From 8a6a522f5a6392a42f67df7d1d6001057d24f04b Mon Sep 17 00:00:00 2001 From: jackleary Date: Thu, 1 May 2025 14:54:37 +0100 Subject: [PATCH 01/23] NRL-1385 initial ec2 stuff --- terraform/account-wide-infrastructure/modules/ec2/ec2.tf | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 terraform/account-wide-infrastructure/modules/ec2/ec2.tf diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf new file mode 100644 index 000000000..e69de29bb From 8483dd25afd9550d31dcaf45c24d27299888e8e5 Mon Sep 17 00:00:00 2001 From: jackleary Date: Fri, 2 May 2025 09:32:06 +0100 Subject: [PATCH 02/23] NRL-1385 base ec2 set up --- .../modules/ec2/ec2.tf | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index e69de29bb..8116d10f1 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf 
@@ -0,0 +1,97 @@ +module "autoscaling" { + source = "registry.terraform.io/terraform-aws-modules/autoscaling/aws" + version = "6.5.2" + + name = "PowerBI-On-Premise-Gateway" + + min_size = 0 + max_size = 1 + desired_capacity = 1 + + # Autoscaling Schedule + schedules = { + morning_start = { + min_size = -1 + max_size = -1 + desired_capacity = 1 + recurrence = "50 5 * * 0-6" + time_zone = "Europe/Paris" + } + + morning_stop = { + min_size = -1 + max_size = -1 + desired_capacity = 0 + recurrence = "30 6 * * 0-6" + time_zone = "Europe/Paris" + } + + noon_start = { + min_size = -1 + max_size = -1 + desired_capacity = 1 + recurrence = "50 11 * * 0-6" + time_zone = "Europe/Paris" + } + + noon_stop = { + min_size = -1 + max_size = -1 + desired_capacity = 0 + recurrence = "30 12 * * 0-6" + time_zone = "Europe/Paris" + } + + evening_start = { + min_size = -1 + max_size = -1 + desired_capacity = 1 + recurrence = "50 17 * * 0-6" + time_zone = "Europe/Paris" + } + + evening_stop = { + min_size = -1 + max_size = -1 + desired_capacity = 0 + recurrence = "30 18 * * 0-6" + time_zone = "Europe/Paris" + } + } + + wait_for_capacity_timeout = 0 + health_check_type = "EC2" + health_check_grace_period = 300 + enable_monitoring = false + + #image_id = data.aws_ami.windows.id // Phase 2 : we let the Auto Scaling Group use the AMI we've juste created. 
+ image_id = data.aws_ami.final.id + launch_template_version = "$Latest" + instance_type = "m5a.large" + + instance_market_options = { + market_type = "spot" + } + + # Refresh instances when redeploying + instance_refresh = { + strategy = "Rolling" + triggers = ["tag"] + } + + # Assign a role to the instance + create_iam_instance_profile = true + iam_role_name = "powerbi-gateway-role" + iam_role_description = "Allow the Power BI Gateway to be managed by" + iam_role_policies = { + AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + } + key_name = aws_key_pair.ec2_key_pair.key_name + + vpc_zone_identifier = data.aws_subnets.subnets.ids + + security_groups = [module.security-group-outbound.security_group_id] + + user_data = filebase64("./userdata.txt") + update_default_version = true +} From 37a2e8a2358a44c0900888e43c8b70a9f7d8628b Mon Sep 17 00:00:00 2001 From: jackleary Date: Wed, 7 May 2025 16:18:05 +0100 Subject: [PATCH 03/23] NRL-1385 use autoscaling ec2 for flexibility --- .../modules/ec2/data.tf | 53 +++++++++++++++++++ .../modules/ec2/ec2.tf | 36 +++++++++++++ .../modules/ec2/userdata.txt | 4 ++ .../modules/ec2/vars.tf | 16 ++++++ 4 files changed, 109 insertions(+) create mode 100644 terraform/account-wide-infrastructure/modules/ec2/data.tf create mode 100644 terraform/account-wide-infrastructure/modules/ec2/userdata.txt create mode 100644 terraform/account-wide-infrastructure/modules/ec2/vars.tf diff --git a/terraform/account-wide-infrastructure/modules/ec2/data.tf b/terraform/account-wide-infrastructure/modules/ec2/data.tf new file mode 100644 index 000000000..f6182d839 --- /dev/null +++ b/terraform/account-wide-infrastructure/modules/ec2/data.tf 
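Review bot: The gateway is a single spot instance (`max_size = 1`, `desired_capacity = 1`, `instance_market_options = { market_type = "spot" }`), so any spot interruption takes the Power BI on-premises gateway offline until the group relaunches it; a connectivity component like this should run on-demand unless interruption is an accepted risk. `security_groups = [module.security-group-outbound.security_group_id]` references a module that is not defined anywhere in this change, so the configuration cannot validate as written. `iam_role_description` stops mid-sentence (`"Allow the Power BI Gateway to be managed by"`); finish it, e.g. `"Allow the Power BI Gateway to be managed by AWS Systems Manager"`. The six schedules stop the group at 06:30, 12:30 and 18:30 `Europe/Paris` every day, which leaves the gateway down for most of each day — confirm that is intended for this deployment, and that the time zone is right for an NHS service.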
@@ -0,0 +1,53 @@ +# Initial AMI to use +data "aws_ami" "windows" { + most_recent = true + filter { + name = "name" + values = ["Windows_Server-2022-English-Full-Base-*"] + } + filter { + name = "virtualization-type" + values = ["hvm"] + } + owners = ["801119661308"] # Canonical +} + +# AMI to use +data "aws_ami" "final" { + most_recent = true + filter { + name = "name" + values = ["PowerBI-On-Premise-Gateway"] + } + filter { + name = "virtualization-type" + values = ["hvm"] + } + owners = ["self"] +} + +# Subnets +data "aws_subnets" "subnets" { + filter { + name = "tag:Type" + values = ["private"] + } +} + +# VPC +data "aws_vpc" "account_vpc" { + filter { + name = "tag:Name" + values = [var.account_name] + } +} + +# Security group of db +data "aws_security_group" "db_sg" { + filter { + name = "group-name" + values = [var.db_sg_name] + } + + vpc_id = data.aws_vpc.account_vpc.id +} diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index 8116d10f1..36fd5ff13 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf 
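Review bot: The `# Canonical` comment on `owners = ["801119661308"]` in `data "aws_ami" "windows"` is wrong: Canonical publishes Ubuntu images, and the filter here is for a Windows Server base image; the id appears to be AWS's own Windows AMI publisher account, so prefer `owners = ["amazon"]` and drop the misleading comment rather than pinning to a bare account id nobody can verify by reading. `data "aws_subnets" "subnets"` filters only on `tag:Type = "private"` with no VPC scoping, so it returns every matching subnet in the region, including ones in other VPCs, and the autoscaling group could land the gateway in the wrong network; add `filter { name = "vpc-id" values = [data.aws_vpc.account_vpc.id] }` as `db_sg` already does with `vpc_id`. `data "aws_vpc" "account_vpc"` and `data "aws_security_group" "db_sg"` both depend on tags/names supplied by variables, so a typo in `var.account_name` fails at plan time, which is the desired behaviour and worth a one-line comment.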
@@ -95,3 +95,39 @@ module "autoscaling" { user_data = filebase64("./userdata.txt") update_default_version = true } + +############################ +# Add rule to db managed group +############################ +# module "upgrade_db_sg" { +# source = "registry.terraform.io/terraform-aws-modules/security-group/aws" +# version = "4.13.1" + +# create_sg = false +# security_group_id = data.aws_security_group.db_sg.id +# ingress_with_source_security_group_id = [ +# { +# description = "Allow incoming connections from Power BI Gateway" +# rule = "postgresql-tcp" +# source_security_group_id = module.security-group-outbound.security_group_id +# }, +# ] +# } + +############################ +# Key pair for RDP access +############################ +resource "tls_private_key" "instance_key_pair" { + algorithm = "RSA" +} + +resource "aws_key_pair" "ec2_key_pair" { + key_name = "PowerBI-GateWay-Key" + public_key = tls_private_key.instance_key_pair.public_key_openssh +} + +# Saving Key Pair for ssh login for Client if needed +resource "local_file" "ssh_key" { + filename = "${aws_key_pair.ec2_key_pair.key_name}.pem" + content = tls_private_key.instance_key_pair.private_key_pem +} diff --git a/terraform/account-wide-infrastructure/modules/ec2/userdata.txt b/terraform/account-wide-infrastructure/modules/ec2/userdata.txt new file mode 100644 index 000000000..33f111f39 --- /dev/null +++ b/terraform/account-wide-infrastructure/modules/ec2/userdata.txt @@ -0,0 +1,4 @@ + +Start-Service AmazonSSMAgent + +true diff --git a/terraform/account-wide-infrastructure/modules/ec2/vars.tf b/terraform/account-wide-infrastructure/modules/ec2/vars.tf new file mode 100644 index 000000000..593038735 --- /dev/null +++ b/terraform/account-wide-infrastructure/modules/ec2/vars.tf 
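Review bot: `resource "local_file" "ssh_key"` writes the RSA private key behind `aws_key_pair.ec2_key_pair` in plaintext to the Terraform working directory, and `tls_private_key.instance_key_pair` also keeps it unencrypted in state, so anyone with read access to the state backend or the CI workspace obtains interactive access to the gateway host. Remove the `local_file` resource and keep the key out of Terraform: create the key pair out of band and pass its name in as a variable, or, if it must be generated here, store `private_key_pem` in SSM Parameter Store (`SecureString`) or Secrets Manager behind a restricted policy rather than on disk. `tls_private_key` also omits `rsa_bits`, so the provider default applies; set `rsa_bits = 4096` explicitly. The same three resources are re-added in the patch 09 hunk of this file (`@@ -13,3 +13,19 @@`), where the same applies; the commented-out `upgrade_db_sg` module block is dead code and should be dropped or tracked in a ticket rather than left in the file.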
@@ -0,0 +1,16 @@ +variable "aws_region" { + description = "Default region where to deploy resources" + type = string +} + +## Account +variable "account_name" { + description = "Account where to deploy VPC" + type = string +} + +## Account +variable "db_sg_name" { + description = "Name of edeal security group" + type = string +} From 70c2e55d74aeece21deca6ee5bf1332b47453bd6 Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 14:23:57 +0100 Subject: [PATCH 04/23] NRL-1385 create ec2 instance --- .../modules/ec2/data.tf | 51 +------ .../modules/ec2/ec2.tf | 138 +----------------- .../modules/ec2/outputs.tf | 7 + .../modules/ec2/scripts/gateway_install.ps1 | 49 +++++++ .../modules/ec2/scripts/user_data.tpl | 25 ++++ .../modules/ec2/userdata.txt | 4 - .../modules/ec2/vars.tf | 21 +-- 7 files changed, 99 insertions(+), 196 deletions(-) create mode 100644 terraform/account-wide-infrastructure/modules/ec2/outputs.tf create mode 100644 terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 create mode 100644 terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl delete mode 100644 terraform/account-wide-infrastructure/modules/ec2/userdata.txt diff --git a/terraform/account-wide-infrastructure/modules/ec2/data.tf b/terraform/account-wide-infrastructure/modules/ec2/data.tf index f6182d839..6b9f5ad75 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/data.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/data.tf 
@@ -1,53 +1,8 @@ -# Initial AMI to use -data "aws_ami" "windows" { +data "aws_ami" "windows-2019" { most_recent = true + owners = ["amazon"] filter { name = "name" - values = ["Windows_Server-2022-English-Full-Base-*"] + values = ["Windows_Server-2019-English-Full-Base*"] } - filter { - name = "virtualization-type" - values = ["hvm"] - } - owners = ["801119661308"] # Canonical -} - -# AMI to use -data "aws_ami" "final" { - most_recent = true - filter { - name = "name" - values = ["PowerBI-On-Premise-Gateway"] - } - filter { - name = "virtualization-type" - values = ["hvm"] - } - owners = ["self"] -} - -# Subnets -data "aws_subnets" "subnets" { - filter { - name = "tag:Type" - values = ["private"] - } -} - -# VPC -data "aws_vpc" "account_vpc" { - filter { - name = "tag:Name" - values = [var.account_name] - } -} - -# Security group of db -data "aws_security_group" "db_sg" { - filter { - name = "group-name" - values = [var.db_sg_name] - } - - vpc_id = data.aws_vpc.account_vpc.id } diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index 36fd5ff13..fe8daee39 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf 
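Review bot: `most_recent = true` with the wildcard name `Windows_Server-2019-English-Full-Base*` means `data.aws_ami.windows-2019.id` changes whenever Amazon publishes a new monthly image, and because `ami` on `aws_instance` forces replacement, a routine `terraform apply` will rebuild the gateway host and discard whatever was configured on it. Either pin the image with a dated name filter value or add `lifecycle { ignore_changes = [ami] }` on the instance so AMI rotation becomes an explicit decision. Moving from the 2022 base image in the removed lines to 2019 is unexplained in the commit message and is worth a comment, e.g. `# Windows Server 2019 chosen for Power BI gateway compatibility — revisit`, if that is the reason.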
@@ -1,133 +1,11 @@ -module "autoscaling" { - source = "registry.terraform.io/terraform-aws-modules/autoscaling/aws" - version = "6.5.2" +# Create the Linux EC2 Web server +resource "aws_instance" "web" { + ami = data.aws_ami.windows-2019.id + instance_type = var.instance_type + key_name = var.instance_key + subnet_id = var.subnet_id + security_groups = var.security_groups - name = "PowerBI-On-Premise-Gateway" + user_data = file("./modules/web/userdata.tpl") - min_size = 0 - max_size = 1 - desired_capacity = 1 - - # Autoscaling Schedule - schedules = { - morning_start = { - min_size = -1 - max_size = -1 - desired_capacity = 1 - recurrence = "50 5 * * 0-6" - time_zone = "Europe/Paris" - } - - morning_stop = { - min_size = -1 - max_size = -1 - desired_capacity = 0 - recurrence = "30 6 * * 0-6" - time_zone = "Europe/Paris" - } - - noon_start = { - min_size = -1 - max_size = -1 - desired_capacity = 1 - recurrence = "50 11 * * 0-6" - time_zone = "Europe/Paris" - } - - noon_stop = { - min_size = -1 - max_size = -1 - desired_capacity = 0 - recurrence = "30 12 * * 0-6" - time_zone = "Europe/Paris" - } - - evening_start = { - min_size = -1 - max_size = -1 - desired_capacity = 1 - recurrence = "50 17 * * 0-6" - time_zone = "Europe/Paris" - } - - evening_stop = { - min_size = -1 - max_size = -1 - desired_capacity = 0 - recurrence = "30 18 * * 0-6" - time_zone = "Europe/Paris" - } - } - - wait_for_capacity_timeout = 0 - health_check_type = "EC2" - health_check_grace_period = 300 - enable_monitoring = false - - #image_id = data.aws_ami.windows.id // Phase 2 : we let the Auto Scaling Group use the AMI we've juste created. 
- image_id = data.aws_ami.final.id - launch_template_version = "$Latest" - instance_type = "m5a.large" - - instance_market_options = { - market_type = "spot" - } - - # Refresh instances when redeploying - instance_refresh = { - strategy = "Rolling" - triggers = ["tag"] - } - - # Assign a role to the instance - create_iam_instance_profile = true - iam_role_name = "powerbi-gateway-role" - iam_role_description = "Allow the Power BI Gateway to be managed by" - iam_role_policies = { - AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" - } - key_name = aws_key_pair.ec2_key_pair.key_name - - vpc_zone_identifier = data.aws_subnets.subnets.ids - - security_groups = [module.security-group-outbound.security_group_id] - - user_data = filebase64("./userdata.txt") - update_default_version = true -} - -############################ -# Add rule to db managed group -############################ -# module "upgrade_db_sg" { -# source = "registry.terraform.io/terraform-aws-modules/security-group/aws" -# version = "4.13.1" - -# create_sg = false -# security_group_id = data.aws_security_group.db_sg.id -# ingress_with_source_security_group_id = [ -# { -# description = "Allow incoming connections from Power BI Gateway" -# rule = "postgresql-tcp" -# source_security_group_id = module.security-group-outbound.security_group_id -# }, -# ] -# } - -############################ -# Key pair for RDP access -############################ -resource "tls_private_key" "instance_key_pair" { - algorithm = "RSA" -} - -resource "aws_key_pair" "ec2_key_pair" { - key_name = "PowerBI-GateWay-Key" - public_key = tls_private_key.instance_key_pair.public_key_openssh -} - -# Saving Key Pair for ssh login for Client if needed -resource "local_file" "ssh_key" { - filename = "${aws_key_pair.ec2_key_pair.key_name}.pem" - content = tls_private_key.instance_key_pair.private_key_pem } 
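Review bot: `aws_instance.web` sets `subnet_id` together with `security_groups`, but for a VPC instance the security groups must be given as `vpc_security_group_ids`; `security_groups` is the EC2-Classic/default-VPC attribute and combining it with `subnet_id` produces spurious replacements on later applies. The instance also has no `metadata_options`, so IMDSv1 stays enabled, and no `root_block_device` encryption, both of which are cheap to add on a new resource (note that requiring IMDSv2 means the `Invoke-WebRequest` metadata calls in `scripts/user_data.tpl` must first obtain a session token). The header comment `# Create the Linux EC2 Web server` describes neither the Windows AMI nor the gateway role of this host; change it to `# Power BI on-premises gateway host (Windows Server)`. The hardening below is what I would add alongside the attribute rename.
```hcl
# Power BI on-premises gateway host (Windows Server)
resource "aws_instance" "web" {
  # … unchanged: ami, instance_type, key_name, subnet_id …
  vpc_security_group_ids = var.security_groups

  # Require IMDSv2 so metadata can only be read with a session token.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    encrypted = true
  }

  # … unchanged: user_data …
}
```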
diff --git a/terraform/account-wide-infrastructure/modules/ec2/outputs.tf b/terraform/account-wide-infrastructure/modules/ec2/outputs.tf
new file mode 100644
index 000000000..10e5a82d1
--- /dev/null
+++ b/terraform/account-wide-infrastructure/modules/ec2/outputs.tf
@@ -0,0 +1,7 @@
+output "instance_id" {
+ value = aws_instance.web.id
+}
+
+output "public_ip" {
+ value = aws_instance.web.public_ip
+}
diff --git a/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 b/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1
new file mode 100644
index 000000000..dc38473d9
--- /dev/null
+++ b/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1
@@ -0,0 +1,49 @@ +# Requires Module -Name DataGateway + +# Check if the required module is installed +try { + Import-Module DataGateway +} +catch { + Write-Warning "The DataGateway module is not installed. Please install it first using Install-Module -Name DataGateway." + return +} + +# Replace with your desired values +$GatewayName = "MyGatewayCluster" +$GatewayMemberName = "MyGatewayMember" +$GatewayAdminUser = "user@example.com" # Optional, replace with user's email + +# 1. Add a new gateway cluster +Write-Host "Adding a new gateway cluster..." +try { + Add-DataGatewayCluster -Name $GatewayName -OverwriteExistingGateway +} +catch { + Write-Error "Error adding gateway cluster: $($_.Exception.Message)" + return +} + +# 2. Add a member to the gateway cluster +Write-Host "Adding a gateway member to the cluster..." +try { + Add-DataGatewayClusterMember -ClusterId $GatewayName -Name $GatewayMemberName -OverwriteExistingGateway +} +catch { + Write-Error "Error adding gateway member: $($_.Exception.Message)" + return +} + +# 3. (Optional) Add users as gateway administrators +if ($GatewayAdminUser) { + Write-Host "Adding user as a gateway administrator..." + try { + Add-DataGatewayClusterUser -ClusterId $GatewayName -UserEmail $GatewayAdminUser -Permission "Admin" + } + catch { + Write-Error "Error adding gateway admin: $($_.Exception.Message)" + return + } +} + +Write-Host "Gateway cluster and member added successfully." diff --git a/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl b/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl new file mode 100644 index 000000000..bf2e23ff0 --- /dev/null +++ b/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl 
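Review bot: The `try { Import-Module DataGateway } catch { ... }` guard at the top of `gateway_install.ps1` does not do what the comment says: a missing module produces a non-terminating error, so the `catch` never runs and the script continues into the `Add-DataGatewayCluster*` calls; use `Import-Module DataGateway -ErrorAction Stop`. The DataGateway cmdlets also require an authenticated session (`Connect-DataGatewayServiceAccount`) before `Add-DataGatewayCluster` is called, and `Add-DataGatewayClusterMember`/`Add-DataGatewayClusterUser` appear to be passed the display name `$GatewayName` where a cluster id is expected — confirm against the module's parameter sets and capture the id returned by `Add-DataGatewayCluster` instead. Nothing in this commit invokes the script: `aws_instance.web.user_data` points at `user_data.tpl`, so the gateway install never runs; either call it from user data or document how it is executed. The placeholder values under `# Replace with your desired values` (`MyGatewayCluster`, `user@example.com`) should come from parameters or SSM rather than being edited in place and committed.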
@@ -0,0 +1,25 @@ + + + +Install-WindowsFeature -name Web-Server -IncludeManagementTools + +$instanceId = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/instance-id -UseBasicParsing).content +$instanceAZ = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/placement/availability-zone -UseBasicParsing).content +$pubHostName = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/public-hostname -UseBasicParsing).content +$pubIPv4 = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/public-ipv4 -UseBasicParsing).content +$privHostName = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/local-hostname -UseBasicParsing).content +$privIPv4 = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/local-ipv4 -UseBasicParsing).content + +New-Item -Path C:\inetpub\wwwroot\index.html -ItemType File -Force +Add-Content -Path C:\inetpub\wwwroot\index.html "" +Add-Content -Path C:\inetpub\wwwroot\index.html "

AWS Windows VM Deployed with Terraform

" +Add-Content -Path C:\inetpub\wwwroot\index.html "
EC2 Instance Metadata
" +Add-Content -Path C:\inetpub\wwwroot\index.html "
Instance ID: $instanceId
" +Add-Content -Path C:\inetpub\wwwroot\index.html "
AWS Availablity Zone: $instanceAZ
" +Add-Content -Path C:\inetpub\wwwroot\index.html "
Public Hostname: $pubHostName
" +Add-Content -Path C:\inetpub\wwwroot\index.html "
Public IPv4: $pubIPv4
" +Add-Content -Path C:\inetpub\wwwroot\index.html "
Private Hostname: $privHostName
" +Add-Content -Path C:\inetpub\wwwroot\index.html "
Private IPv4: $privIPv4
" +Add-Content -Path C:\inetpub\wwwroot\index.html "
" + +
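Review bot: `user_data.tpl` installs IIS (`Install-WindowsFeature -name Web-Server`) and writes the instance id, availability zone, public and private hostnames and IPv4 addresses into `C:\inetpub\wwwroot\index.html`, which the VPC module's security group exposes on port 80 to `0.0.0.0/0`; that is an unauthenticated disclosure of the host's network identity and has nothing to do with running a Power BI gateway. Drop the IIS install and the metadata page entirely, and have user data perform the gateway bootstrap (for example by invoking `scripts/gateway_install.ps1`) instead. The metadata lookups use plain `Invoke-WebRequest` against the IMDS endpoint with no token, so they will break if the instance is later moved to IMDSv2-only — one more reason to remove them. The `<powershell>` wrapper tags that EC2 Windows user data requires do not survive in this rendering; confirm they are present in the file, since without them the script is not executed at launch.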
diff --git a/terraform/account-wide-infrastructure/modules/ec2/userdata.txt b/terraform/account-wide-infrastructure/modules/ec2/userdata.txt deleted file mode 100644 index 33f111f39..000000000 --- a/terraform/account-wide-infrastructure/modules/ec2/userdata.txt +++ /dev/null @@ -1,4 +0,0 @@ - -Start-Service AmazonSSMAgent - -true diff --git a/terraform/account-wide-infrastructure/modules/ec2/vars.tf b/terraform/account-wide-infrastructure/modules/ec2/vars.tf index 593038735..eb69d136c 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/vars.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/vars.tf @@ -1,16 +1,9 @@ -variable "aws_region" { - description = "Default region where to deploy resources" - type = string -} - -## Account -variable "account_name" { - description = "Account where to deploy VPC" - type = string -} - -## Account -variable "db_sg_name" { - description = "Name of edeal security group" +variable "name_prefix" { type = string + description = "The prefix to apply to all resources in the module." } +variable "common_tags" {} +variable "instance_type" {} +variable "instance_key" {} +variable "security_groups" {} +variable "subnet_id" {} From bd836f3616a7ffb77cf4c5edb6d8eb547cb1aded Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 14:24:41 +0100 Subject: [PATCH 05/23] NRL-1385 create vpc module --- .../modules/vpc/outputs.tf | 7 ++ .../modules/vpc/vars.tf | 7 ++ .../modules/vpc/vpc.tf | 83 +++++++++++++++++++ 3 files changed, 97 insertions(+) create mode 100644 terraform/account-wide-infrastructure/modules/vpc/outputs.tf create mode 100644 terraform/account-wide-infrastructure/modules/vpc/vars.tf create mode 100644 terraform/account-wide-infrastructure/modules/vpc/vpc.tf diff --git a/terraform/account-wide-infrastructure/modules/vpc/outputs.tf b/terraform/account-wide-infrastructure/modules/vpc/outputs.tf new file mode 100644 index 000000000..145e58bd1 --- /dev/null 
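Review bot: In the `vars.tf` hunk, `variable "common_tags" {}`, `instance_type`, `instance_key`, `security_groups` and `subnet_id` are declared with no `type` and no `description`, while `name_prefix` immediately above them has both; the inconsistency means callers get no validation or documentation for the module's inputs. Give each a type and a one-line description, e.g. `variable "security_groups" { type = list(string) description = "Security group ids attached to the gateway instance." }`, so that passing a single string or the wrong shape fails at plan time.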
+++ b/terraform/account-wide-infrastructure/modules/vpc/outputs.tf
@@ -0,0 +1,7 @@
+output "subnet_id" {
+ value = aws_subnet.public_subnet.id
+}
+
+output "security_group" {
+ value = [aws_security_group.sg.id]
+}
diff --git a/terraform/account-wide-infrastructure/modules/vpc/vars.tf b/terraform/account-wide-infrastructure/modules/vpc/vars.tf
new file mode 100644
index 000000000..ae6d47090
--- /dev/null
+++ b/terraform/account-wide-infrastructure/modules/vpc/vars.tf
@@ -0,0 +1,7 @@
+variable "aws_region" {}
+variable "aws_azs" {}
+variable "enable_dns_hostnames" {}
+variable "vpc_cidr_block" {}
+variable "vpc_public_subnets_cidr_block" {}
+variable "common_tags" {}
+variable "name_prefix" {}
diff --git a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf
new file mode 100644
index 000000000..82a07db6d
--- /dev/null
+++ b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf
@@ -0,0 +1,83 @@ +# Create the VPC +resource "aws_vpc" "app_vpc" { + cidr_block = var.vpc_cidr_block + enable_dns_hostnames = var.enable_dns_hostnames + + tags = merge(var.common_tags, { + Name = "${var.name_prefix}-vpc" + }) +} + +# Create the internet gateway +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.app_vpc.id + + tags = merge(var.common_tags, { + Name = "${var.name_prefix}-igw" + }) +} + +# Create the public subnet +resource "aws_subnet" "public_subnet" { + vpc_id = aws_vpc.app_vpc.id + cidr_block = var.vpc_public_subnets_cidr_block + map_public_ip_on_launch = true + availability_zone = var.aws_azs + + tags = merge(var.common_tags, { + Name = "${var.name_prefix}-pubsubnet" + }) + +} + +# Create the route table +resource "aws_route_table" "public_rt" { + vpc_id = aws_vpc.app_vpc.id + + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id + } + +} + +# Assign the public route table to the public subnet +resource "aws_route_table_association" "public_rt_asso" { + subnet_id = aws_subnet.public_subnet.id + route_table_id = aws_route_table.public_rt.id +} + + + +# Create the security group +resource "aws_security_group" "sg" { + name = "allow_ssh_http" + description = "Allow ssh http inbound traffic" + vpc_id = aws_vpc.app_vpc.id + + ingress { + from_port = 3389 + to_port = 3389 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + ingress { + description = "HTTP from VPC" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + +} From b7bf44642b5cb8ed152c52e3cec18949de7d90db Mon Sep 17 00:00:00 2001 
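Review bot: `aws_security_group.sg` opens RDP (3389) and HTTP (80) to `0.0.0.0/0` and `::/0`, on a subnet with `map_public_ip_on_launch = true`, so the gateway host is reachable for interactive login and HTTP from the whole internet; a Power BI on-premises gateway only needs outbound connectivity, so the HTTP rule should go entirely and the RDP rule should be limited to an operator/bastion range (or replaced with Session Manager, which the earlier `AmazonSSMManagedInstanceCore` policy already supports). The resource name `allow_ssh_http` and `description = "Allow ssh http inbound traffic"` do not match the rules (RDP, not SSH), and the HTTP rule's `description = "HTTP from VPC"` contradicts its world-open CIDR — rename to something like `allow_rdp_http` and fix the descriptions so reviewers are not misled. `aws_route_table.public_rt` has no `tags` block, unlike the other resources, which makes it hard to find in the console; add `tags = merge(var.common_tags, { Name = "${var.name_prefix}-public-rt" })`.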
From: jackleary Date: Sun, 11 May 2025 14:25:09 +0100 Subject: [PATCH 06/23] NRL-1385 call modules --- .../account-wide-infrastructure/dev/ec2.tf | 20 +++++++++++ .../account-wide-infrastructure/dev/vars.tf | 34 +++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 terraform/account-wide-infrastructure/dev/ec2.tf diff --git a/terraform/account-wide-infrastructure/dev/ec2.tf b/terraform/account-wide-infrastructure/dev/ec2.tf new file mode 100644 index 000000000..665adf3f2 --- /dev/null +++ b/terraform/account-wide-infrastructure/dev/ec2.tf @@ -0,0 +1,20 @@ +module "vpc" { + source = "../modules/vpc" + aws_region = var.aws_region + vpc_cidr_block = var.vpc_cidr_block + enable_dns_hostnames = var.enable_dns_hostnames + vpc_public_subnets_cidr_block = var.vpc_public_subnets_cidr_block + aws_azs = var.aws_azs + name_prefix = "nhsd-nrlf--dev" +} + + +module "web" { + source = "../modules/ec2" + instance_type = var.instance_type + instance_key = var.instance_key + name_prefix = "nhsd-nrlf--dev" + + subnet_id = module.vpc.subnet_id + security_groups = module.vpc.security_group +} diff --git a/terraform/account-wide-infrastructure/dev/vars.tf b/terraform/account-wide-infrastructure/dev/vars.tf index 24afb780a..c322ff4cc 100644 --- a/terraform/account-wide-infrastructure/dev/vars.tf +++ b/terraform/account-wide-infrastructure/dev/vars.tf 
@@ -13,3 +13,37 @@ variable "devsandbox_api_domain_name" { description = "The internal DNS name of the API Gateway for the dev sandbox environment" default = "dev-sandbox.api.record-locator.dev.national.nhs.uk" } + +variable "aws_azs" { + type = string + description = "AWS Availability Zones" + default = "eu-west-1a" +} + +variable "enable_dns_hostnames" { + type = bool + description = "Enable DNS hostnames in VPC" + default = true +} + +variable "vpc_cidr_block" { + type = string + description = "Base CIDR Block for VPC" + default = "10.0.0.0/16" +} + +variable "vpc_public_subnets_cidr_block" { + type = string + description = "CIDR Block for Public Subnets in VPC" + default = "10.0.0.0/24" +} + +variable "instance_type" { + type = string + description = "Type for EC2 Instance" + default = "t2.micro" +} + +variable "instance_key" { + default = "WorkshopKeyPair" +} From 4aebec24fc89b8c720fa9a96ff89718e531e5747 Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 14:27:20 +0100 Subject: [PATCH 07/23] NRL-1385 add tags --- .../account-wide-infrastructure/modules/ec2/ec2.tf | 4 ++++ .../account-wide-infrastructure/modules/vpc/vpc.tf | 12 ++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index fe8daee39..97a1b1aa0 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf @@ -8,4 +8,8 @@ resource "aws_instance" "web" { user_data = file("./modules/web/userdata.tpl") + tags = { + Name = "${var.naming_prefix}-ec2" + } + } diff --git a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf index 82a07db6d..3b9517cd7 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf 
@@ -3,18 +3,18 @@ resource "aws_vpc" "app_vpc" { cidr_block = var.vpc_cidr_block enable_dns_hostnames = var.enable_dns_hostnames - tags = merge(var.common_tags, { + tags = { Name = "${var.name_prefix}-vpc" - }) + } } # Create the internet gateway resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.app_vpc.id - tags = merge(var.common_tags, { + tags = { Name = "${var.name_prefix}-igw" - }) + } } # Create the public subnet @@ -24,9 +24,9 @@ resource "aws_subnet" "public_subnet" { map_public_ip_on_launch = true availability_zone = var.aws_azs - tags = merge(var.common_tags, { + tags = { Name = "${var.name_prefix}-pubsubnet" - }) + } } From 5464f16c5b31960513c49eb172ad586dc96e5daf Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 14:43:35 +0100 Subject: [PATCH 08/23] NRL-1385 syntax fixes --- terraform/account-wide-infrastructure/dev/ec2.tf | 1 - terraform/account-wide-infrastructure/dev/vars.tf | 4 ++-- terraform/account-wide-infrastructure/modules/ec2/ec2.tf | 4 ++-- terraform/account-wide-infrastructure/modules/ec2/vars.tf | 1 - terraform/account-wide-infrastructure/modules/vpc/vars.tf | 2 -- 5 files changed, 4 insertions(+), 8 deletions(-) diff --git a/terraform/account-wide-infrastructure/dev/ec2.tf b/terraform/account-wide-infrastructure/dev/ec2.tf index 665adf3f2..07a747ea5 100644 --- a/terraform/account-wide-infrastructure/dev/ec2.tf +++ b/terraform/account-wide-infrastructure/dev/ec2.tf @@ -1,6 +1,5 @@ module "vpc" { source = "../modules/vpc" - aws_region = var.aws_region vpc_cidr_block = var.vpc_cidr_block enable_dns_hostnames = var.enable_dns_hostnames vpc_public_subnets_cidr_block = var.vpc_public_subnets_cidr_block diff --git a/terraform/account-wide-infrastructure/dev/vars.tf b/terraform/account-wide-infrastructure/dev/vars.tf index c322ff4cc..606db4670 100644 --- a/terraform/account-wide-infrastructure/dev/vars.tf +++ b/terraform/account-wide-infrastructure/dev/vars.tf 
@@ -17,7 +17,7 @@ variable "devsandbox_api_domain_name" { variable "aws_azs" { type = string description = "AWS Availability Zones" - default = "eu-west-1a" + default = "eu-west-2a" } variable "enable_dns_hostnames" { @@ -45,5 +45,5 @@ variable "instance_type" { } variable "instance_key" { - default = "WorkshopKeyPair" + default = "PowerBIGateway" } diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index 97a1b1aa0..241189397 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf @@ -6,10 +6,10 @@ resource "aws_instance" "web" { subnet_id = var.subnet_id security_groups = var.security_groups - user_data = file("./modules/web/userdata.tpl") + user_data = file("${path.module}/scripts/user_data.tpl") tags = { - Name = "${var.naming_prefix}-ec2" + Name = "${var.name_prefix}-ec2" } } diff --git a/terraform/account-wide-infrastructure/modules/ec2/vars.tf b/terraform/account-wide-infrastructure/modules/ec2/vars.tf index eb69d136c..da663ca67 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/vars.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/vars.tf @@ -2,7 +2,6 @@ variable "name_prefix" { type = string description = "The prefix to apply to all resources in the module." } -variable "common_tags" {} variable "instance_type" {} variable "instance_key" {} variable "security_groups" {} diff --git a/terraform/account-wide-infrastructure/modules/vpc/vars.tf b/terraform/account-wide-infrastructure/modules/vpc/vars.tf index ae6d47090..e42ff0d3b 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/vars.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/vars.tf @@ -1,7 +1,5 @@ -variable "aws_region" {} variable "aws_azs" {} variable "enable_dns_hostnames" {} variable "vpc_cidr_block" {} variable "vpc_public_subnets_cidr_block" {} -variable "common_tags" {} variable "name_prefix" {} 
From d80addc0d274b164591a216666dd4d9e87b13aeb Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 15:37:27 +0100 Subject: [PATCH 09/23] NRL-1385 create key pair to rdp into ec2 --- .../account-wide-infrastructure/dev/ec2.tf | 1 - .../account-wide-infrastructure/dev/vars.tf | 4 ---- .../modules/ec2/ec2.tf | 18 +++++++++++++++++- .../modules/ec2/vars.tf | 1 - 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/terraform/account-wide-infrastructure/dev/ec2.tf b/terraform/account-wide-infrastructure/dev/ec2.tf index 07a747ea5..52f841f71 100644 --- a/terraform/account-wide-infrastructure/dev/ec2.tf +++ b/terraform/account-wide-infrastructure/dev/ec2.tf @@ -11,7 +11,6 @@ module "vpc" { module "web" { source = "../modules/ec2" instance_type = var.instance_type - instance_key = var.instance_key name_prefix = "nhsd-nrlf--dev" subnet_id = module.vpc.subnet_id diff --git a/terraform/account-wide-infrastructure/dev/vars.tf b/terraform/account-wide-infrastructure/dev/vars.tf index 606db4670..ae8ab1110 100644 --- a/terraform/account-wide-infrastructure/dev/vars.tf +++ b/terraform/account-wide-infrastructure/dev/vars.tf @@ -43,7 +43,3 @@ variable "instance_type" { description = "Type for EC2 Instance" default = "t2.micro" } - -variable "instance_key" { - default = "PowerBIGateway" -} diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index 241189397..490de5292 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf @@ -2,7 +2,7 @@ resource "aws_instance" "web" { ami = data.aws_ami.windows-2019.id instance_type = var.instance_type - key_name = var.instance_key + key_name = aws_key_pair.ec2_key_pair.key_name subnet_id = var.subnet_id security_groups = var.security_groups 
@@ -13,3 +13,19 @@ resource "aws_instance" "web" { } } + +# Key pair for RDP access +resource "tls_private_key" "instance_key_pair" { + algorithm = "RSA" +} + +resource "aws_key_pair" "ec2_key_pair" { + key_name = "PowerBI-GateWay-Key" + public_key = tls_private_key.instance_key_pair.public_key_openssh +} + +# Saving Key Pair for ssh login for Client if needed +resource "local_file" "ssh_key" { + filename = "${aws_key_pair.ec2_key_pair.key_name}.pem" + content = tls_private_key.instance_key_pair.private_key_pem +} diff --git a/terraform/account-wide-infrastructure/modules/ec2/vars.tf b/terraform/account-wide-infrastructure/modules/ec2/vars.tf index da663ca67..01d5bc7ec 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/vars.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/vars.tf @@ -3,6 +3,5 @@ variable "name_prefix" { description = "The prefix to apply to all resources in the module." } variable "instance_type" {} -variable "instance_key" {} variable "security_groups" {} variable "subnet_id" {} From d9fa802a16dbe18ffd7cc2931f062e0ac49551b7 Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 15:45:56 +0100 Subject: [PATCH 10/23] NRL-1385 update script --- .../modules/ec2/scripts/gateway_install.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 b/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 index dc38473d9..2d79c2f95 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 +++ b/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 
@@ -10,9 +10,9 @@ catch { } # Replace with your desired values -$GatewayName = "MyGatewayCluster" -$GatewayMemberName = "MyGatewayMember" -$GatewayAdminUser = "user@example.com" # Optional, replace with user's email +$GatewayName = "AthenaCluster" +$GatewayMemberName = "AthenaClusterMember" +$GatewayAdminUser = "jack.leary1@nhs.net"l # 1. Add a new gateway cluster Write-Host "Adding a new gateway cluster..." From 20daf5a33865eaac3d2c54e954c60bb857afbb99 Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 15:48:21 +0100 Subject: [PATCH 11/23] NRL-1385 update script --- .../modules/ec2/scripts/gateway_install.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 b/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 index 2d79c2f95..88bdeaf36 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 +++ b/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 @@ -9,7 +9,7 @@ catch { return } -# Replace with your desired values +# Set vars $GatewayName = "AthenaCluster" $GatewayMemberName = "AthenaClusterMember" $GatewayAdminUser = "jack.leary1@nhs.net"l From b873b7a37a7ac10548a1a05ccc80017b28188002 Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 15:52:05 +0100 Subject: [PATCH 12/23] NRL-1385 security fix --- .../account-wide-infrastructure/modules/ec2/ec2.tf | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index 490de5292..badb6e4da 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf 
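Review bot: `$GatewayAdminUser = "jack.leary1@nhs.net"l` carries a stray `l` after the closing quote, which PowerShell rejects as an unexpected token, so the script no longer parses; the same broken line is carried as context in the next patch's hunk. Separately, a personal mailbox hard-coded as the gateway administrator ties the gateway's admin role to one individual and puts an address in the repository; reading it from a parameter or environment value, e.g. `$GatewayAdminUser = $env:GATEWAY_ADMIN_USER` (constructed example), and pointing it at a shared admin identity would be the safer shape.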
@@ -1,10 +1,11 @@ # Create the Linux EC2 Web server resource "aws_instance" "web" { - ami = data.aws_ami.windows-2019.id - instance_type = var.instance_type - key_name = aws_key_pair.ec2_key_pair.key_name - subnet_id = var.subnet_id - security_groups = var.security_groups + associate_public_ip_address = false + ami = data.aws_ami.windows-2019.id + instance_type = var.instance_type + key_name = aws_key_pair.ec2_key_pair.key_name + subnet_id = var.subnet_id + security_groups = var.security_groups user_data = file("${path.module}/scripts/user_data.tpl") From f8dc52028931e32e6e912b79240f4c989ef6f0b0 Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 16:26:49 +0100 Subject: [PATCH 13/23] NRL-1385 security fix --- terraform/account-wide-infrastructure/modules/vpc/vpc.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf index 3b9517cd7..b2e6f5ce6 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf @@ -59,7 +59,7 @@ resource "aws_security_group" "sg" { from_port = 3389 to_port = 3389 protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] + cidr_blocks = [var.vpc_public_subnets_cidr_block] ipv6_cidr_blocks = ["::/0"] } From 1f027c912baa9afac3bae5459ace31bf98e872dc Mon Sep 17 00:00:00 2001 From: jackleary Date: Sun, 11 May 2025 16:46:35 +0100 Subject: [PATCH 14/23] NRL-1385 make public temporarily. Will revert later --- .../account-wide-infrastructure/modules/ec2/ec2.tf | 12 ++++++------ .../account-wide-infrastructure/modules/vpc/vpc.tf | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index badb6e4da..d2d2b2e5f 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf 
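Review bot: `security_groups = var.security_groups` on `aws_instance` takes security-group names and is intended for the default VPC; for an instance placed by `subnet_id` into a custom VPC the provider documents `vpc_security_group_ids`, and since the dev root passes group IDs, `vpc_security_group_ids = var.security_groups` is most likely the form that applies cleanly here. The same line is carried through the ec2.tf hunks of patches 14, 15, 17 and 20. The heading comment `# Create the Linux EC2 Web server` no longer matches the `windows-2019` AMI two lines below it; `# Power BI gateway host (Windows Server 2019)` would describe what is built.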
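Review bot: The IPv4 restriction on the RDP rule is undone by the `ipv6_cidr_blocks = ["::/0"]` that stays on the same ingress block, so port 3389 remains reachable from any IPv6 source; remove that line or restrict it alongside `cidr_blocks`. Limiting the IPv4 source to `var.vpc_public_subnets_cidr_block` also only helps if the operator connects from inside that subnet; if the intended path is the SSM port-forward the README later in the series describes, the ingress rule can go entirely.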
+++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf @@ -1,11 +1,11 @@ # Create the Linux EC2 Web server resource "aws_instance" "web" { - associate_public_ip_address = false - ami = data.aws_ami.windows-2019.id - instance_type = var.instance_type - key_name = aws_key_pair.ec2_key_pair.key_name - subnet_id = var.subnet_id - security_groups = var.security_groups + # associate_public_ip_address = false + ami = data.aws_ami.windows-2019.id + instance_type = var.instance_type + key_name = aws_key_pair.ec2_key_pair.key_name + subnet_id = var.subnet_id + security_groups = var.security_groups user_data = file("${path.module}/scripts/user_data.tpl") diff --git a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf index b2e6f5ce6..3b9517cd7 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf @@ -59,7 +59,7 @@ resource "aws_security_group" "sg" { from_port = 3389 to_port = 3389 protocol = "tcp" - cidr_blocks = [var.vpc_public_subnets_cidr_block] + cidr_blocks = ["0.0.0.0/0"] ipv6_cidr_blocks = ["::/0"] } From 779b838186f9e378306736a764503d5c8b6a6e14 Mon Sep 17 00:00:00 2001 From: jackleary Date: Thu, 15 May 2025 22:48:18 +0100 Subject: [PATCH 15/23] NRL-1385 sort iam policies to allow ec2 access to Athena --- .../account-wide-infrastructure/dev/ec2.tf | 13 ++- .../modules/athena/outputs.tf | 8 ++ .../modules/athena/s3.tf | 17 +++ .../modules/ec2/data.tf | 9 ++ .../modules/ec2/ec2.tf | 16 +-- .../modules/ec2/iam.tf | 105 ++++++++++++++++++ .../modules/ec2/vars.tf | 9 +- .../modules/glue/outputs.tf | 10 ++ 8 files changed, 171 insertions(+), 16 deletions(-) create mode 100644 terraform/account-wide-infrastructure/modules/ec2/iam.tf diff --git a/terraform/account-wide-infrastructure/dev/ec2.tf b/terraform/account-wide-infrastructure/dev/ec2.tf index 52f841f71..364ab3df6 100644 
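Review bot: Commenting out `associate_public_ip_address = false` does not set it to true; it hands the decision to the subnet's map-public-IP setting, so the "temporary" state is implicit and easy to forget. If a public address is needed for a short window I would set it explicitly with a marker such as `associate_public_ip_address = true # TEMP(NRL-1385): revert before merge`, and the same applies to the vpc.tf hunk of this patch, which reopens 3389 to `0.0.0.0/0` on an instance that may now receive a public IP. Both are reverted later in the series, but a branch left at this commit exposes RDP to the internet on a host whose private key this module writes to disk.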
--- a/terraform/account-wide-infrastructure/dev/ec2.tf +++ b/terraform/account-wide-infrastructure/dev/ec2.tf @@ -8,10 +8,15 @@ module "vpc" { } -module "web" { - source = "../modules/ec2" - instance_type = var.instance_type - name_prefix = "nhsd-nrlf--dev" +module "ec2" { + source = "../modules/ec2" + instance_type = var.instance_type + name_prefix = "nhsd-nrlf--dev" + target_bucket_arn = module.dev-glue.target_bucket_arn + glue_kms_key_arn = module.dev-glue.aws_kms_key_arn + athena_kms_key_arn = module.dev-athena.kms_key_arn + athena_bucket_arn = module.dev-athena.bucket_arn + subnet_id = module.vpc.subnet_id security_groups = module.vpc.security_group diff --git a/terraform/account-wide-infrastructure/modules/athena/outputs.tf b/terraform/account-wide-infrastructure/modules/athena/outputs.tf index 40a8c7961..72aaa879c 100644 --- a/terraform/account-wide-infrastructure/modules/athena/outputs.tf +++ b/terraform/account-wide-infrastructure/modules/athena/outputs.tf @@ -5,3 +5,11 @@ output "workgroup" { output "bucket" { value = aws_s3_bucket.athena } + +output "bucket_arn" { + value = aws_s3_bucket.athena.arn +} + +output "kms_key_arn" { + value = aws_kms_key.athena.arn +} diff --git a/terraform/account-wide-infrastructure/modules/athena/s3.tf b/terraform/account-wide-infrastructure/modules/athena/s3.tf index ea0d144c1..294e7bd62 100644 --- a/terraform/account-wide-infrastructure/modules/athena/s3.tf +++ b/terraform/account-wide-infrastructure/modules/athena/s3.tf @@ -26,6 +26,23 @@ resource "aws_s3_bucket_policy" "athena" { } } }, + { + Sid : "AllowAthenaAccess", + Effect : "Allow", + Principal : { + Service : "athena.amazonaws.com" + }, + Action : [ + "s3:PutObject", + "s3:GetBucketLocation", + "s3:GetObject", + "s3:ListBucket" + ], + Resource : [ + aws_s3_bucket.athena.arn, + "${aws_s3_bucket.athena.arn}/*", + ] + }, ] }) } 
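Review bot: The new `AllowAthenaAccess` statement grants the `athena.amazonaws.com` service principal write access to the bucket with no `Condition`, so the grant is not tied to this account; a service-principal statement without `aws:SourceAccount` (or `aws:SourceArn`) is the classic confused-deputy shape. Add `Condition : { StringEquals : { "aws:SourceAccount" : "<ACCOUNT_ID>" } }` (placeholder; e.g. from an `aws_caller_identity` data source) to the statement. Athena normally reads and writes S3 with the calling principal's credentials rather than its service principal, so it is also worth confirming the statement is needed at all.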
diff --git a/terraform/account-wide-infrastructure/modules/ec2/data.tf b/terraform/account-wide-infrastructure/modules/ec2/data.tf index 6b9f5ad75..6eba1f815 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/data.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/data.tf @@ -6,3 +6,12 @@ data "aws_ami" "windows-2019" { values = ["Windows_Server-2019-English-Full-Base*"] } } + +data "aws_ami" "PowerBI_Gateway" { + most_recent = true + owners = ["self"] + filter { + name = "name" + values = ["PowerBI_Gateway"] + } +} diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index d2d2b2e5f..5e6dad826 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf @@ -1,11 +1,11 @@ -# Create the Linux EC2 Web server resource "aws_instance" "web" { - # associate_public_ip_address = false - ami = data.aws_ami.windows-2019.id - instance_type = var.instance_type - key_name = aws_key_pair.ec2_key_pair.key_name - subnet_id = var.subnet_id - security_groups = var.security_groups + # associate_public_ip_address = + iam_instance_profile = aws_iam_instance_profile.powerbi_profile.name + ami = data.aws_ami.PowerBI_Gateway.id + instance_type = var.instance_type + key_name = aws_key_pair.ec2_key_pair.key_name + subnet_id = var.subnet_id + security_groups = var.security_groups user_data = file("${path.module}/scripts/user_data.tpl") @@ -27,6 +27,6 @@ resource "aws_key_pair" "ec2_key_pair" { # Saving Key Pair for ssh login for Client if needed resource "local_file" "ssh_key" { - filename = "${aws_key_pair.ec2_key_pair.key_name}.pem" + filename = "${path.module}/keys/${aws_key_pair.ec2_key_pair.key_name}.pem" content = tls_private_key.instance_key_pair.private_key_pem } 
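Review bot: `# associate_public_ip_address =` is now a comment with no value, left over from the toggling in patches 12 and 14; either restore `associate_public_ip_address = false` (the README added later in the series reaches the host over an SSM port-forward, not a public address) or delete the line so the next reader does not have to guess what was intended. Patch 20's hunk does eventually restore `false`.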
diff --git a/terraform/account-wide-infrastructure/modules/ec2/iam.tf b/terraform/account-wide-infrastructure/modules/ec2/iam.tf
new file mode 100644
index 000000000..5113138ce
--- /dev/null
+++ b/terraform/account-wide-infrastructure/modules/ec2/iam.tf
@@ -0,0 +1,105 @@
+resource "aws_iam_role" "ec2_service_role" {
+ name = "${var.name_prefix}-ec2_service_role"
+
+ assume_role_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : "ec2.amazonaws.com"
+ },
+ "Action" : "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+data "aws_iam_policy_document" "ec2_service" {
+ statement {
+ actions = [
+ "s3:GetBucketLocation",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:CreateBucket",
+ "s3:PutObject",
+ "s3:PutBucketPublicAccessBlock"
+ ]
+
+ resources = compact([
+ var.target_bucket_arn,
+ "${var.target_bucket_arn}/*",
+ var.athena_bucket_arn,
+ "${var.athena_bucket_arn}/*",
+ ])
+ effect = "Allow"
+ }
+
+ statement {
+ actions = [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListAllMyBuckets"
+ ]
+
+ resources = compact([
+ "*"
+ ])
+ effect = "Allow"
+ }
+
+ statement {
+ actions = [
+ "kms:DescribeKey",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:ReEncrypt*",
+ "kms:Decrypt",
+ ]
+
+ resources = [
+ var.glue_kms_key_arn,
+ var.athena_kms_key_arn,
+ ]
+
+ effect = "Allow"
+ }
+
+ statement {
+ actions = [
+ "athena:*",
+ ]
+ effect = "Allow"
+ resources = [
+ "*"
+ ]
+ }
+
+ statement {
+ actions = [
+ "glue:*",
+ ]
+ effect = "Allow"
+ resources = [
+ "*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "ec2_service" {
+ name = "${var.name_prefix}-ec2"
+ policy = data.aws_iam_policy_document.ec2_service.json
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_service" {
+ role = aws_iam_role.ec2_service_role.name
+ policy_arn = aws_iam_policy.ec2_service.arn
+}
+
+resource "aws_iam_instance_profile" "powerbi_profile" {
+ name = "powerbi_profile"
+ role = aws_iam_role.ec2_service_role.name
+}
diff --git a/terraform/account-wide-infrastructure/modules/ec2/vars.tf b/terraform/account-wide-infrastructure/modules/ec2/vars.tf
index 01d5bc7ec..bc95ccf46 100644
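Review bot: The last two statements grant `athena:*` and `glue:*` on `"*"`, which lets the instance administer every workgroup, data catalog and Glue database in the account rather than query the one catalog it needs, and the first statement carries `s3:CreateBucket` and `s3:PutBucketPublicAccessBlock` on the data buckets, permissions an ODBC client has no reason to hold and which would let a compromised gateway clear the buckets' public-access block. I would trim the S3 list to the read/query set and replace the two wildcards with the explicit query and catalog-read actions, keeping `"*"` only until the workgroup and catalog ARNs are available as module inputs. `compact(["*"])` in the second statement is a no-op and can be a plain list. `aws_iam_instance_profile.powerbi_profile` is the one resource here whose name does not carry `var.name_prefix`, so a second instantiation of the module collides on it (patch 17 later prefixes it).
```hcl
  statement {
    actions = [
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
      "s3:AbortMultipartUpload",
      "s3:PutObject",
    ]
    # … unchanged: resources = compact([...]) / effect …
  }

  # … unchanged: list-all-buckets and KMS statements …

  statement {
    actions = [
      "athena:GetWorkGroup",
      "athena:StartQueryExecution",
      "athena:StopQueryExecution",
      "athena:GetQueryExecution",
      "athena:GetQueryResults",
      "athena:ListDataCatalogs",
      "athena:GetDataCatalog",
      "athena:ListDatabases",
      "athena:GetDatabase",
      "athena:ListTableMetadata",
      "athena:GetTableMetadata",
    ]
    effect    = "Allow"
    resources = ["*"] # TODO: restrict to the workgroup / data catalog ARNs once exposed as inputs
  }

  statement {
    actions = [
      "glue:GetDatabase",
      "glue:GetDatabases",
      "glue:GetTable",
      "glue:GetTables",
      "glue:GetPartition",
      "glue:GetPartitions",
      "glue:BatchGetPartition",
    ]
    effect    = "Allow"
    resources = ["*"] # TODO: restrict to the catalog, database and table ARNs
  }
```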
--- a/terraform/account-wide-infrastructure/modules/ec2/vars.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/vars.tf @@ -1,7 +1,8 @@ -variable "name_prefix" { - type = string - description = "The prefix to apply to all resources in the module." -} +variable "name_prefix" {} variable "instance_type" {} variable "security_groups" {} variable "subnet_id" {} +variable "glue_kms_key_arn" {} +variable "athena_kms_key_arn" {} +variable "target_bucket_arn" {} +variable "athena_bucket_arn" {} diff --git a/terraform/account-wide-infrastructure/modules/glue/outputs.tf b/terraform/account-wide-infrastructure/modules/glue/outputs.tf index d17fc4d09..dfc12029b 100644 --- a/terraform/account-wide-infrastructure/modules/glue/outputs.tf +++ b/terraform/account-wide-infrastructure/modules/glue/outputs.tf @@ -3,11 +3,21 @@ output "target_bucket_name" { value = aws_s3_bucket.target-data-bucket.id } +output "target_bucket_arn" { + description = "Arn of destination bucket" + value = aws_s3_bucket.target-data-bucket.arn +} + output "source_bucket_name" { description = "Name of source bucket" value = aws_s3_bucket.source-data-bucket.id } +output "aws_kms_key_arn" { + description = "Arn of kms key" + value = aws_kms_key.glue.arn +} + output "glue_crawler_name" { value = "s3//${aws_s3_bucket.source-data-bucket.id}/" } From 77a7179532e02284a6525a3e274dedfd1c80f063 Mon Sep 17 00:00:00 2001 From: jackleary Date: Fri, 16 May 2025 09:56:07 +0100 Subject: [PATCH 16/23] NRL-1385 remove unused script --- .../modules/ec2/scripts/gateway_install.ps1 | 49 ------------------- 1 file changed, 49 deletions(-) delete mode 100644 terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 diff --git a/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 b/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 deleted file mode 100644 index 88bdeaf36..000000000 
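Review bot: The vars.tf hunk drops `type = string` and the description from `name_prefix` and adds four ARN inputs with neither, so the module now validates nothing about what it is handed and a caller has no in-file record of what each ARN is for. Each should keep or gain a type and a one-line description, e.g. `variable "target_bucket_arn" { type = string  description = "ARN of the Glue target bucket the instance may read and write" }`; the `use_custom_ami` input added in patch 17's vars.tf hunk would likewise take `type = bool`.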
--- a/terraform/account-wide-infrastructure/modules/ec2/scripts/gateway_install.ps1 +++ /dev/null @@ -1,49 +0,0 @@ -# Requires Module -Name DataGateway - -# Check if the required module is installed -try { - Import-Module DataGateway -} -catch { - Write-Warning "The DataGateway module is not installed. Please install it first using Install-Module -Name DataGateway." - return -} - -# Set vars -$GatewayName = "AthenaCluster" -$GatewayMemberName = "AthenaClusterMember" -$GatewayAdminUser = "jack.leary1@nhs.net"l - -# 1. Add a new gateway cluster -Write-Host "Adding a new gateway cluster..." -try { - Add-DataGatewayCluster -Name $GatewayName -OverwriteExistingGateway -} -catch { - Write-Error "Error adding gateway cluster: $($_.Exception.Message)" - return -} - -# 2. Add a member to the gateway cluster -Write-Host "Adding a gateway member to the cluster..." -try { - Add-DataGatewayClusterMember -ClusterId $GatewayName -Name $GatewayMemberName -OverwriteExistingGateway -} -catch { - Write-Error "Error adding gateway member: $($_.Exception.Message)" - return -} - -# 3. (Optional) Add users as gateway administrators -if ($GatewayAdminUser) { - Write-Host "Adding user as a gateway administrator..." - try { - Add-DataGatewayClusterUser -ClusterId $GatewayName -UserEmail $GatewayAdminUser -Permission "Admin" - } - catch { - Write-Error "Error adding gateway admin: $($_.Exception.Message)" - return - } -} - -Write-Host "Gateway cluster and member added successfully." From 387342e4430a08cc8d67d4501614aab6ae4dd645 Mon Sep 17 00:00:00 2001 
From: jackleary Date: Wed, 28 May 2025 10:10:45 +0100 Subject: [PATCH 17/23] NRL-1385 Make VPC private --- .../account-wide-infrastructure/dev/ec2.tf | 43 ++++++++++++--- .../account-wide-infrastructure/dev/vars.tf | 12 +++++ .../modules/ec2/ec2.tf | 8 ++- .../modules/ec2/iam.tf | 9 +++- .../modules/ec2/locals.tf | 3 ++ .../modules/ec2/scripts/user_data.tpl | 2 + .../modules/ec2/vars.tf | 1 + .../modules/vpc/outputs.tf | 8 +++ .../modules/vpc/vars.tf | 1 + .../modules/vpc/vpc.tf | 54 ++++++++++++++++--- 10 files changed, 120 insertions(+), 21 deletions(-) create mode 100644 terraform/account-wide-infrastructure/modules/ec2/locals.tf diff --git a/terraform/account-wide-infrastructure/dev/ec2.tf b/terraform/account-wide-infrastructure/dev/ec2.tf index 364ab3df6..4ff264e11 100644 --- a/terraform/account-wide-infrastructure/dev/ec2.tf +++ b/terraform/account-wide-infrastructure/dev/ec2.tf @@ -1,15 +1,16 @@ module "vpc" { - source = "../modules/vpc" - vpc_cidr_block = var.vpc_cidr_block - enable_dns_hostnames = var.enable_dns_hostnames - vpc_public_subnets_cidr_block = var.vpc_public_subnets_cidr_block - aws_azs = var.aws_azs - name_prefix = "nhsd-nrlf--dev" + source = "../modules/vpc" + vpc_cidr_block = var.vpc_cidr_block + enable_dns_hostnames = var.enable_dns_hostnames + vpc_public_subnets_cidr_block = var.vpc_public_subnets_cidr_block + vpc_private_subnets_cidr_block = var.vpc_private_subnets_cidr_block + aws_azs = var.aws_azs + name_prefix = "nhsd-nrlf--dev" } - module "ec2" { source = "../modules/ec2" + use_custom_ami = true instance_type = var.instance_type name_prefix = "nhsd-nrlf--dev" target_bucket_arn = module.dev-glue.target_bucket_arn 
@@ -21,3 +22,31 @@ module "ec2" { subnet_id = module.vpc.subnet_id security_groups = module.vpc.security_group } + +module "powerbi_gw_instance" { + source = "../modules/ec2" + use_custom_ami = true + instance_type = var.instance_type + name_prefix = "nhsd-nrlf--dev-powerbi-gw" + target_bucket_arn = module.dev-glue.target_bucket_arn + glue_kms_key_arn = module.dev-glue.aws_kms_key_arn + athena_kms_key_arn = module.dev-athena.kms_key_arn + athena_bucket_arn = module.dev-athena.bucket_arn + + subnet_id = module.vpc.private_subnet_id + security_groups = [module.vpc.powerbi_gw_security_group_id] +} + +module "powerbi_gw_instance_v2" { + source = "../modules/ec2" + use_custom_ami = false + instance_type = var.instance_type + name_prefix = "nhsd-nrlf--dev-powerbi-gw-v2" + target_bucket_arn = module.dev-glue.target_bucket_arn + glue_kms_key_arn = module.dev-glue.aws_kms_key_arn + athena_kms_key_arn = module.dev-athena.kms_key_arn + athena_bucket_arn = module.dev-athena.bucket_arn + + subnet_id = module.vpc.private_subnet_id + security_groups = [module.vpc.powerbi_gw_security_group_id] +} diff --git a/terraform/account-wide-infrastructure/dev/vars.tf b/terraform/account-wide-infrastructure/dev/vars.tf index ae8ab1110..dcbbfd78b 100644 --- a/terraform/account-wide-infrastructure/dev/vars.tf +++ b/terraform/account-wide-infrastructure/dev/vars.tf @@ -38,8 +38,20 @@ variable "vpc_public_subnets_cidr_block" { default = "10.0.0.0/24" } +variable "vpc_private_subnets_cidr_block" { + type = string + description = "CIDR Block for Private Subnets in VPC" + default = "10.0.1.0/24" +} + variable "instance_type" { type = string description = "Type for EC2 Instance" default = "t2.micro" } + +variable "use_custom_ami" { + type = bool + description = "Use custom image" + default = false +} diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index 5e6dad826..61b5a9851 100644 
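Review bot: `variable "use_custom_ami"` added to dev/vars.tf is never read — the module blocks in the preceding hunk pass the literals `true` and `false` — so either wire it through as `use_custom_ami = var.use_custom_ami` or drop the declaration. The private-subnet CIDR and its description are fine; a short comment on `use_custom_ami` saying which AMI each value selects (`PowerBI_Gateway` vs `windows-2019`, per locals.tf in this patch) would save a reader a trip into the module.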
--- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf @@ -1,7 +1,7 @@ resource "aws_instance" "web" { # associate_public_ip_address = iam_instance_profile = aws_iam_instance_profile.powerbi_profile.name - ami = data.aws_ami.PowerBI_Gateway.id + ami = local.selected_ami_id instance_type = var.instance_type key_name = aws_key_pair.ec2_key_pair.key_name subnet_id = var.subnet_id @@ -15,18 +15,16 @@ resource "aws_instance" "web" { } -# Key pair for RDP access resource "tls_private_key" "instance_key_pair" { algorithm = "RSA" } resource "aws_key_pair" "ec2_key_pair" { - key_name = "PowerBI-GateWay-Key" + key_name = "${var.name_prefix}_PowerBI-GateWay-Key" public_key = tls_private_key.instance_key_pair.public_key_openssh } -# Saving Key Pair for ssh login for Client if needed -resource "local_file" "ssh_key" { +resource "local_file" "ssh_key_priv" { filename = "${path.module}/keys/${aws_key_pair.ec2_key_pair.key_name}.pem" content = tls_private_key.instance_key_pair.private_key_pem } diff --git a/terraform/account-wide-infrastructure/modules/ec2/iam.tf b/terraform/account-wide-infrastructure/modules/ec2/iam.tf index 5113138ce..c9de70541 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/iam.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/iam.tf 
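Review bot: Changing the key pair name to `${var.name_prefix}_PowerBI-GateWay-Key` changes `key_name` on `aws_instance.web`, which the provider treats as a replacement-triggering attribute, so applying this hunk recreates the instance; worth saying so in the commit message. Renaming the `local_file` resource without a `moved { from = local_file.ssh_key  to = local_file.ssh_key_priv }` block simply deletes and rewrites the key file, which is harmless, but the two deleted comments were the only record of why the key pair exists; I would keep one, e.g. `# Key pair, presumably used to decrypt the Windows administrator password for RDP — confirm`.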
@@ -94,12 +94,17 @@ resource "aws_iam_policy" "ec2_service" { policy = data.aws_iam_policy_document.ec2_service.json } -resource "aws_iam_role_policy_attachment" "ec2_service" { +resource "aws_iam_role_policy_attachment" "ec2_role_policy" { role = aws_iam_role.ec2_service_role.name policy_arn = aws_iam_policy.ec2_service.arn } +resource "aws_iam_role_policy_attachment" "ec2_role_policy_ssm" { + role = aws_iam_role.ec2_service_role.name + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +} + resource "aws_iam_instance_profile" "powerbi_profile" { - name = "powerbi_profile" + name = "${var.name_prefix}-powerbi_instance_profile" role = aws_iam_role.ec2_service_role.name } diff --git a/terraform/account-wide-infrastructure/modules/ec2/locals.tf b/terraform/account-wide-infrastructure/modules/ec2/locals.tf new file mode 100644 index 000000000..ebc33c56a --- /dev/null +++ b/terraform/account-wide-infrastructure/modules/ec2/locals.tf @@ -0,0 +1,3 @@ +locals { + selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway.id : data.aws_ami.windows-2019.id +} diff --git a/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl b/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl index bf2e23ff0..69a5c5704 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl +++ b/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl @@ -1,6 +1,8 @@ +C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 + Install-WindowsFeature -name Web-Server -IncludeManagementTools $instanceId = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/instance-id -UseBasicParsing).content diff --git a/terraform/account-wide-infrastructure/modules/ec2/vars.tf b/terraform/account-wide-infrastructure/modules/ec2/vars.tf index bc95ccf46..baa457ede 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/vars.tf 
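Review bot: Renaming `aws_iam_role_policy_attachment.ec2_service` to `ec2_role_policy` makes Terraform detach and re-attach the policy on apply, leaving a window in which the role holds only the SSM policy; a `moved { from = aws_iam_role_policy_attachment.ec2_service  to = aws_iam_role_policy_attachment.ec2_role_policy }` block keeps the existing attachment in place. `AmazonSSMManagedInstanceCore` is the right scope for the Session Manager port-forward path and prefixing the instance profile name removes the collision between module instances, so the rest of the hunk reads as intended.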
+++ b/terraform/account-wide-infrastructure/modules/ec2/vars.tf @@ -6,3 +6,4 @@ variable "glue_kms_key_arn" {} variable "athena_kms_key_arn" {} variable "target_bucket_arn" {} variable "athena_bucket_arn" {} +variable "use_custom_ami" {} diff --git a/terraform/account-wide-infrastructure/modules/vpc/outputs.tf b/terraform/account-wide-infrastructure/modules/vpc/outputs.tf index 145e58bd1..a67711159 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/outputs.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/outputs.tf @@ -2,6 +2,14 @@ output "subnet_id" { value = aws_subnet.public_subnet.id } +output "private_subnet_id" { + value = aws_subnet.private_subnet.id +} + output "security_group" { value = [aws_security_group.sg.id] } + +output "powerbi_gw_security_group_id" { + value = aws_security_group.powerbi_gw_sg.id +} diff --git a/terraform/account-wide-infrastructure/modules/vpc/vars.tf b/terraform/account-wide-infrastructure/modules/vpc/vars.tf index e42ff0d3b..d7a91c521 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/vars.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/vars.tf @@ -2,4 +2,5 @@ variable "aws_azs" {} variable "enable_dns_hostnames" {} variable "vpc_cidr_block" {} variable "vpc_public_subnets_cidr_block" {} +variable "vpc_private_subnets_cidr_block" {} variable "name_prefix" {} diff --git a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf index 3b9517cd7..eb8f01924 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf @@ -1,4 +1,3 @@ -# Create the VPC resource "aws_vpc" "app_vpc" { cidr_block = var.vpc_cidr_block enable_dns_hostnames = var.enable_dns_hostnames @@ -8,7 +7,6 @@ resource "aws_vpc" "app_vpc" { } } -# Create the internet gateway resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.app_vpc.id 
@@ -17,7 +15,6 @@ resource "aws_internet_gateway" "igw" { } } -# Create the public subnet resource "aws_subnet" "public_subnet" { vpc_id = aws_vpc.app_vpc.id cidr_block = var.vpc_public_subnets_cidr_block @@ -27,10 +24,18 @@ resource "aws_subnet" "public_subnet" { tags = { Name = "${var.name_prefix}-pubsubnet" } +} + +resource "aws_subnet" "private_subnet" { + vpc_id = aws_vpc.app_vpc.id + cidr_block = var.vpc_private_subnets_cidr_block + availability_zone = var.aws_azs + tags = { + Name = "${var.name_prefix}-privsubnet" + } } -# Create the route table resource "aws_route_table" "public_rt" { vpc_id = aws_vpc.app_vpc.id @@ -38,18 +43,40 @@ resource "aws_route_table" "public_rt" { cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.igw.id } +} + +resource "aws_route_table" "private_rt" { + vpc_id = aws_vpc.app_vpc.id + + route { + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.nat.id + } +} + +resource "aws_eip" "natgw-ip" { + domain = "vpc" +} + +resource "aws_nat_gateway" "nat" { + allocation_id = aws_eip.natgw-ip.id + subnet_id = aws_subnet.public_subnet.id + tags = { + Name = "${var.name_prefix}-nat" + } } -# Assign the public route table to the public subnet resource "aws_route_table_association" "public_rt_asso" { subnet_id = aws_subnet.public_subnet.id route_table_id = aws_route_table.public_rt.id } +resource "aws_route_table_association" "private_rt_asso" { + subnet_id = aws_subnet.private_subnet.id + route_table_id = aws_route_table.private_rt.id +} - -# Create the security group resource "aws_security_group" "sg" { name = "allow_ssh_http" description = "Allow ssh http inbound traffic" 
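Review bot: The comment-only deletions across this file's first four hunks (`# Create the VPC`, `# Create the internet gateway`, `# Create the public subnet`, `# Create the route table`, `# Assign the public route table ...`) strip the only narrative from vpc.tf at the same time as the file gains a second subnet, a NAT gateway and a second route table; I would keep a one-line header on each new block instead, e.g. `# Private subnet: no inbound path, egress only via the NAT gateway below` on `aws_subnet.private_subnet` and `# NAT gateway sits in the public subnet and is the private route table's only way out` on `aws_nat_gateway.nat`. `aws_eip.natgw-ip` is also the one resource name here using a hyphen where the rest of the file uses underscores.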
@@ -79,5 +106,18 @@ resource "aws_security_group" "sg" { cidr_blocks = ["0.0.0.0/0"] ipv6_cidr_blocks = ["::/0"] } +} + +resource "aws_security_group" "powerbi_gw_sg" { + name = "powerbi-gw-sg" + description = "Only allow egress traffic" + vpc_id = aws_vpc.app_vpc.id + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } } From dcce04135247ed0cff9f9be35dec5a4373016d69 Mon Sep 17 00:00:00 2001 From: jackleary Date: Wed, 28 May 2025 11:13:58 +0100 Subject: [PATCH 18/23] NRL-1385 Point EC2 at custom AMI --- .../account-wide-infrastructure/dev/ec2.tf | 31 +------------------ .../modules/ec2/data.tf | 2 +- 2 files changed, 2 insertions(+), 31 deletions(-) diff --git a/terraform/account-wide-infrastructure/dev/ec2.tf b/terraform/account-wide-infrastructure/dev/ec2.tf index 4ff264e11..2ed6a2246 100644 --- a/terraform/account-wide-infrastructure/dev/ec2.tf +++ b/terraform/account-wide-infrastructure/dev/ec2.tf 
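Review bot: `powerbi_gw_sg` permits every protocol to `0.0.0.0/0` and `::/0` on egress; for a host whose job is to reach the Power BI service and AWS endpoints, limiting egress to `tcp/443` plus whichever outbound ports the gateway documentation requires (not verified here) bounds what a compromised instance can talk to, and the `::/0` entry is moot unless the VPC is given an IPv6 block, which nothing visible in this file does. The hard-coded `name = "powerbi-gw-sg"` is the only resource name in the module without `${var.name_prefix}`, which will bite the moment the vpc module is instantiated twice in one account.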
@@ -8,38 +8,9 @@ module "vpc" { name_prefix = "nhsd-nrlf--dev" } -module "ec2" { - source = "../modules/ec2" - use_custom_ami = true - instance_type = var.instance_type - name_prefix = "nhsd-nrlf--dev" - target_bucket_arn = module.dev-glue.target_bucket_arn - glue_kms_key_arn = module.dev-glue.aws_kms_key_arn - athena_kms_key_arn = module.dev-athena.kms_key_arn - athena_bucket_arn = module.dev-athena.bucket_arn - - - subnet_id = module.vpc.subnet_id - security_groups = module.vpc.security_group -} - -module "powerbi_gw_instance" { - source = "../modules/ec2" - use_custom_ami = true - instance_type = var.instance_type - name_prefix = "nhsd-nrlf--dev-powerbi-gw" - target_bucket_arn = module.dev-glue.target_bucket_arn - glue_kms_key_arn = module.dev-glue.aws_kms_key_arn - athena_kms_key_arn = module.dev-athena.kms_key_arn - athena_bucket_arn = module.dev-athena.bucket_arn - - subnet_id = module.vpc.private_subnet_id - security_groups = [module.vpc.powerbi_gw_security_group_id] -} - module "powerbi_gw_instance_v2" { source = "../modules/ec2" - use_custom_ami = false + use_custom_ami = true instance_type = var.instance_type name_prefix = "nhsd-nrlf--dev-powerbi-gw-v2" target_bucket_arn = module.dev-glue.target_bucket_arn diff --git a/terraform/account-wide-infrastructure/modules/ec2/data.tf b/terraform/account-wide-infrastructure/modules/ec2/data.tf index 6eba1f815..dfbb5b881 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/data.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/data.tf @@ -12,6 +12,6 @@ data "aws_ami" "PowerBI_Gateway" { owners = ["self"] filter { name = "name" - values = ["PowerBI_Gateway"] + values = ["PowerBI_GW"] } } From 1ea3038f56a2940e8d53bf0272b93be610a2408f Mon Sep 17 00:00:00 2001 From: jackleary Date: Wed, 28 May 2025 12:19:04 +0100 Subject: [PATCH 19/23] NRL-1385 Update readme --- terraform/account-wide-infrastructure/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/terraform/account-wide-infrastructure/README.md b/terraform/account-wide-infrastructure/README.md index 5efb6f79b..54c5dffea 100644 --- a/terraform/account-wide-infrastructure/README.md +++ b/terraform/account-wide-infrastructure/README.md @@ -124,6 +124,20 @@ $ terraform apply \ Replacing AWS_ACCOUNT_ID with the AWS account number of your account. +### Reporting Resources + +If deploying the EC2 set up to a new environment, these steps need to be followed: + +1. Run the below CLI command, and RDP into the newly created EC2 instance (localhost:13389) + +``` +aws ssm start-session --target --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=13389,portNumber=3389" +``` + +2. Install Athena ODBC driver and Power BI personal on premesis gateway +3. Configure ODBC driver to connect to relevant Athena instance and log in to the gateway using NHS email +4. Log into power bi and test the refresh on the relevant data sources + ## Tear down account wide resources WARNING - This action will destroy all account-wide resources from the AWS account. This should From 9e72ff32ff959aa33486c5592ed354e32ff9f459 Mon Sep 17 00:00:00 2001 From: jackleary Date: Wed, 28 May 2025 14:47:03 +0100 Subject: [PATCH 20/23] NRL-1385 rmeove public ip from ec2 --- .../account-wide-infrastructure/modules/ec2/ec2.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf index 61b5a9851..e5016f13f 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf +++ b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf 
@@ -1,11 +1,11 @@ resource "aws_instance" "web" { - # associate_public_ip_address = - iam_instance_profile = aws_iam_instance_profile.powerbi_profile.name - ami = local.selected_ami_id - instance_type = var.instance_type - key_name = aws_key_pair.ec2_key_pair.key_name - subnet_id = var.subnet_id - security_groups = var.security_groups + associate_public_ip_address = false + iam_instance_profile = aws_iam_instance_profile.powerbi_profile.name + ami = local.selected_ami_id + instance_type = var.instance_type + key_name = aws_key_pair.ec2_key_pair.key_name + subnet_id = var.subnet_id + security_groups = var.security_groups user_data = file("${path.module}/scripts/user_data.tpl") From 1bbcbd381f47cb83a79bba80985ee1f836cc1229 Mon Sep 17 00:00:00 2001 From: jackleary Date: Wed, 28 May 2025 15:00:32 +0100 Subject: [PATCH 21/23] NRL-1385 remove unused security group --- .../modules/vpc/outputs.tf | 4 --- .../modules/vpc/vpc.tf | 31 ------------------- 2 files changed, 35 deletions(-) diff --git a/terraform/account-wide-infrastructure/modules/vpc/outputs.tf b/terraform/account-wide-infrastructure/modules/vpc/outputs.tf index a67711159..deb923afe 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/outputs.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/outputs.tf @@ -6,10 +6,6 @@ output "private_subnet_id" { value = aws_subnet.private_subnet.id } -output "security_group" { - value = [aws_security_group.sg.id] -} - output "powerbi_gw_security_group_id" { value = aws_security_group.powerbi_gw_sg.id } diff --git a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf index eb8f01924..b1fa293ea 100644 --- a/terraform/account-wide-infrastructure/modules/vpc/vpc.tf +++ b/terraform/account-wide-infrastructure/modules/vpc/vpc.tf 
@@ -77,37 +77,6 @@ resource "aws_route_table_association" "private_rt_asso" { route_table_id = aws_route_table.private_rt.id } -resource "aws_security_group" "sg" { - name = "allow_ssh_http" - description = "Allow ssh http inbound traffic" - vpc_id = aws_vpc.app_vpc.id - - ingress { - from_port = 3389 - to_port = 3389 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - } - - ingress { - description = "HTTP from VPC" - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - } -} - resource "aws_security_group" "powerbi_gw_sg" { name = "powerbi-gw-sg" description = "Only allow egress traffic" From f8485c05254e2e2653d0be728ffe458d0d44d46e Mon Sep 17 00:00:00 2001 From: jackleary Date: Thu, 29 May 2025 09:49:40 +0100 Subject: [PATCH 22/23] NRL-1385 Spelling --- terraform/account-wide-infrastructure/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/account-wide-infrastructure/README.md b/terraform/account-wide-infrastructure/README.md index 54c5dffea..7e8881a6d 100644 --- a/terraform/account-wide-infrastructure/README.md +++ b/terraform/account-wide-infrastructure/README.md @@ -134,7 +134,7 @@ If deploying the EC2 set up to a new environment, these steps need to be followe aws ssm start-session --target --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=13389,portNumber=3389" ``` -2. Install Athena ODBC driver and Power BI personal on premesis gateway +2. Install Athena ODBC driver and Power BI personal on premises gateway 3. Configure ODBC driver to connect to relevant Athena instance and log in to the gateway using NHS email 4. Log into power bi and test the refresh on the relevant data sources From 2b1e371eb8a0c84146ca08b887d31609a015212b Mon Sep 17 00:00:00 2001 
From: jackleary Date: Thu, 29 May 2025 16:01:00 +0100 Subject: [PATCH 23/23] NRL-1385 remove invocation of init script in user data --- .../modules/ec2/scripts/user_data.tpl | 2 -- 1 file changed, 2 deletions(-) diff --git a/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl b/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl index 69a5c5704..bf2e23ff0 100644 --- a/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl +++ b/terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl @@ -1,8 +1,6 @@ -C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 - Install-WindowsFeature -name Web-Server -IncludeManagementTools $instanceId = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/instance-id -UseBasicParsing).content
