ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

SPIKE: AWS directory as a service - cross network connectivity #5737

Closed SimonPPledger closed 9 months ago

SimonPPledger commented 9 months ago

User Story

Review the current MP architecture and evaluate if it can host an Active Directory that will be able to be used in other accounts.

Value / Purpose

Currently 2 DSO applications (PlanetFM and CSR) are authenticated via AD that is also running on the same basic infrastructure. So as all DSO is migrated either to ModP or CP, they will also need to move the AD (or replace it). A couple of the options would see it being relocated to ModP.

We also need to check that by putting it in there, it would mean that the networky bits/base connectivity is there to allow for the AD to be consumed in the member accounts (if it is hosted in another member account, we would have to break the rule of no east-west traffic allowed)

Useful Contacts

No response

Additional Information

The AD will require connectivity to core-VPC accounts and member accounts and would have to be cross-environment as well (e.g. the AD hosted in core-shared-services would need to access multiple prod and preprod member accounts).

Proposal / Unknowns

The proposal is to host the AD in core-shared-services. It would either be an AWS Managed AD or an EC2 instance if the first option is not possible.

Connectivity from outside of MP: The traffic will come from DOM1 devices (internal) and perhaps other devices (MOJO?).

Definition of Done

[ ] ADR created/updated
[ ] Presentation to team
[ ] decision made
[ ] tickets raised to do the work (if agreed)

dms1981 commented 9 months ago

We've discussed this in https://github.com/ministryofjustice/modernisation-platform/issues/5736 and our expectation is that we'll deploy AWS Managed AD in core-shared-services for preprod/prod in the live_data VPC, and for dev/test in the non_live_data VPC.

In terms of internal MP connectivity this would mean that all internal traffic would pass from the core-vpc account $business-unit-$environment VPC via the MP Transit Gateway to the domain controller in the core-shared-services account live_data / non_live_data VPC as appropriate.

For traffic trying to traverse from dev to a DC in non_live_data, the flow would go via the MP external-inspection Network Firewall and ought to be denied by default.

For traffic trying to traverse from a DC in core-shared-services to somewhere inside MOJ the flow would go via external-inspection Network Firewall and then through the peering connection to the MOJ TGW.

For traffic trying to join a DC in core-shared-services any inbound flow would come via the Transit Gateway and external-inspection Network Firewall.
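The path rules in the comment above, encoded as a small checker so each flow class (internal via the TGW, cross-boundary via the inspection firewall with an expected deny, egress to MOJ, ingress from MOJ) can be asserted on rather than only described. This is an added example, not code from the issue or the modernisation-platform repository; the account and VPC names and the environment-to-VPC mapping follow the comment, while the `Flow` structure, the hop labels and the verdict strings are assumptions made for illustration.

```python
"""Model of the AD traffic paths described in the comment above.

Added example: not code from the issue or the modernisation-platform repo.
Account/VPC names and the env -> DC VPC mapping come from the comment; the
Flow class, hop labels and verdict strings are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Which core-shared-services VPC hosts the DC for each environment (from the comment).
DC_VPC_FOR_ENV = {
    "development": "non_live_data",
    "test": "non_live_data",
    "preproduction": "live_data",
    "production": "live_data",
}

SHARED = "core-shared-services"
FIREWALL = "external-inspection-network-firewall"   # assumed label
MP_TGW = "mp-transit-gateway"                       # assumed label
MOJ_TGW = "moj-transit-gateway"                     # assumed label


@dataclass(frozen=True)
class Flow:
    """One candidate flow (assumed structure, not an MP data type)."""
    src: str                        # "member", "core-shared-services" or "moj"
    dst: str                        # "dc" (a domain controller) or "moj"
    src_env: Optional[str] = None   # environment of a member/core-vpc source
    dc_vpc: Optional[str] = None    # "live_data" or "non_live_data"


def evaluate(flow: Flow) -> Tuple[List[str], str]:
    """Return (hops, verdict) for a flow under the described design.

    Verdicts (assumed labels):
      "tgw"               internal traffic routed via the MP TGW to the matching DC
      "denied-by-default" crosses the live/non-live boundary; hits the firewall,
                          expected to be denied by default
      "inspected"         leaves or enters MP; passes the external-inspection firewall
    """
    if flow.src == "member" and flow.dst == "dc":
        if flow.src_env not in DC_VPC_FOR_ENV:
            raise ValueError(f"unknown environment {flow.src_env!r}")
        src_vpc = f"core-vpc/{flow.src_env}"          # $business-unit-$environment VPC
        dc = f"{SHARED}/{flow.dc_vpc}"
        if flow.dc_vpc == DC_VPC_FOR_ENV[flow.src_env]:
            return [src_vpc, MP_TGW, dc], "tgw"
        # Wrong DC class for this environment: inspected and denied by default.
        return [src_vpc, MP_TGW, FIREWALL, dc], "denied-by-default"
    if flow.src == SHARED and flow.dst == "moj":
        # DC -> somewhere inside MOJ: firewall, then peering to the MOJ TGW.
        return [f"{SHARED}/{flow.dc_vpc}", FIREWALL, "peering", MOJ_TGW], "inspected"
    if flow.src == "moj" and flow.dst == "dc":
        # Inbound domain-join traffic: TGW and firewall before the DC.
        return [MOJ_TGW, "peering", MP_TGW, FIREWALL, f"{SHARED}/{flow.dc_vpc}"], "inspected"
    raise ValueError(f"flow not covered by the described design: {flow}")


if __name__ == "__main__":
    # Constructed sample flows, one per flow class in the comment.
    samples = [
        Flow("member", "dc", src_env="production", dc_vpc="live_data"),
        Flow("member", "dc", src_env="test", dc_vpc="live_data"),
        Flow(SHARED, "moj", dc_vpc="live_data"),
        Flow("moj", "dc", dc_vpc="non_live_data"),
    ]
    for f in samples:
        hops, verdict = evaluate(f)
        print(f"{verdict:18} {' -> '.join(hops)}")
```

The point of keeping the mapping and the verdicts in one place is that when the ADR is written the expected path for every environment/DC pairing can be reviewed as a table of assertions, and a change that silently routes a non-live environment at the live DC (or vice versa) shows up as a failing case rather than a surprise at the firewall.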