Merge pull request #5181 from ministryofjustice/CC-2391/execute-scrip…

…t-via-systems-manager CC-2391: Added resource groups, tags.
ministryofjustice · Mar 22, 2024 · 9169450 · 9169450
2 parents 8e329cd + 67e09cd
commit 9169450
Show file tree

Hide file tree

Showing 15 changed files with 592 additions and 40 deletions.
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json
@@ -4,7 +4,11 @@
       "short_env": "dev",
       "dns": "laa-development",
       "ses_domain_identity": "dev.legalservices.gov.uk",
-      "instance-scheduling": "skip-scheduling",
+      "instance-scheduling-accessgate": "skip-scheduling",
+      "instance-scheduling-ebsapps": "skip-scheduling",
+      "instance-scheduling-ebsconc": "skip-scheduling",
+      "instance-scheduling-ebsdb": "skip-scheduling",
+      "instance-scheduling-webgate": "skip-scheduling",
       "ec2_oracle_instance_type_ebsdb_test": "x2iedn.8xlarge",
       "ec2_oracle_instance_type_ebsdb": "m5d.4xlarge",
       "ec2_oracle_instance_cores_ebsdb": "8",
@@ -100,7 +104,12 @@
       "ebs_size_ebsconc_home": 100,
       "ebs_size_ebsconc_stage": 100,
       "ebs_size_ebsconc_temp": 100,
-      "ebs_backup_snapshot_id": "snap-0cdfe4b46c1e34ebb"
+      "ebs_backup_snapshot_id": "snap-0cdfe4b46c1e34ebb",
+      "instance_role_accessgate": "accessgate",
+      "instance_role_ebsapps": "apps",
+      "instance_role_ebsconc": "conc",
+      "instance_role_ebsdb": "db",
+      "instance_role_webgate": "webgate"
     }
   },
   "webgate_ebs": {

