ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License
683 stars 291 forks

Add SSM as default to MP modules that create ec2s. #7412

Closed mikereiddigital closed 2 months ago

mikereiddigital commented 3 months ago

User Story

As a Modernisation Platform Engineer I need to enforce the use of SSM in all modules that create ec2 instances, including:

So that users of this module will have ec2s that implement SSM without having to add it and so give us in the MP team certainty that SSM is used as widely as possible.

Value / Purpose

SSM provides a secure means to access ec2 instances without the need for SSH bastions and this is to be encouraged as the preferred means of connection. By adding SSM as a default to modules that generate ec2 instances, we have greater certainty that this feature is used by module users.

Useful Contacts

No response

Additional Information

No response

Definition of Done

Kudzai-moj commented 3 months ago

Bastion linux module already has SSM installed

Currently investigating our ECS module to see if we use Amazon ECS-Optimized AMI or Custom AMIs. The default ECS-Optimized AMIs come with the SSM Agent pre-installed. If we are using custom AMI ECS instances, we need to ensure that the SSM Agent is installed on the instances.

Kudzai-moj commented 2 months ago

Main instances which do not have SSM preinstalled are Red Hat and Debian. We have not found a straightforward way to add a user data script to the modules that consistently runs while also allowing users to run their own scripts simultaneously.

We have updated the arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to be added as default whenever a new instance is created by the two modules below

https://github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance - Pull Request

https://github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group - Pull Request

We have also added the script that we created to the MPE repo. The current script users are using only installs for rhel6. Update will install SSM on Rhel 7, 8, 9 and Debian. - https://github.com/ministryofjustice/modernisation-platform-environments/pull/7296


Khatraf commented 2 months ago

I've reviewed this ticket - SSM policy added as a default, tested it in cooker and a script update in the MPE repo ensures SSM installation on Rhel 7, 8, 9, and Debian, improving upon the previous version which only supported Rhel 6.
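
An added example, not the script from the linked pull request or any Modernisation Platform code: user data that selects and installs the SSM Agent package for RHEL 7, 8, 9 and Debian, the set of systems named in this thread. The function names are hypothetical, and it assumes curl and systemd are present and that the instance role already carries AmazonSSMManagedInstanceCore.

```bash
#!/usr/bin/env bash
# Added example: function names are hypothetical, not taken from the MPE repo.
# AWS's global download location for the SSM Agent packages.
SSM_BASE="https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest"

# ssm_pkg_url OS_RELEASE_FILE MACHINE
# Prints the package URL; returns 1 for an OS or CPU this script does not cover.
ssm_pkg_url() {
  local id ver arch
  # Read the two fields with sed instead of sourcing the file as shell code.
  id=$(sed -n 's/^ID=//p' "$1" | tr -d '"' | head -n1)
  ver=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"' | head -n1)
  case "$2" in
    x86_64)  arch=amd64 ;;
    aarch64) arch=arm64 ;;
    *) return 1 ;;
  esac
  case "$id" in
    rhel)
      # Only major versions 7, 8 and 9; anything else is refused, not guessed at.
      case "${ver%%.*}" in
        7|8|9) echo "$SSM_BASE/linux_${arch}/amazon-ssm-agent.rpm" ;;
        *) return 1 ;;
      esac ;;
    debian) echo "$SSM_BASE/debian_${arch}/amazon-ssm-agent.deb" ;;
    *) return 1 ;;
  esac
}

install_ssm_agent() {
  local url pkg
  # Idempotent: an agent that is already running is left alone.
  systemctl is-active --quiet amazon-ssm-agent && return 0
  url=$(ssm_pkg_url /etc/os-release "$(uname -m)") || { echo "unsupported OS" >&2; return 1; }
  pkg="/tmp/${url##*/}"
  curl -fsSL -o "$pkg" "$url" || return 1
  case "$pkg" in
    *.rpm) yum install -y "$pkg" ;;
    *.deb) dpkg -i "$pkg" ;;
  esac || return 1
  systemctl enable --now amazon-ssm-agent
}

# Installs only when called with --install, so the file can be sourced safely.
if [ "${1:-}" = "--install" ]; then install_ssm_agent; fi
```

The agent registers with Systems Manager only when the instance profile grants the permissions in AmazonSSMManagedInstanceCore, so this install step and the policy default described above are both needed.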