Merge pull request #3778 from nhsuk/dms_post_migration_config

Remove old db resources or dms migration resources

Author: TheOneFromNorway

terraform/app/db_migration_configuration.tf

@@ -1,95 +0,0 @@
-module "dms_custom_kms_migration" {
-  source      = "./modules/dms"
-  environment = var.environment
-
-  ecs_sg_ids           = concat(local.ecs_sg_ids, [module.prepare_new_db_service.security_group_id])
-  source_endpoint      = aws_rds_cluster.aurora_cluster.endpoint
-  source_port          = aws_rds_cluster.aurora_cluster.port
-  source_database_name = aws_rds_cluster.aurora_cluster.database_name
-  source_db_secret_arn = var.db_secret_arn == null ? aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn : var.db_secret_arn
-
-  target_endpoint        = aws_rds_cluster.core.endpoint
-  target_port            = aws_rds_cluster.core.port
-  target_database_name   = aws_rds_cluster.core.database_name
-  target_db_secret_arn   = aws_rds_cluster.core.master_user_secret[0].secret_arn
-  target_db_rotation_arn = aws_secretsmanager_secret_rotation.target.id
-
-  engine_name = aws_rds_cluster.aurora_cluster.engine
-  subnet_ids  = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
-
-  rds_cluster_security_group_id = aws_security_group.rds_security_group.id
-  vpc_id                        = aws_vpc.application_vpc.id
-}
-
-module "prepare_new_db_service" {
-  source = "./modules/ecs_service"
-
-  cluster_id            = aws_ecs_cluster.cluster.id
-  cluster_name          = aws_ecs_cluster.cluster.name
-  environment           = var.environment
-  maximum_replica_count = 1
-  minimum_replica_count = 1
-  network_params = {
-    subnets = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
-    vpc_id  = aws_vpc.application_vpc.id
-  }
-  server_type      = "none"
-  server_type_name = "prepare_new_db"
-  task_config = {
-    environment = [{
-      name  = "DB_HOST"
-      value = aws_rds_cluster.core.endpoint
-      },
-      {
-        name  = "DB_NAME"
-        value = aws_rds_cluster.core.database_name
-      },
-      {
-        name  = "RAILS_ENV"
-        value = var.rails_env
-      },
-      {
-        name  = "SENTRY_ENVIRONMENT"
-        value = var.environment
-      },
-      {
-        name  = "MAVIS__CIS2__ENABLED"
-        value = "false"
-      },
-      {
-        name  = "MAVIS__SPLUNK__ENABLED"
-        value = "false"
-      }
-    ]
-    secrets = [
-      {
-        name      = "DB_CREDENTIALS"
-        valueFrom = aws_rds_cluster.core.master_user_secret[0].secret_arn
-      },
-      {
-        name      = "RAILS_MASTER_KEY"
-        valueFrom = var.rails_master_key_path
-      }
-    ]
-    cpu                  = 1024
-    memory               = 2048
-    docker_image         = "${var.account_id}.dkr.ecr.eu-west-2.amazonaws.com/${var.docker_image}@${var.image_digest}"
-    execution_role_arn   = aws_iam_role.ecs_task_execution_role.arn
-    task_role_arn        = aws_iam_role.ecs_task_role.arn
-    log_group_name       = aws_cloudwatch_log_group.ecs_log_group.name
-    region               = var.region
-    health_check_command = ["CMD-SHELL", "echo 'alive' || exit 1"]
-  }
-  depends_on = [aws_rds_cluster_instance.core]
-}
-
-resource "aws_security_group_rule" "db_prepare_access_to_db" {
-  type                     = "ingress"
-  from_port                = aws_rds_cluster.core.port
-  to_port                  = aws_rds_cluster.core.port
-  protocol                 = "tcp"
-  security_group_id        = aws_security_group.rds_security_group.id
-  source_security_group_id = module.prepare_new_db_service.security_group_id
-
-  description = "Allow access from the prepare_new_db ECS service to the core RDS cluster"
-}

terraform/app/env/preview.tfvars

@@ -1,11 +1,7 @@
 environment         = "preview"
-db_secret_arn       = "arn:aws:secretsmanager:eu-west-2:393416225559:secret:dbAuroraSecret-ysKvF5RMbWMr-lnpooZ"
 dns_certificate_arn = null
 docker_image        = "mavis/webapp"
 resource_name = {
-  dbsubnet_group           = "mavis-preview-addonsstack-1pd6pksn106rk-dbdbsubnetgroup-8pkydanicgra"
-  db_cluster               = "mavis-preview-addonsstack-1pd6pksn106r-dbdbcluster-lrf8p5py9wfb"
-  db_instance              = "mavis-preview-addonsstack-1pd6p-dbdbwriterinstance-aozmqfwfm2va"
   rds_security_group       = "mavis-preview-AddonsStack-1PD6PKSN106RK-dbDBClusterSecurityGroup-7cmoQwi6uv8e"
   loadbalancer             = "mavis-preview-pub-lb"
   lb_security_group        = "mavis-preview-PublicHTTPLoadBalancerSecurityGroup-qfHAKWH39OY3"