diff --git a/terraform/environments/ccms-ebs-upgrade/ccms-resource-groups.tf b/terraform/environments/ccms-ebs-upgrade/ccms-resource-groups.tf
@@ -0,0 +1,119 @@
+resource "aws_resourcegroups_group" "accessgate" {
+  name        = "accessgate"
+  description = "Accessgate instances"
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": [ "AWS::EC2::Instance" ],
+  "TagFilters": [
+    {
+      "Key": "instance-role",
+      "Values": ["accessgate"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+resource "aws_resourcegroups_group" "ebsapps" {
+  name        = "ebsapps"
+  description = "EBSapps instances"
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": [ "AWS::EC2::Instance" ],
+  "TagFilters": [
+    {
+      "Key": "instance-role",
+      "Values": ["ebsapps"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+resource "aws_resourcegroups_group" "conc" {
+  name        = "conc"
+  description = "EBSconc instances"
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": [ "AWS::EC2::Instance" ],
+  "TagFilters": [
+    {
+      "Key": "instance-role",
+      "Values": ["conc"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+resource "aws_resourcegroups_group" "ebsdb" {
+  name        = "ebsdb"
+  description = "EBSdb instances"
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": [ "AWS::EC2::Instance" ],
+  "TagFilters": [
+    {
+      "Key": "instance-role",
+      "Values": ["ebsdb"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+resource "aws_resourcegroups_group" "webgate" {
+  name        = "webgate"
+  description = "Webgate instances"
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": [ "AWS::EC2::Instance" ],
+  "TagFilters": [
+    {
+      "Key": "instance-role",
+      "Values": ["webgate"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+output "aws_resourcegroups_group_accessgate_arn" {
+  description = "aws_resourcegroups_group accessgate arn"
+  value       = "aws_resourcegroups_group.accessgate.arn"
+}
+
+output "aws_resourcegroups_group_ebsapps_arn" {
+  description = "aws_resourcegroups_group ebsapps arn"
+  value       = "aws_resourcegroups_group.ebsapps.arn"
+}
+
+output "aws_resourcegroups_group_conc_arn" {
+  description = "aws_resourcegroups_group conc arn"
+  value       = "aws_resourcegroups_group.conc.arn"
+}
+
+output "aws_resourcegroups_group_ebsdb_arn" {
+  description = "aws_resourcegroups_group ebsdb arn"
+  value       = "aws_resourcegroups_group.ebsdb.arn"
+}
+
+output "aws_resourcegroups_group_webgate_arn" {
+  description = "aws_resourcegroups_group webgate arn"
+  value       = "aws_resourcegroups_group.webgate.arn"
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ccms-ssm-document-ebs-apps-service-start.yaml b/terraform/environments/ccms-ebs-upgrade/ccms-ssm-document-ebs-apps-service-start.yaml
@@ -0,0 +1,20 @@
+# ccms-ssm-document-ebs-apps-service-start.yaml
+---
+schemaVersion: "2.2"
+description: Execute the startAPP.sh script.
+parameters:
+  action:
+    type: String
+    allowedValues:
+    - start
+mainSteps:
+  - name: startAPP
+    action: aws:runShellScript
+    isEnd: true
+    precondition:
+      StringEquals:
+        - "{{ action }}"
+        - start
+    inputs:
+      runCommand:
+        - "/home/applmgr/scripts/startAPP.sh"
diff --git a/terraform/environments/ccms-ebs-upgrade/ccms-ssm-document-ebs-apps-service-status.yaml b/terraform/environments/ccms-ebs-upgrade/ccms-ssm-document-ebs-apps-service-status.yaml
@@ -0,0 +1,20 @@
+# ccms-ssm-document-ebs-apps-service-status.yaml
+---
+schemaVersion: "2.2"
+description: Execute the statusAPP.sh script.
+parameters:
+  action:
+    type: String
+    allowedValues:
+    - status
+mainSteps:
+  - name: statusAPP
+    action: aws:runShellScript
+    isEnd: true
+    precondition:
+      StringEquals:
+        - "{{ action }}"
+        - status
+    inputs:
+      runCommand:
+        - "/home/applmgr/scripts/statusAPP.sh"
diff --git a/terraform/environments/ccms-ebs-upgrade/ccms-ssm-document-ebs-apps-service-stop.yaml b/terraform/environments/ccms-ebs-upgrade/ccms-ssm-document-ebs-apps-service-stop.yaml
@@ -0,0 +1,20 @@
+# ccms-ssm-document-ebs-apps-service-stop.yaml
+---
+schemaVersion: "2.2"
+description: Execute the stopAPP.sh script.
+parameters:
+  action:
+    type: String
+    allowedValues:
+    - stop
+mainSteps:
+  - name: stopAPP
+    action: aws:runShellScript
+    isEnd: true
+    precondition:
+      StringEquals:
+        - "{{ action }}"
+        - stop
+    inputs:
+      runCommand:
+        - "/home/applmgr/scripts/stopAPP.sh"
diff --git a/terraform/environments/ccms-ebs-upgrade/ccms-ssm.tf b/terraform/environments/ccms-ebs-upgrade/ccms-ssm.tf
@@ -0,0 +1,92 @@
+resource "aws_ssm_document" "ebs_apps_service_start" {
+  name            = "EBS-Apps-Service-Start"
+  document_type   = "Command"
+  document_format = "YAML"
+
+  content = file("ccms-ssm-document-ebs-apps-service-start.yaml")
+}
+
+resource "aws_ssm_document" "ebs_apps_service_status" {
+  name            = "EBS-Apps-Service-Status"
+  document_type   = "Command"
+  document_format = "YAML"
+
+  content = file("ccms-ssm-document-ebs-apps-service-status.yaml")
+}
+
