DS-2050 Performance and Regression SG (#77)

* DS-2050 Adding Performance and Regression SG post seperation and deletion of legacy SG * DS-2050 Creating variables and egress for Performance and Regression * DS-2050 Add ingress rules for Performance and Regression * DS-2050 Add ingress rules for Performance and Regression * DS-2050 Add Environment variable to live and put make file
nhsd-exeter · Jan 18, 2024 · 7cb2da2 · 7cb2da2
1 parent 864a865
commit 7cb2da2
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 1 deletion.
diff --git a/build/automation/var/profile/live.mk b/build/automation/var/profile/live.mk
@@ -5,6 +5,7 @@
 
 PROJECT_IMAGE_TAG :=
 ENV := live
+ENVIRONMENT := live
 SERVICE_PREFIX := $(PROJECT_ID)-$(ENV)
 AWS_ROLE_PIPELINE = jenkins_assume_role
 # ==============================================================================

diff --git a/build/automation/var/profile/nonprod.mk b/build/automation/var/profile/nonprod.mk
@@ -27,4 +27,10 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role
 
 LAMBDA_VERSIONS_TO_RETAIN = 5
 
+
+# Adding Performance and Regression SG as the legacy SG [live-lk8s-nonprod-core-dos-db-rds-postgres-sg]
+# with access to all DB is being deprecated
+# As a result adding additional SG to the Lambda used in nonprod
 TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-hk-sg
+TF_VAR_db_performance_security_group_name =  uec-core-dos-performance-datastore-hk-sg
+TF_VAR_db_regression_security_group_name = uec-core-dos-regression-datastore-hk-sg
diff --git a/build/automation/var/profile/put.mk b/build/automation/var/profile/put.mk
@@ -5,6 +5,7 @@
 
 PROJECT_IMAGE_TAG :=
 ENV := put
+ENVIRONMENT := put
 SERVICE_PREFIX := $(PROJECT_ID)-$(ENV)
 AWS_ROLE_PIPELINE = jenkins_assume_role
 # ==============================================================================

diff --git a/infrastructure/stacks/security-groups/data.tf b/infrastructure/stacks/security-groups/data.tf
@@ -1,3 +1,11 @@
 data "aws_security_group" "datastore" {
   name = var.db_security_group_name
 }
+
+data "aws_security_group" "datastore_performance" {
+  name = var.db_performance_security_group_name
+}
+
+data "aws_security_group" "datastore_regression" {
+  name = var.db_regression_security_group_name
+}
diff --git a/infrastructure/stacks/security-groups/main.tf b/infrastructure/stacks/security-groups/main.tf
@@ -9,6 +9,22 @@ resource "aws_security_group" "hk_lambda_sg" {
     protocol        = "tcp"
     security_groups = [data.aws_security_group.datastore.id]
   }
+
+  egress {
+    description     = "Core DoS Performance DB Access"
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [data.aws_security_group.datastore_performance.id]
+  }
+
+  egress {
+    description     = "Core DoS Regression DB Access"
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [data.aws_security_group.datastore_regression.id]
+  }
   egress {
     description = "AWS API Outbound Access"
     from_port   = 443
@@ -26,5 +42,25 @@ resource "aws_security_group_rule" "db_sg_ingress" {
   protocol                 = "tcp"
   security_group_id        = data.aws_security_group.datastore.id
   source_security_group_id = aws_security_group.hk_lambda_sg.id
-  description              = "A rule to allow incoming connections from hk lambda to RDS Security Group"
+  description              = "A rule to allow incoming connections from hk lambda to Datastore Security Group"
+}
+
+resource "aws_security_group_rule" "db_perf_sg_ingress" {
+  type                     = "ingress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = data.aws_security_group.datastore_performance.id
+  source_security_group_id = aws_security_group.hk_lambda_sg.id
+  description              = "A rule to allow incoming connections from hk lambda to Performance Datastore Security Group"
+}
+
+resource "aws_security_group_rule" "db_regression_sg_ingress" {
+  type                     = "ingress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = data.aws_security_group.datastore_regression.id
+  source_security_group_id = aws_security_group.hk_lambda_sg.id
+  description              = "A rule to allow incoming connections from hk lambda to Regression Datastore Security Group"
 }
diff --git a/infrastructure/stacks/security-groups/variables.tf b/infrastructure/stacks/security-groups/variables.tf
@@ -13,3 +13,11 @@ variable "vpc_terraform_state_key" {
 variable "db_security_group_name" {
   description = "Identifier of security group attached to datastore"
 }
+
+variable "db_regression_security_group_name" {
+  description = "Identifier of security group attached to datastore for regression"
+}
+
+variable "db_performance_security_group_name" {
+  description = "Identifier of security group attached to datastore for performance"
+}