terraform/app/env/production.tfvars

@@ -1,11 +1,7 @@
 environment         = "production"
-db_secret_arn       = "arn:aws:secretsmanager:eu-west-2:820242920762:secret:dbAuroraSecret-zjL6LdCCIV5c-oSfy6Y"
 dns_certificate_arn = ["arn:aws:acm:eu-west-2:820242920762:certificate/dd00edc0-b305-45bd-83aa-7c7f298b0a68"]
 docker_image        = "mavis/webapp"
 resource_name = {
-  dbsubnet_group           = "mavis-production-addonsstack-h6b1986bq928-dbdbsubnetgroup-1dpsuyglv1es"
-  db_cluster               = "mavis-production-addonsstack-h6b1986bq-dbdbcluster-actkuhui4ce7"
-  db_instance              = "mavis-production-addonsstack-h6-dbdbwriterinstance-l8rqm5mbgilx"
   rds_security_group       = "mavis-production-AddonsStack-H6B1986BQ928-dbDBClusterSecurityGroup-dEt2cEtcHBMo"
   loadbalancer             = "mavis-production-pub-lb"
   lb_security_group        = "mavis-production-PublicHTTPLoadBalancerSecurityGroup-G7umbZTkvkwK"
@@ -26,10 +22,9 @@ ecs_log_retention_days    = 30
 backup_retention_period   = 7
 ssl_policy                = "ELBSecurityPolicy-TLS13-1-2-2021-06"
 access_logs_bucket        = "nhse-mavis-access-logs-production"
-max_aurora_capacity_units = 32
+max_aurora_capacity_units = 16
 minimum_web_replicas      = 2
 maximum_web_replicas      = 4
 container_insights        = "enhanced"
 
 enable_backup_to_vault = true
-

terraform/app/env/qa.tfvars

@@ -1,11 +1,7 @@
 environment         = "qa"
-db_secret_arn       = "arn:aws:secretsmanager:eu-west-2:393416225559:secret:dbAuroraSecret-GBwVtQEAmugK-wPubjU"
 dns_certificate_arn = ["arn:aws:acm:eu-west-2:393416225559:certificate/dafb0f10-ee18-45e2-8971-28d4ab434375"]
 docker_image        = "mavis/webapp"
 resource_name = {
-  dbsubnet_group           = "mavis-qa-addonsstack-z0l4gx5euv3i-dbdbsubnetgroup-fgvafc16exxw"
-  db_cluster               = "mavis-qa-addonsstack-z0l4gx5euv3i-dbdbcluster-ysszxsdiq1ka"
-  db_instance              = "mavis-qa-addonsstack-z0l4gx5euv-dbdbwriterinstance-sstfvcbqdcwa"
   rds_security_group       = "mavis-qa-AddonsStack-Z0L4GX5EUV3I-dbDBClusterSecurityGroup-vd2Avaw4JIgr"
   loadbalancer             = "mavis-qa-pub-lb"
   lb_security_group        = "mavis-qa-PublicHTTPLoadBalancerSecurityGroup-ml4lZT5ey5ih"
@@ -24,7 +20,7 @@ http_hosts = {
 appspec_bucket            = "nhse-mavis-appspec-bucket-qa"
 minimum_web_replicas      = 2
 maximum_web_replicas      = 4
-max_aurora_capacity_units = 32
+max_aurora_capacity_units = 16
 container_insights        = "enhanced"
 
 enable_backup_to_vault = true

terraform/app/env/sandbox-alpha.tfvars

@@ -1,11 +1,7 @@
 environment           = "sandbox-alpha"
 rails_master_key_path = "/copilot/mavis/secrets/STAGING_RAILS_MASTER_KEY"
-db_secret_arn         = null
 dns_certificate_arn   = null
 resource_name = {
-  dbsubnet_group           = "mavis-sandbox-alpha-rds-subnet"
-  db_cluster               = "mavis-sandbox-alpha-rds-cluster"
-  db_instance              = "mavis-sandbox-alpha-rds-instance"
   rds_security_group       = "mavis-sandbox-alpha-rds-sg"
   loadbalancer             = "mavis-sandbox-alpha-alb"
   lb_security_group        = "mavis-sandbox-alpha-alb-sg"
@@ -24,4 +20,3 @@ appspec_bucket       = "nhse-mavis-appspec-bucket-sandbox-alpha"
 minimum_web_replicas = 1
 maximum_web_replicas = 2
 good_job_replicas    = 1
-

terraform/app/env/sandbox-beta.tfvars

@@ -1,11 +1,7 @@
 environment           = "sandbox-beta"
 rails_master_key_path = "/copilot/mavis/secrets/STAGING_RAILS_MASTER_KEY"
-db_secret_arn         = null
 dns_certificate_arn   = null
 resource_name = {
-  dbsubnet_group           = "mavis-sandbox-beta-rds-subnet"
-  db_cluster               = "mavis-sandbox-beta-rds-cluster"
-  db_instance              = "mavis-sandbox-beta-rds-instance"
   rds_security_group       = "mavis-sandbox-beta-rds-sg"
   loadbalancer             = "mavis-sandbox-beta-alb"
   lb_security_group        = "mavis-sandbox-beta-alb-sg"