+resource "aws_ssm_document" "ebs_apps_service_stop" {
+  name            = "EBS-Apps-Service-Stop"
+  document_type   = "Command"
+  document_format = "YAML"
+
+  content = file("ccms-ssm-document-ebs-apps-service-stop.yaml")
+}
+
+resource "aws_ssm_maintenance_window" "ebs_apps_service_status_mw" {
+  name                       = "EBS-Apps-Service-Status"
+  schedule                   = "cron(*/15 * * * ? *)"
+  duration                   = 1
+  cutoff                     = 0
+  allow_unassociated_targets = false
+}
+
+resource "aws_ssm_maintenance_window" "ebs_apps_service_start_mw" {
+  name                       = "EBS-Apps-Service-Start"
+  schedule                   = "cron(15 7 * * ? *)" # "cron(15 7 ? * MON-FRI *)"
+  duration                   = 1
+  cutoff                     = 0
+  allow_unassociated_targets = false
+}
+
+resource "aws_ssm_maintenance_window" "ebs_apps_service_stop_mw" {
+  name                       = "EBS-Apps-Service-Stop"
+  schedule                   = "cron(45 17 * * ? *)"
+  duration                   = 1
+  cutoff                     = 0
+  allow_unassociated_targets = false
+}
+
+# resource "aws_ssm_maintenance_window_target" "ebs_apps_service_status_targets" {
+#   window_id        = aws_ssm_maintenance_window.ebs_apps_service_status_mw.id
+#   resource_type    = "INSTANCE"
+#   
+#   targets {
+#     key    = "ResourceGroup"
+#     values = ["EBS-Apps"]
+#   }
+# }
+# 
+# resource "aws_ssm_maintenance_window_target" "ebs_apps_service_start_targets" {
+#   window_id        = aws_ssm_maintenance_window.ebs_apps_service_start_mw.id
+#   resource_type    = "INSTANCE"
+#   
+#   targets {
+#     key    = "ResourceGroup"
+#     values = ["EBS-Apps"]
+#   }
+# }
+# 
+# resource "aws_ssm_maintenance_window_target" "ebs_apps_service_stop_targets" {
+#   window_id        = aws_ssm_maintenance_window.ebs_apps_service_stop_mw.id
+#   resource_type    = "INSTANCE"
+#   
+#   targets {
+#     key    = "ResourceGroup"
+#     values = ["EBS-Apps"]
+#   }
+# }
+
+# resource "aws_ssm_association" "start_app_association" {
+#   name            = "StartAppMaintenanceWindowAssociation"
+#   document_version = "$LATEST"
+#   instance_id     = aws_ssm_maintenance_window_target.foo_ec2_targets.targets[0].key
+#   targets {
+#     key    = "WindowTargetIds"
+#     values = [aws_ssm_maintenance_window_target.foo_ec2_targets.id]
+#   }
+#   parameters {
+#     "documentVersion" = "$LATEST"
+#     "documentName"    = aws_ssm_document.start_app_command_document.name
+#   }
+#   schedule_expression = "cron(15 7 ? * MON-FRI *)"
+# }
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf
@@ -38,7 +38,8 @@ resource "aws_instance" "ec2_accessgate" {
     volume_size = 50
     encrypted   = true
     tags = merge(local.tags,
-      { Name = "root-block" }
+      { Name = lower(format("%s-%s-%s", local.application_data.accounts[local.environment].instance_role_accessgate, count.index + 1, "root")) },
+      { device-name = "/dev/sda1" }
     )
   }
   # swap
@@ -48,6 +49,10 @@ resource "aws_instance" "ec2_accessgate" {
     volume_size = 20
     encrypted   = true
     kms_key_id  = data.aws_kms_key.ebs_shared.key_id
+    tags = merge(local.tags,
+      { Name = lower(format("%s-%s-%s", local.application_data.accounts[local.environment].instance_role_accessgate, count.index + 1, "swap")) },
+      { device-name = "/dev/sdb" }
+    )
   }
   # temp
   ebs_block_device {
@@ -56,6 +61,10 @@ resource "aws_instance" "ec2_accessgate" {
     volume_size = 100
     encrypted   = true
     kms_key_id  = data.aws_kms_key.ebs_shared.key_id
+    tags = merge(local.tags,
+      { Name = lower(format("%s-%s-%s", local.application_data.accounts[local.environment].instance_role_accessgate, count.index + 1, "temp")) },
+      { device-name = "/dev/sdc" }
+    )
   }
   # home
   ebs_block_device {
@@ -64,6 +73,10 @@ resource "aws_instance" "ec2_accessgate" {
     volume_size = 100
     encrypted   = true
     kms_key_id  = data.aws_kms_key.ebs_shared.key_id
+    tags = merge(local.tags,
+      { Name = lower(format("%s-%s-%s", local.application_data.accounts[local.environment].instance_role_accessgate, count.index + 1, "home")) },
+      { device-name = "/dev/sdd" }
+    )
   }
 
   # non-AMI mappings start at /dev/sdh
@@ -75,11 +88,16 @@ resource "aws_instance" "ec2_accessgate" {
     iops        = local.application_data.accounts[local.environment].accessgate_default_iops
     encrypted   = true
     kms_key_id  = data.aws_kms_key.ebs_shared.key_id
+    tags = merge(local.tags,
+      { Name = lower(format("%s-%s-%s", local.application_data.accounts[local.environment].instance_role_accessgate, count.index + 1, "ccms")) },
+      { device-name = "/dev/sdh" }
+    )
   }
 
   tags = merge(local.tags,
     { Name = lower(format("ec2-%s-%s-accessgate-%s", local.application_name, local.environment, count.index + 1)) },
-    { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling },
+    { instance-role = local.application_data.accounts[local.environment].instance_role_accessgate },
+    { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-accessgate },
     { backup = "true" }
   )
   depends_on = [aws_security_group.ec2_sg_accessgate]