DS-571 Update HouseKeeping Security Group (#74)

* DS-571 Updated nonprod database SG name * DS-571 Adding token volume used in MoM * DS-571 updated Jenkins role * DS-571 Updated Live and PUT Security Group
nhsd-exeter · Jan 16, 2024 · 8b32968 · 8b32968
1 parent 185c8bc
commit 8b32968
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 9 deletions.
diff --git a/build/automation/lib/aws/aws-ecr-create-repository-policy.json b/build/automation/lib/aws/aws-ecr-create-repository-policy.json
@@ -44,12 +44,15 @@
       "Effect": "Deny",
       "NotPrincipal": {
         "AWS": [
-          "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:role/jenkins_assume_role",
-          "arn:aws:sts::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:assumed-role/jenkins_assume_role/jenkins",
+          "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:role/uec-core-dos-jenkins-assume-role",
+          "arn:aws:sts::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:assumed-role/uec-core-dos-jenkins-assume-role/jenkins",
           "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:root"
         ]
       },
-      "Action": ["ecr:BatchDeleteImage", "ecr:DeleteRepository"]
+      "Action": [
+        "ecr:BatchDeleteImage",
+        "ecr:DeleteRepository"
+      ]
     }
   ]
 }
diff --git a/build/automation/lib/docker.mk b/build/automation/lib/docker.mk
@@ -692,6 +692,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 	make docker-config > /dev/null 2>&1
 	mkdir -p $(TMP_DIR)/.python/pip/{cache,packages}
 	mkdir -p $(HOME)/.aws
+	aws_access_dir=$$(echo "--volume /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token")
 	lib_volume_mount=$$(([ $(BUILD_ID) -eq 0 ] || [ "$(LIB_VOLUME_MOUNT)" == true ]) && echo "--volume $(TMP_DIR)/.python/pip/cache:/tmp/.cache/pip --volume $(TMP_DIR)/.python/pip/packages:/tmp/.packages" ||:)
 	image=$$([ -n "$(IMAGE)" ] && echo $(IMAGE) || echo $(DOCKER_LIBRARY_REGISTRY)/tools:$(DOCKER_LIBRARY_TOOLS_VERSION))
 	container=$$([ -n "$(CONTAINER)" ] && echo $(CONTAINER) || echo tools-$(BUILD_COMMIT_HASH)-$(BUILD_ID)-$$(date --date=$$(date -u +"%Y-%m-%dT%H:%M:%S%z") -u +"%Y%m%d%H%M%S" 2> /dev/null)-$$(make secret-random LENGTH=8))
@@ -713,6 +714,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 			--volume $(HOME)/bin:/tmp/bin \
 			--volume $(HOME)/etc:/tmp/etc \
 			--volume $(HOME)/usr:/tmp/usr \
+			$$aws_access_dir \
 			$$lib_volume_mount \
 			--network $(DOCKER_NETWORK) \
 			--workdir /project/$(shell echo $(abspath $(DIR)) | sed "s;$(PROJECT_DIR);;g") \
@@ -736,6 +738,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 			--volume $(HOME)/bin:/tmp/bin \
 			--volume $(HOME)/etc:/tmp/etc \
 			--volume $(HOME)/usr:/tmp/usr \
+			$$aws_access_dir \
 			$$lib_volume_mount \
 			--network $(DOCKER_NETWORK) \
 			--workdir /project/$(shell echo $(abspath $(DIR)) | sed "s;$(PROJECT_DIR);;g") \

diff --git a/build/automation/var/platform-texas/platform-texas-v1.mk b/build/automation/var/platform-texas/platform-texas-v1.mk
@@ -4,7 +4,7 @@ AWS_ECR = $(or $(AWS_ACCOUNT_ID_MGMT), 000000000000).dkr.ecr.$(AWS_DEFAULT_REGIO
 AWS_REGION = eu-west-2
 AWS_DEFAULT_REGION = $(AWS_REGION)
 AWS_ALTERNATIVE_REGION = eu-west-1
-AWS_ROLE_PIPELINE = jenkins_assume_role
+AWS_ROLE_PIPELINE = uec-core-dos-jenkins-assume-role
 AWS_ROLE_SESSION = jenkins
 AWS_ROLE = $(if $(HUDSON_URL),$(AWS_ROLE_PIPELINE),Developer)
 AWS_ALB_SSL_TLS_POLICY = ELBSecurityPolicy-TLS-1-2-2017-01

diff --git a/build/automation/var/profile/live.mk b/build/automation/var/profile/live.mk
@@ -24,5 +24,5 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role
 
 LAMBDA_VERSIONS_TO_RETAIN = 5
 
-#TODO can be changed to new SG when available in live 
-TF_VAR_db_security_group_name = live-lk8s-prod-core-dos-db-rds-postgres-sg
+#TODO can be changed to new SG when available in live
+TF_VAR_db_security_group_name = uec-core-dos-live-datastore-hk-sg
diff --git a/build/automation/var/profile/nonprod.mk b/build/automation/var/profile/nonprod.mk
@@ -27,4 +27,4 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role
 
 LAMBDA_VERSIONS_TO_RETAIN = 5
 
-TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-sg
+TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-hk-sg
diff --git a/build/automation/var/profile/put.mk b/build/automation/var/profile/put.mk
@@ -24,5 +24,5 @@ TF_VAR_splunk_firehose_role := dos-np_cw_w_events_firehose_access_role
 
 LAMBDA_VERSIONS_TO_RETAIN = 5
 
-#TODO can be changed to new SG when available in live 
-TF_VAR_db_security_group_name = live-lk8s-prod-core-dos-db-put-rds-postgres-sg
+#TODO can be changed to new SG when available in live
+TF_VAR_db_security_group_name = uec-core-dos-put-datastore-hk-sg
Original file line number	Diff line number	Diff line change
Expand Up		@@ -27,4 +27,4 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role

		LAMBDA_VERSIONS_TO_RETAIN = 5

		TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-sg
		TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-hk-sg