terraform/app/env/test.tfvars

@@ -1,11 +1,7 @@
 environment         = "test"
-db_secret_arn       = "arn:aws:secretsmanager:eu-west-2:393416225559:secret:dbAuroraSecret-LwdZBGzdPMq6-PkAjKC"
 dns_certificate_arn = ["arn:aws:acm:eu-west-2:393416225559:certificate/7e80f006-e9d8-488f-b950-d97f3cc41e4f"]
 docker_image        = "mavis/webapp"
 resource_name = {
-  dbsubnet_group           = "mavis-test-addonsstack-gb8z9lqvo8of-dbdbsubnetgroup-8hrfkmuyp4c4"
-  db_cluster               = "mavis-test-addonsstack-gb8z9lqvo8of-dbdbcluster-0ed2hxoxu1v1"
-  db_instance              = "mavis-test-addonsstack-gb8z9lqv-dbdbwriterinstance-mq40ycdtxcan"
   rds_security_group       = "mavis-test-AddonsStack-GB8Z9LQVO8OF-dbDBClusterSecurityGroup-1KSO3O1CL4NI5"
   loadbalancer             = "mavis--Publi-W19xy2QLULZ4"
   lb_security_group        = "mavis-test-PublicHTTPLoadBalancerSecurityGroup-15LE48D6JYPML"
@@ -21,5 +17,3 @@ http_hosts = {
 appspec_bucket       = "nhse-mavis-appspec-bucket-test"
 minimum_web_replicas = 2
 maximum_web_replicas = 4
-
-max_aurora_capacity_units = 32

terraform/app/env/training.tfvars

@@ -1,14 +1,10 @@
-environment   = "training"
-db_secret_arn = "arn:aws:secretsmanager:eu-west-2:393416225559:secret:dbAuroraSecret-3bG6y4wn5Enz-YvireA"
+environment = "training"
 dns_certificate_arn = [
   "arn:aws:acm:eu-west-2:393416225559:certificate/368edbcb-37c5-4146-9087-ff011bef5e05",
   "arn:aws:acm:eu-west-2:393416225559:certificate/e93e3912-eee4-4f6e-826d-c628bff58527",
 ]
 docker_image = "mavis/webapp"
 resource_name = {
-  dbsubnet_group           = "mavis-training-addonsstack-1jzsxp7p84221-dbdbsubnetgroup-ybdt5wfbx9jl"
-  db_cluster               = "mavis-training-addonsstack-1jzsxp7p842-dbdbcluster-dojxjwailzmh"
-  db_instance              = "mavis-training-addonsstack-1jzs-dbdbwriterinstance-pbl8rjktgtmp"
   rds_security_group       = "mavis-training-AddonsStack-1JZSXP7P84221-dbDBClusterSecurityGroup-A5NL1GFJ83LX"
   loadbalancer             = "mavis--Publi-w1wzc4E2jrl6"
   lb_security_group        = "mavis-training-PublicHTTPLoadBalancerSecurityGroup-L8GOGS04ARYI"
@@ -28,5 +24,3 @@ http_hosts = {
 appspec_bucket       = "nhse-mavis-appspec-bucket-training"
 minimum_web_replicas = 2
 maximum_web_replicas = 4
-
-max_aurora_capacity_units = 32

terraform/app/iam_policy_documents.tf

@@ -60,7 +60,6 @@ data "aws_iam_policy_document" "ecs_secrets_access" {
     sid     = "dbSecretSid"
     actions = ["secretsmanager:GetSecretValue"]
     resources = [
-      var.db_secret_arn == null ? aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn : var.db_secret_arn,
       aws_rds_cluster.core.master_user_secret[0].secret_arn
     ]
     effect = "Allow"

terraform/app/kms.tf

@@ -1,7 +1,3 @@
-data "aws_iam_role" "dms_service_linked_role" {
-  name = "AWSServiceRoleForDMSServerless"
-}
-
 resource "aws_kms_key" "rds_cluster" {
   description = "Custom KMS key for new Aurora cluster"
   policy = jsonencode({
@@ -11,25 +7,10 @@ resource "aws_kms_key" "rds_cluster" {
         Sid    = "AllowAccount"
         Effect = "Allow"
         Principal = {
-          AWS = ["arn:aws:iam::${var.account_id}:root", "arn:aws:iam::${var.backup_account_id}:root"]
+          AWS = ["arn:aws:iam::${var.account_id}:root"]
         }
         Action   = "kms:*"
         Resource = "*"
-      },
-      {
-        Sid    = "AllowDMS"
-        Effect = "Allow"
-        Principal = {
-          AWS = data.aws_iam_role.dms_service_linked_role.arn
-        }
-        Action = [
-          "kms:Encrypt",
-          "kms:Decrypt",
-          "kms:ReEncrypt*",
-          "kms:GenerateDataKey*",
-          "kms:DescribeKey"
-        ]
-        Resource = "*"
       }
     ]
   })