = [ "5.148.69.16/28", 
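Review bot: `"192.168.0.20/32", # Alana Firth` is an RFC 1918 private address, so it can never match the source of a request arriving from the Internet; it is almost certainly a LAN address recorded instead of the user's public egress IP and should be replaced or removed, since a dead entry only gives a false impression that the user is covered. The `"176.254.91.127/32", # Rhys 2` change is whitespace-only and adds noise to the diff. Some of the replaced addresses (for example `136.226.191.87/32`) look like they fall in ranges used by cloud security-proxy services rather than a home connection; if so, that /32 is a shared exit node and the entry admits every tenant egressing through it, which is worth confirming before relying on the list as an access control. The `locals` block continues outside the hunk.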
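Review bot: The added `"62.253.228.56/32", # Georgina Milne` duplicates the `# UKHSA gateway` entry already present under `other_stakeholders` (visible as context in the preceding patch). It is probably harmless if `complete_ip_allow_list` deduplicates through a set before the `tolist(...)` cast, but the label is misleading: if the user reaches the service via the UKHSA gateway she is already covered and this line should be dropped, or the gateway comment extended instead. Note also that PATCH 05 is based on 0e6d45f2 rather than this patch's result 4df8e06b, so the two must be merged together. The `locals` block continues outside the hunk.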
From 7a33b9e96337018971a4a2f5c1a694417b67ecd0 Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Thu, 12 Dec 2024 16:10:19 +0000 Subject: [PATCH 05/15] Remove pen testers from IP allow list --- terraform/20-app/ip-allow-lists.tf | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/terraform/20-app/ip-allow-lists.tf b/terraform/20-app/ip-allow-lists.tf index 0e6d45f2..91d86c0a 100644 --- a/terraform/20-app/ip-allow-lists.tf +++ b/terraform/20-app/ip-allow-lists.tf @@ -47,13 +47,7 @@ locals { "86.11.171.6/32", # Jason Deakin "192.168.0.20/32", # Alana Firth ] - ncc = [ - "5.148.69.16/28", - "167.98.200.192/27", - "167.98.200.196/27", - "195.95.131.0/24", - "5.148.32.192/26", - ] + ncc = [] } complete_ip_allow_list = tolist( # Cast back to a list for portability From 6318d73ae9a551f90c58ed1d8efc98cc863d92b5 Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Tue, 17 Dec 2024 13:10:05 +0000 Subject: [PATCH 06/15] Apply deletion protection to prod-grade feature flag dbs --- terraform/20-app/aurora-db.feature-flags.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/20-app/aurora-db.feature-flags.tf b/terraform/20-app/aurora-db.feature-flags.tf index 0365dea3..5d291111 100644 --- a/terraform/20-app/aurora-db.feature-flags.tf +++ b/terraform/20-app/aurora-db.feature-flags.tf @@ -9,6 +9,7 @@ module "aurora_db_feature_flags" { storage_encrypted = true publicly_accessible = true + deletion_protection = local.use_prod_sizing manage_master_user_password = true database_name = "unleash" From 10ce54afc56acfced542cf5f38f5bb2d196a9f33 Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Tue, 17 Dec 2024 13:52:01 +0000 Subject: [PATCH 07/15] Send `postgresql` logs to cloudwatch --- terraform/20-app/aurora-db.app.tf | 11 ++++++----- terraform/20-app/aurora-db.feature-flags.tf | 7 ++++--- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/terraform/20-app/aurora-db.app.tf b/terraform/20-app/aurora-db.app.tf index e9e44597..73825b15 100644 
--- a/terraform/20-app/aurora-db.app.tf +++ b/terraform/20-app/aurora-db.app.tf @@ -14,11 +14,12 @@ module "aurora_db_app" { database_name = "cms" master_username = "api_user" - monitoring_interval = 0 - apply_immediately = true - skip_final_snapshot = true - publicly_accessible = local.enable_public_db - deletion_protection = local.use_prod_sizing + monitoring_interval = 0 + apply_immediately = true + skip_final_snapshot = true + publicly_accessible = local.enable_public_db + deletion_protection = local.use_prod_sizing + enabled_cloudwatch_logs_exports = ["postgresql"] instance_class = "db.serverless" serverlessv2_scaling_configuration = { diff --git a/terraform/20-app/aurora-db.feature-flags.tf b/terraform/20-app/aurora-db.feature-flags.tf index 0365dea3..afb1eec0 100644 --- a/terraform/20-app/aurora-db.feature-flags.tf +++ b/terraform/20-app/aurora-db.feature-flags.tf @@ -14,9 +14,10 @@ module "aurora_db_feature_flags" { database_name = "unleash" master_username = "unleash_user" - monitoring_interval = 60 - apply_immediately = true - skip_final_snapshot = true + monitoring_interval = 60 + apply_immediately = true + skip_final_snapshot = true + enabled_cloudwatch_logs_exports = ["postgresql"] instance_class = "db.serverless" serverlessv2_scaling_configuration = { From d48509b368e15247bb4e44c480f4e94ea908ebaf Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Tue, 17 Dec 2024 14:13:05 +0000 Subject: [PATCH 08/15] Add `data-dashboard-engineers` as default code owners --- .github/CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..dbab7b13 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @UKHSAInternal/data-dashboard-engineers \ No newline at end of file From 78f8ad3af81f024e19c3dc254cbca09119a013bf Mon Sep 17 00:00:00 2001 
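Review bot: In the realigned block `skip_final_snapshot = true` sits directly above `deletion_protection = local.use_prod_sizing`, which is contradictory for a prod-sized cluster: deletion is guarded, yet if the guard is ever lifted and the cluster destroyed no final snapshot is taken. Suggest `skip_final_snapshot = !local.use_prod_sizing` here and in the aurora-db.feature-flags.tf hunk of this patch, which also keeps `skip_final_snapshot = true`. The two clusters also now differ on `monitoring_interval` (0 here, 60 for feature flags); if that is deliberate a one-line comment would help. The `module "aurora_db_app"` block continues outside the hunk.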
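Review bot: `enabled_cloudwatch_logs_exports = ["postgresql"]` is added without anything in the hunk governing what the exported log contains or how long it is retained; the content depends on the cluster parameter group (`log_statement`, `log_min_duration_statement` and similar), and with statement logging enabled the export can carry SQL text including literal values into CloudWatch. Please confirm the parameter group keeps statement logging off for this cluster and that the log group has a suitable retention and encryption setting, and record it with a comment such as `# server log only; statement logging is controlled by the parameter group`. This hunk's context still shows `publicly_accessible = true` and no `deletion_protection`, so it predates PATCH 01 and PATCH 06 and the rebase must keep those lines. The module block continues outside the hunk.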
From: A-Ashiq Date: Tue, 17 Dec 2024 14:19:23 +0000 Subject: [PATCH 09/15] Update team name --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index dbab7b13..5e33874c 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -* @UKHSAInternal/data-dashboard-engineers \ No newline at end of file +* @UKHSA-Internal/data-dashboard-engineers \ No newline at end of file From 244cce65702ef62b6b94e9b5ee193510d29b963e Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Thu, 19 Dec 2024 09:43:17 +0000 Subject: [PATCH 10/15] Restart feedback API when rotating db password --- src/lambda-db-password-rotation/index.js | 1 + src/lambda-db-password-rotation/index.test.js | 2 ++ terraform/20-app/lambda.db-password-rotation.tf | 3 +++ 3 files changed, 6 insertions(+) diff --git a/src/lambda-db-password-rotation/index.js b/src/lambda-db-password-rotation/index.js index 2e2e45cb..8a7658ad 100644 --- a/src/lambda-db-password-rotation/index.js +++ b/src/lambda-db-password-rotation/index.js @@ -32,6 +32,7 @@ async function restartMainDbECSServices(ecsClient = new ECSClient(), overridenDe await dependencies.restartECSService(ecsClient, process.env.CMS_ADMIN_ECS_SERVICE_NAME) await dependencies.restartECSService(ecsClient, process.env.PRIVATE_API_ECS_SERVICE_NAME) await dependencies.restartECSService(ecsClient, process.env.PUBLIC_API_ECS_SERVICE_NAME) + await dependencies.restartECSService(ecsClient, process.env.FEEDBACK_API_ECS_SERVICE_NAME) console.log(`All required ECS tasks have been restarted for main DB`); }; diff --git a/src/lambda-db-password-rotation/index.test.js b/src/lambda-db-password-rotation/index.test.js index 5284d924..e0706678 100644 --- a/src/lambda-db-password-rotation/index.test.js +++ b/src/lambda-db-password-rotation/index.test.js 
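Review bot: The added `await dependencies.restartECSService(ecsClient, process.env.FEEDBACK_API_ECS_SERVICE_NAME)` passes the environment value through unchecked, so if the variable is missing in some environment the call is made with `undefined` and the failure surfaces only from the ECS client, after the three preceding services have already been restarted. That matches the existing lines, but because each call is awaited in sequence a throw here leaves the earlier restarts done and the `console.log` below never emitted; a short comment on `restartMainDbECSServices` stating that services are restarted in order and that a failure aborts the remainder would make that contract explicit. The function signature is on the `@@` line and its body continues outside the hunk.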
@@ -58,12 +58,14 @@ describe('restartMainDbECSServices', () => { const fakeCMSAdminECSServiceName = 'fake-cms-admin-ecs-service-name' const fakePrivateAPIECSServiceName = 'fake-private-api-ecs-service-name' const fakePublicAPIECSServiceName = 'fake-public-api-ecs-service-name' + const fakeFeedbackAPIECSServiceName = 'fake-feedback-api-ecs-service-name' const mockedEnvVar = sinon.stub(process, 'env').value( { CMS_ADMIN_ECS_SERVICE_NAME: fakeCMSAdminECSServiceName, PRIVATE_API_ECS_SERVICE_NAME: fakePrivateAPIECSServiceName, PUBLIC_API_ECS_SERVICE_NAME: fakePublicAPIECSServiceName, + FEEDBACK_API_ECS_SERVICE_NAME: fakeFeedbackAPIECSServiceName, } ); diff --git a/terraform/20-app/lambda.db-password-rotation.tf b/terraform/20-app/lambda.db-password-rotation.tf index 7a67c35c..555b0425 100644 --- a/terraform/20-app/lambda.db-password-rotation.tf +++ b/terraform/20-app/lambda.db-password-rotation.tf @@ -19,6 +19,7 @@ module "lambda_db_password_rotation" { CMS_ADMIN_ECS_SERVICE_NAME = module.ecs_service_cms_admin.name PRIVATE_API_ECS_SERVICE_NAME = module.ecs_service_private_api.name PUBLIC_API_ECS_SERVICE_NAME = module.ecs_service_public_api.name + FEEDBACK_API_ECS_SERVICE_NAME = module.ecs_service_feedback_api.name FEATURE_FLAGS_ECS_SERVICE_NAME = module.ecs_service_feature_flags.name } @@ -31,7 +32,9 @@ module "lambda_db_password_rotation" { module.ecs_service_private_api.id, module.ecs_service_public_api.id, module.ecs_service_cms_admin.id, + module.ecs_service_feedback_api.id, module.ecs_service_feature_flags.id, + ] } } From 62fa94d4af3201929ffe86576a1d1bfc6d393d8b Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Thu, 19 Dec 2024 09:50:59 +0000 Subject: [PATCH 11/15] Update test --- src/lambda-db-password-rotation/index.test.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/lambda-db-password-rotation/index.test.js b/src/lambda-db-password-rotation/index.test.js index e0706678..d54749f3 100644 --- a/src/lambda-db-password-rotation/index.test.js 
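Review bot: The second hunk (`@@ -31,7 +32,9 @@`) adds an empty `+` line after `module.ecs_service_feature_flags.id,`, leaving a blank line inside the list before `]`; `module.ecs_service_feedback_api.id,` is the only addition needed. Beyond the list, restarting the feedback service requires the lambda's execution role to be permitted to update that service; the policy is not in this hunk, so confirm its resource list was widened and remains scoped to the specific service ARNs rather than `*`. The `module "lambda_db_password_rotation"` block continues outside both hunks.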
+++ b/src/lambda-db-password-rotation/index.test.js @@ -80,12 +80,11 @@ describe('restartMainDbECSServices', () => { await restartMainDbECSServices(mockedECSClient, spyDependencies); // Then - // The function should have been called 3 times, 1 for each ECS service - expect(restartECSServiceSpy.calledThrice).toBeTruthy(); // The function should have been called with each ECS service name expect(restartECSServiceSpy.firstCall.lastArg).toEqual(fakeCMSAdminECSServiceName) expect(restartECSServiceSpy.secondCall.lastArg).toEqual(fakePrivateAPIECSServiceName) expect(restartECSServiceSpy.thirdCall.lastArg).toEqual(fakePublicAPIECSServiceName) + expect(restartECSServiceSpy.lastCall.lastArg).toEqual(fakeFeedbackAPIECSServiceName) // Restore the environment variable mockedEnvVar.restore(); From cba4b226fc52dfcc6a53e5848e6c95e74785aef9 Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Fri, 3 Jan 2025 15:24:19 +0000 Subject: [PATCH 12/15] Remove broad `PassRole` permission from operations IAM role --- terraform/10-account/iam.operations-role.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/10-account/iam.operations-role.tf b/terraform/10-account/iam.operations-role.tf index 682dcf10..9248622f 100644 --- a/terraform/10-account/iam.operations-role.tf +++ b/terraform/10-account/iam.operations-role.tf @@ -54,7 +54,6 @@ module "iam_operations_policy" { "ecs:DescribeTasks", "ecs:ExecuteCommand", "ecs:RunTask", - "iam:PassRole", "logs:StartLiveTail", "logs:StopLiveTail" ], From 8c7ee9fe0e1e9cc92baa1a66ffcc221827df8064 Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Mon, 6 Jan 2025 10:42:45 +0000 Subject: [PATCH 13/15] Setup terraform before `restart-services` build --- .github/workflows/production.yml | 1 + .github/workflows/well-known-environment.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml index a4b43379..354d2be6 100644 --- a/.github/workflows/production.yml +++ b/.github/workflows/production.yml 
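Review bot: Dropping `expect(restartECSServiceSpy.calledThrice).toBeTruthy()` instead of updating it removes the only check on the total number of restarts, and `lastCall` will still pass if an extra service is restarted in between. Replace the removed line with `expect(restartECSServiceSpy.callCount).toEqual(4)` and assert the fourth call explicitly with `expect(restartECSServiceSpy.getCall(3).lastArg).toEqual(fakeFeedbackAPIECSServiceName)`. The `describe('restartMainDbECSServices', ...)` block continues outside the hunk.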
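Review bot: Removing `iam:PassRole` outright from a statement that still grants `ecs:RunTask` and `ecs:ExecuteCommand` will most likely make `RunTask` fail for any task definition that names a task role or execution role, because ECS requires the caller to be allowed to pass those roles. The least-privilege form is a separate `iam:PassRole` statement whose `Resource` lists the specific task and execution role ARNs, with a condition restricting `iam:PassedToService` to `ecs-tasks.amazonaws.com`; that closes the broad role-passing the commit targets while keeping `RunTask` usable. The `module "iam_operations_policy"` action list starts and ends outside the hunk.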
@@ -102,6 +102,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} tools-account-role: ${{ secrets.UHD_TERRAFORM_IAM_ROLE }} + - uses: ./.github/actions/setup-terraform - uses: ./.github/actions/setup-zsh - name: Terraform output diff --git a/.github/workflows/well-known-environment.yml b/.github/workflows/well-known-environment.yml index bb195336..e3336833 100644 --- a/.github/workflows/well-known-environment.yml +++ b/.github/workflows/well-known-environment.yml @@ -126,6 +126,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} tools-account-role: ${{ secrets.UHD_TERRAFORM_IAM_ROLE }} + - uses: ./.github/actions/setup-terraform - uses: ./.github/actions/setup-zsh - uses: ./.github/actions/well-known-environment-name with: From 1001bb2cf77660d555c8214d1f48f4369c103cc4 Mon Sep 17 00:00:00 2001 From: A-Ashiq Date: Mon, 6 Jan 2025 11:22:03 +0000 Subject: [PATCH 14/15] Setup terraform before `restart-services` build --- .github/workflows/pull-request.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 6ec0e183..8abfcc11 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -193,6 +193,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} tools-account-role: ${{ secrets.UHD_TERRAFORM_IAM_ROLE }} + - uses: ./.github/actions/setup-terraform - uses: ./.github/actions/setup-zsh - uses: ./.github/actions/short-sha From e7241e8a1e3c0efcf0a1fb18f2df6d322aca2acc Mon Sep 17 00:00:00 2001 From: Khawar Mahmood Date: Thu, 2 Jan 2025 14:51:37 +0000 Subject: [PATCH 15/15] add Krishna's ip address --- terraform/20-app/ip-allow-lists.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/20-app/ip-allow-lists.tf b/terraform/20-app/ip-allow-lists.tf index 6f1e1dc6..a6bcf1de 100644 --- a/terraform/20-app/ip-allow-lists.tf +++ b/terraform/20-app/ip-allow-lists.tf 
@@ -13,7 +13,7 @@ locals { "35.179.30.107/32", # UKHSA test EC2 "18.133.111.70/32", # UKHSA test gateway "81.108.89.51/32", # Krishna - Macbook - "165.225.197.26/32", # Krishna - Windows + "147.161.236.99/32", # Krishna - Windows "80.7.227.61/32", # Kiran "92.234.44.48/32", # Zesh "51.241.222.137/32", # Temitope Akinsoto
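Review bot: The new entry `"147.161.236.99/32", # Krishna - Windows`, like the `165.225.197.26/32` it replaces, looks like an address from a cloud security-proxy provider's egress range rather than the user's own connection; if so, the /32 is a shared exit node that admits any tenant routed through it and is liable to change as the proxy rebalances, which is why it has already needed replacing once. Worth confirming how the Windows machine egresses and, if it is a proxy, allow-listing the organisation's dedicated egress range or using an identity-based control instead of chasing individual nodes. The patch is based on 6f1e1dc6, which no earlier patch in this series produces, so it will need rebasing onto the other ip-allow-lists.tf changes. The `locals` block continues outside the hunk.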