From 3cb5fe2a1ad6cfe31550ffcdb4e0c1a48c2baf64 Mon Sep 17 00:00:00 2001
From: Ross Buggins
Date: Fri, 17 May 2024 09:40:41 +0100
Subject: [PATCH] Starting on some DNS.
---
 README.md | 25 ++++++++++------
 scripts/terraform/dns/.gitignore | 41 ++++++++++++++++++++++++++
 scripts/terraform/dns/README.md | 1 +
 scripts/terraform/dns/main.tf | 46 ++++++++++++++++++++++++++++++
 scripts/terraform/dns/provider.tf | 3 ++
 scripts/terraform/dns/variables.tf | 9 ++++++
 scripts/terraform/dns/versions.tf | 8 ++++++
 7 files changed, 125 insertions(+), 8 deletions(-)
 create mode 100644 scripts/terraform/dns/.gitignore
 create mode 100644 scripts/terraform/dns/README.md
 create mode 100644 scripts/terraform/dns/main.tf
 create mode 100644 scripts/terraform/dns/provider.tf
 create mode 100644 scripts/terraform/dns/variables.tf
 create mode 100644 scripts/terraform/dns/versions.tf
diff --git a/README.md b/README.md
index 726cea3..fa747d4 100644
--- a/README.md
+++ b/README.md
@@ -1,18 +1,27 @@
 # NHS Notify DNS
-[![CI/CD Pull Request](https://github.com/nhs-england-tools/repository-template/actions/workflows/cicd-1-pull-request.yaml/badge.svg)](https://github.com/nhs-england-tools/repository-template/actions/workflows/cicd-1-pull-request.yaml)
-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=repository-template&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=repository-template)
+NHS Notify DNS Zones.
-Start with an overview or a brief description of what the project is about and what it does. For example -
+Variables:
+- parent domain eg nhsnotify.abc.com
+- EnvType
+- EnvName
+- Destinations:
+ - eg 192.168.1.1
-Welcome to our repository template designed to streamline your project setup! This robust template provides a reliable starting point for your new projects, covering an essential tech stack and encouraging best practices in documenting.
+EG when deployed:
+- parent domain nhsnotify.abc.co,m
+- envType: prod
+- envname: prod1
+- billingDnsZone: 192.168.1.1
-This repository template aims to foster a user-friendly development environment by ensuring that every included file is concise and adequately self-documented. By adhering to this standard, we can promote increased clarity and maintainability throughout your project's lifecycle. Bundled within this template are resources that pave the way for seamless repository creation. Currently supported technologies are:
+DNS record would be:
-- Terraform
-- Docker
+billing.prod1.prod.nhsnotify.abc.com => NS => 192.168.1.1
-Make use of this repository template to expedite your project setup and enhance your productivity right from the get-go. Enjoy the advantage of having a well-structured, self-documented project that reduces overhead and increases focus on what truly matters - coding!
+Format:
+
+[NotifyDomainBoundary].[EnvName].[EnvType].[ParentDomain]
 ## Table of Contents
diff --git a/scripts/terraform/dns/.gitignore b/scripts/terraform/dns/.gitignore
new file mode 100644
index 0000000..c831140
--- /dev/null
+++ b/scripts/terraform/dns/.gitignore
@@ -0,0 +1,41 @@
+# Ignore the lock file as this is just an example
+.terraform.lock.hcl
+# Ignore Terraform plan
+*tfplan*
+
+# SEE: https://github.com/github/gitignore/blob/main/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/scripts/terraform/dns/README.md b/scripts/terraform/dns/README.md
new file mode 100644
index 0000000..1757fcc
--- /dev/null
+++ b/scripts/terraform/dns/README.md
@@ -0,0 +1 @@
+# Notify DNS
diff --git a/scripts/terraform/dns/main.tf b/scripts/terraform/dns/main.tf
new file mode 100644
index 0000000..a4ca5b0
--- /dev/null
+++ b/scripts/terraform/dns/main.tf
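Review bot: The first two lines ignore `.terraform.lock.hcl` "as this is just an example", but the top-level README now describes this directory as the real NHS Notify DNS zone infrastructure, and without a committed lock file every `terraform init` resolves the AWS provider afresh with nothing in version control recording the provider version and checksums that were reviewed. Drop the `.terraform.lock.hcl` entry and its comment so the lock file written by `terraform init` is committed, and regenerate it with `terraform providers lock` for each platform the pipeline runs on. The remainder of the file matches the upstream github/gitignore Terraform template linked on the SEE line and needs no change.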
@@ -0,0 +1,46 @@
+resource "aws_s3_bucket" "terraform_state_store" {
+ bucket = var.terraform_state_bucket_name
+ lifecycle {
+ prevent_destroy = false // FIXME: Normally, this should be 'true' - this is just an example
+ }
+}
+
+resource "aws_s3_bucket_versioning" "enabled" {
+ bucket = aws_s3_bucket.terraform_state_store.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+ bucket = aws_s3_bucket.terraform_state_store.id
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "public_access" {
+ bucket = aws_s3_bucket.terraform_state_store.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_dynamodb_table" "dynamodb_terraform_state_lock" {
+ name = var.terraform_state_table_name
+ billing_mode = "PAY_PER_REQUEST"
+ hash_key = "LockID"
+ attribute {
+ name = "LockID"
+ type = "S"
+ }
+ server_side_encryption {
+ enabled = true
+ }
+ point_in_time_recovery {
+ enabled = true
+ }
+}
diff --git a/scripts/terraform/dns/provider.tf b/scripts/terraform/dns/provider.tf
new file mode 100644
index 0000000..b64be2a
--- /dev/null
+++ b/scripts/terraform/dns/provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+ region = "eu-west-2"
+}
diff --git a/scripts/terraform/dns/variables.tf b/scripts/terraform/dns/variables.tf
new file mode 100644
index 0000000..07f60cb
--- /dev/null
+++ b/scripts/terraform/dns/variables.tf
@@ -0,0 +1,9 @@
+variable "terraform_state_bucket_name" {
+ description = "The S3 bucket name to store Terraform state"
+ default = "repository-template-example-terraform-state-store"
+}
+
+variable "terraform_state_table_name" {
+ description = "The DynamoDB table name to acquire Terraform lock"
+ default = "repository-template-example-terraform-state-lock"
+}
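Review bot: `prevent_destroy = false` on `aws_s3_bucket.terraform_state_store` carries the template's FIXME into what the top-level README presents as real DNS infrastructure; Terraform state can contain sensitive values, and the state bucket is the one resource a stray plan must never be able to delete, so resolve the FIXME now with `prevent_destroy = true` and drop the comment. The versioning, SSE-S3 encryption and public-access block that follow are the right baseline; a bucket policy denying requests where `aws:SecureTransport` is false would complete it, since nothing here rejects plaintext access. Note also that nothing in this file consumes the bucket or table — there is no `backend "s3"` block — so as committed the module only bootstraps state storage and none of the NS records described in the README exist yet; a sentence saying so in `scripts/terraform/dns/README.md` (currently just a heading) would save the next reader the search.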
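Review bot: The provider block fixes `region = "eu-west-2"` but nothing constrains which AWS account it may apply to, and because this stack bootstraps shared state storage, an apply run under the wrong credentials would create the bucket and lock table in the wrong account before anyone noticed. Add `allowed_account_ids = [var.aws_account_id]` with a new `aws_account_id` variable declared without a default, so Terraform refuses to plan against any other account, and consider exposing the region as a variable as well so it is not duplicated once a backend block is added.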
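Review bot: Both variables default to the template's example names, `repository-template-example-terraform-state-store` and `repository-template-example-terraform-state-lock`; S3 bucket names are unique across all AWS accounts, so the bucket default will fail with a name-already-taken error as soon as anyone else has deployed the same template, and a collision on a shared name is also how state ends up written to storage a different party controls. Remove the two `default` lines so the names must be supplied per environment, and add `type = string` to each block so a mistyped value fails at plan time rather than at the API. Deriving the names from the EnvType/EnvName values the README introduces would additionally stop two environments from sharing a single state store.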
diff --git a/scripts/terraform/dns/versions.tf b/scripts/terraform/dns/versions.tf
new file mode 100644
index 0000000..18fd04a
--- /dev/null
+++ b/scripts/terraform/dns/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_version = ">= 1.5.0"
+ required_providers {
+ aws = {
+ version = ">= 5.14.0"
+ }
+ }
+}
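Review bot: The `aws` entry in `required_providers` has no `source` and an open-ended `version = ">= 5.14.0"`; Terraform resolves the missing source to `hashicorp/aws`, but combined with the unbounded constraint and the lock file being ignored in the new .gitignore, every `terraform init` is free to pull any future major release, breaking changes included, with nothing recording which one was used. Prefer `source = "hashicorp/aws"` with a bounded constraint such as `version = "~> 5.14"`, and commit `.terraform.lock.hcl` so the resolved version and its checksums are pinned across runs.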