Merge pull request #1445 from ministryofjustice/MLPAB-2431-investigat…

…e-demo-healthchecks-reporting-site-down MLPAB-2431 investigate demo healthchecks reporting site down
ministryofjustice · Aug 22, 2024 · 63e1788 · 63e1788
2 parents 4fb0206 + 961c375
commit 63e1788
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 35 deletions.
diff --git a/terraform/environment/.terraform.lock.hcl b/terraform/environment/.terraform.lock.hcl
diff --git a/terraform/environment/region/modules/app/alb.tf b/terraform/environment/region/modules/app/alb.tf
@@ -150,10 +150,18 @@ resource "aws_security_group" "app_loadbalancer" {
 
 data "aws_ip_ranges" "route53_healthchecks" {
   services = ["route53_healthchecks"]
-  regions  = ["GLOBAL", "us-east-1", "eu-west-1", "ap-southeast-1"]
+  regions  = ["GLOBAL", "us-east-1", "eu-west-1", "us-west-2"]
   provider = aws.region
 }
 
+resource "terraform_data" "route53_healthchecks_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
+}
+
+resource "terraform_data" "route53_healthchecks_ipv6_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
+}
+
 resource "terraform_data" "ingress_allow_list_cidr" {
   input = var.ingress_allow_list_cidr
 }
@@ -201,7 +209,13 @@ resource "aws_security_group_rule" "loadbalancer_ingress_route53_healthchecks" {
   cidr_blocks       = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
   ipv6_cidr_blocks  = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
   security_group_id = aws_security_group.app_loadbalancer.id
-  provider          = aws.region
+  lifecycle {
+    replace_triggered_by = [
+      terraform_data.route53_healthchecks_cidr_blocks,
+      terraform_data.route53_healthchecks_ipv6_cidr_blocks
+    ]
+  }
+  provider = aws.region
 }
 
 resource "aws_security_group_rule" "app_loadbalancer_public_access_ingress" {

diff --git a/terraform/environment/region/modules/mock_onelogin/alb.tf b/terraform/environment/region/modules/mock_onelogin/alb.tf
@@ -86,15 +86,24 @@ resource "aws_security_group" "mock_onelogin_loadbalancer" {
 
 data "aws_ip_ranges" "route53_healthchecks" {
   services = ["route53_healthchecks"]
-  regions  = ["GLOBAL", "us-east-1", "eu-west-1", "ap-southeast-1"]
+  regions  = ["GLOBAL", "us-east-1", "eu-west-1", "us-west-2"]
   provider = aws.region
 }
 
+resource "terraform_data" "route53_healthchecks_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
+}
+
+resource "terraform_data" "route53_healthchecks_ipv6_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
+}
+
 resource "terraform_data" "ingress_allow_list_cidr" {
   input = var.ingress_allow_list_cidr
 }
 
 resource "aws_security_group_rule" "mock_onelogin_loadbalancer_port_80_redirect_ingress" {
+  count             = var.public_access_enabled ? 0 : 1
   description       = "Port 80 ingress for redirection to port 443"
   type              = "ingress"
   from_port         = 80
@@ -111,6 +120,7 @@ resource "aws_security_group_rule" "mock_onelogin_loadbalancer_port_80_redirect_
 }
 
 resource "aws_security_group_rule" "mock_onelogin_loadbalancer_ingress" {
+  count             = var.public_access_enabled ? 0 : 1
   description       = "Port 443 ingress from the allow list to the application load balancer"
   type              = "ingress"
   from_port         = 443
@@ -135,7 +145,13 @@ resource "aws_security_group_rule" "loadbalancer_ingress_route53_healthchecks" {
   cidr_blocks       = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
   ipv6_cidr_blocks  = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
   security_group_id = aws_security_group.mock_onelogin_loadbalancer.id
-  provider          = aws.region
+  lifecycle {
+    replace_triggered_by = [
+      terraform_data.route53_healthchecks_cidr_blocks,
+      terraform_data.route53_healthchecks_ipv6_cidr_blocks
+    ]
+  }
+  provider = aws.region
 }
 
 resource "aws_security_group_rule" "mock_onelogin_loadbalancer_public_access_ingress" {

diff --git a/terraform/environment/region/modules/mock_pay/alb.tf b/terraform/environment/region/modules/mock_pay/alb.tf
@@ -86,10 +86,18 @@ resource "aws_security_group" "mock_pay_loadbalancer" {
 
 data "aws_ip_ranges" "route53_healthchecks" {
   services = ["route53_healthchecks"]
-  regions  = ["GLOBAL", "us-east-1", "eu-west-1", "ap-southeast-1"]
+  regions  = ["GLOBAL", "us-east-1", "eu-west-1", "us-west-2"]
   provider = aws.region
 }
 
+resource "terraform_data" "route53_healthchecks_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
+}
+
+resource "terraform_data" "route53_healthchecks_ipv6_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
+}
+
 resource "terraform_data" "ingress_allow_list_cidr" {
   input = var.ingress_allow_list_cidr
 }
@@ -135,7 +143,13 @@ resource "aws_security_group_rule" "loadbalancer_ingress_route53_healthchecks" {
   cidr_blocks       = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
   ipv6_cidr_blocks  = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
   security_group_id = aws_security_group.mock_pay_loadbalancer.id
-  provider          = aws.region
+  lifecycle {
+    replace_triggered_by = [
+      terraform_data.route53_healthchecks_cidr_blocks,
+      terraform_data.route53_healthchecks_ipv6_cidr_blocks
+    ]
+  }
+  provider = aws.region
 }
 
 resource "aws_security_group_rule" "mock_pay_loadbalancer_public_access_ingress" {