From 6a6406435dc1fe041ba93fe3e44133228a65a5fe Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Wed, 5 Feb 2025 13:16:11 +0000
Subject: [PATCH] remove dns firewall
---
 terraform/account/region/dns_firewall.tf | 8 --
 .../region/modules/dns_firewall/README.md | 51 -------
 .../modules/dns_firewall/data_sources.tf | 8 --
 .../region/modules/dns_firewall/main.tf | 124 ------------------
 .../region/modules/dns_firewall/variables.tf | 7 -
 .../region/modules/dns_firewall/versions.tf | 13 --
 6 files changed, 211 deletions(-)
 delete mode 100644 terraform/account/region/dns_firewall.tf
 delete mode 100644 terraform/account/region/modules/dns_firewall/README.md
 delete mode 100644 terraform/account/region/modules/dns_firewall/data_sources.tf
 delete mode 100644 terraform/account/region/modules/dns_firewall/main.tf
 delete mode 100644 terraform/account/region/modules/dns_firewall/variables.tf
 delete mode 100644 terraform/account/region/modules/dns_firewall/versions.tf
diff --git a/terraform/account/region/dns_firewall.tf b/terraform/account/region/dns_firewall.tf
deleted file mode 100644
index 38b5185b97..0000000000
--- a/terraform/account/region/dns_firewall.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-module "dns_firewall" {
- source = "./modules/dns_firewall"
- vpc_id = module.network.vpc.id
- cloudwatch_log_group_kms_key_alias = var.cloudwatch_log_group_kms_key_alias
- providers = {
- aws.region = aws.region
- }
-}
diff --git a/terraform/account/region/modules/dns_firewall/README.md b/terraform/account/region/modules/dns_firewall/README.md
deleted file mode 100644
index 80a01ce32c..0000000000
--- a/terraform/account/region/modules/dns_firewall/README.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# DNS Firewall
-
-This module creates a DNS Firewall rule group and rule group associations.
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.5.2 |
-| [aws](#requirement\_aws) | ~> 5.42.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws.region](#provider\_aws.region) | ~> 5.42.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_cloudwatch_log_group.aws_route53_resolver_query_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_cloudwatch_query_definition.dns_firewall_statistics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_query_definition) | resource |
-| [aws_route53_resolver_firewall_domain_list.egress_allow](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_domain_list) | resource |
-| [aws_route53_resolver_firewall_domain_list.egress_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_domain_list) | resource |
-| [aws_route53_resolver_firewall_rule.egress_allow](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule) | resource |
-| [aws_route53_resolver_firewall_rule.egress_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule) | resource |
-| [aws_route53_resolver_firewall_rule_group.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule_group) | resource |
-| [aws_route53_resolver_firewall_rule_group_association.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule_group_association) | resource |
-| [aws_route53_resolver_query_log_config.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config) | resource |
-| [aws_route53_resolver_query_log_config_association.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config_association) | resource |
-| [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_service.services](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [cloudwatch\_log\_group\_kms\_key\_alias](#input\_cloudwatch\_log\_group\_kms\_key\_alias) | n/a | `string` | n/a | yes |
-| [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes |
-
-## Outputs
-
-No outputs.
-
diff --git a/terraform/account/region/modules/dns_firewall/data_sources.tf b/terraform/account/region/modules/dns_firewall/data_sources.tf
deleted file mode 100644
index e907193300..0000000000
--- a/terraform/account/region/modules/dns_firewall/data_sources.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-data "aws_kms_alias" "cloudwatch_application_logs_encryption" {
- name = var.cloudwatch_log_group_kms_key_alias
- provider = aws.region
-}
-
-data "aws_region" "current" {
- provider = aws.region
-}
diff --git a/terraform/account/region/modules/dns_firewall/main.tf b/terraform/account/region/modules/dns_firewall/main.tf
deleted file mode 100644
index f060907584..0000000000
--- a/terraform/account/region/modules/dns_firewall/main.tf
+++ /dev/null
@@ -1,124 +0,0 @@
-resource "aws_cloudwatch_log_group" "aws_route53_resolver_query_log" {
- name = "route53-resolver-query-log"
- retention_in_days = 400
- kms_key_id = data.aws_kms_alias.cloudwatch_application_logs_encryption.target_key_arn
- tags = {
- "Name" = "route53-resolver-query-log"
- }
- provider = aws.region
-}
-
-resource "aws_route53_resolver_query_log_config" "egress" {
- name = "egress"
- destination_arn = aws_cloudwatch_log_group.aws_route53_resolver_query_log.arn
- provider = aws.region
-}
-
-resource "aws_route53_resolver_query_log_config_association" "egress" {
- resolver_query_log_config_id = aws_route53_resolver_query_log_config.egress.id
- resource_id = var.vpc_id
- provider = aws.region
-}
-
-locals {
- service_id = [
- "dynamodb",
- "ecr.api",
- "ecr",
- "events",
- "kms",
- "logs",
- "s3",
- "secretsmanager",
- "xray",
- ]
-}
-
-data "aws_service" "services" {
- for_each = toset(local.service_id)
- region = data.aws_region.current.name
- service_id = each.value
- provider = aws.region
-}
-
-locals {
- aws_service_dns_name = [for service in data.aws_service.services : "${service.dns_name}."]
- interpolated_dns = [
- "311462405659.dkr.ecr.${data.aws_region.current.name}.amazonaws.com.",
- "prod-${data.aws_region.current.name}-starport-layer-bucket.s3.${data.aws_region.current.name}.amazonaws.com.",
- "public-keys.auth.elb.${data.aws_region.current.name}.amazonaws.com.",
- "public.ecr.aws.",
- ]
- endpoints_dns = [
- "api.notifications.service.gov.uk.",
- "api.os.uk.",
- "current.cvd.clamav.net.",
- "database.clamav.net.",
- "development.lpa-uid.api.opg.service.justice.gov.uk.",
- "integration.lpa-uid.api.opg.service.justice.gov.uk.",
- "oidc.integration.account.gov.uk.",
- "publicapi.payments.service.gov.uk.",
- ]
-}
-resource "aws_route53_resolver_firewall_domain_list" "egress_allow" {
- name = "egress_allowed"
- domains = concat(
- local.interpolated_dns,
- local.aws_service_dns_name,
- local.endpoints_dns,
- )
- provider = aws.region
-}
-
-resource "aws_route53_resolver_firewall_domain_list" "egress_block" {
- name = "egress_blocked"
- domains = ["*."]
- provider = aws.region
-}
-
-resource "aws_route53_resolver_firewall_rule_group" "egress" {
- name = "egress"
- provider = aws.region
-}
-
-resource "aws_route53_resolver_firewall_rule" "egress_allow" {
- name = "egress_allowed"
- action = "ALLOW"
- firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.egress_allow.id
- firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.egress.id
- priority = 1
- provider = aws.region
-}
-
-resource "aws_route53_resolver_firewall_rule" "egress_block" {
- name = "egress_blocked"
- action = "ALERT"
- # action = "BLOCK"
- # block_response = "NODATA"
- firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.egress_block.id
- firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.egress.id
- priority = 2
- provider = aws.region
-}
-
-resource "aws_route53_resolver_firewall_rule_group_association" "egress" {
- name = "egress"
- firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.egress.id
- priority = 101
- vpc_id = var.vpc_id
- provider = aws.region
-}
-
-
-resource "aws_cloudwatch_query_definition" "dns_firewall_statistics" {
- name = "DNS Firewall Queries/DNS Firewall Statistics"
-
- log_group_names = [aws_cloudwatch_log_group.aws_route53_resolver_query_log.name]
-
- query_string = <