Merge branch 'feature/6763-create-runbook-for-core-logging-production…

…-account' of https://github.com/ministryofjustice/modernisation-platform into feature/6763-create-runbook-for-core-logging-production-account
ministryofjustice · Sep 20, 2024 · 33b80d3 · 33b80d3
2 parents e7ab52e + 20d96bd
commit 33b80d3
Show file tree

Hide file tree

Showing 11 changed files with 246 additions and 59 deletions.
diff --git a/scripts/internal/get-security-hub-findings/go.mod b/scripts/internal/get-security-hub-findings/go.mod
@@ -4,11 +4,11 @@ go 1.21
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.30.5
-	github.com/aws/aws-sdk-go-v2/config v1.27.34
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.32
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.8
-	github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.4
-	github.com/aws/aws-sdk-go-v2/service/sts v1.30.7
+	github.com/aws/aws-sdk-go-v2/config v1.27.35
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.33
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.9
+	github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.5
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.8
 )
 
 require (
@@ -18,7 +18,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8 // indirect
 	github.com/aws/smithy-go v1.20.4 // indirect
 )
diff --git a/scripts/internal/get-security-hub-findings/go.sum b/scripts/internal/get-security-hub-findings/go.sum
@@ -1,9 +1,9 @@
 github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g=
 github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0=
-github.com/aws/aws-sdk-go-v2/config v1.27.34 h1:5sLceuETg/215nLtY/QIVB2O6cosS0iC/Tx5oyqUhbw=
-github.com/aws/aws-sdk-go-v2/config v1.27.34/go.mod h1:kEqdYzRb8dd8Sy2pOdEbExTTF5v7ozEXX0McgPE7xks=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.32 h1:7Cxhp/BnT2RcGy4VisJ9miUPecY+lyE9I8JvcZofn9I=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.32/go.mod h1:P5/QMF3/DCHbXGEGkdbilXHsyTBX5D3HSwcrSc9p20I=
+github.com/aws/aws-sdk-go-v2/config v1.27.35 h1:jeFgiWYNV0vrgdZqB4kZBjYNdy0IKkwrAjr2fwpHIig=
+github.com/aws/aws-sdk-go-v2/config v1.27.35/go.mod h1:qnpEvTq8ZfjrCqmJGRfWZuF+lGZ/vG8LK2K0L/TY1gQ=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.33 h1:lBHAQQznENv0gLHAZ73ONiTSkCtr8q3pSqWrpbBBZz0=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.33/go.mod h1:MBuqCUOT3ChfLuxNDGyra67eskx7ge9e3YKYBce7wpI=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ=
@@ -16,15 +16,15 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbL
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.8 h1:HNXhQReFG2fbucvPRxDabbIGQf/6dieOfTnzoGPEqXI=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.8/go.mod h1:BYr9P/rrcLNJ8A36nT15p8tpoVDZ5lroHuMn/njecBw=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.4 h1:I6H0CVDrwqQP6CtBsaaLgK/43H6UWgAlPId0zid5oks=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.4/go.mod h1:TccpGcVXrED4xcLhtYFs5qHJEzL8qXCCoQj+TDosCxQ=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 h1:pIaGg+08llrP7Q5aiz9ICWbY8cqhTkyy+0SHvfzQpTc=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.7/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 h1:/Cfdu0XV3mONYKaOt1Gr0k1KvQzkzPyiKUdlWJqy+J4=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA=
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 h1:NKTa1eqZYw8tiHSRGpP0VtTdub/8KNk8sDkNPFaOKDE=
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.7/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.9 h1:croIrE67fpV6wff+0M8jbrJZpKSlrqVGrCnqNU5rtoI=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.9/go.mod h1:BYr9P/rrcLNJ8A36nT15p8tpoVDZ5lroHuMn/njecBw=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.5 h1:ADikN8FSQ7rd6wOfEuIOVK2uAIfpf/xt8S6uBMfbDgY=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.5/go.mod h1:TccpGcVXrED4xcLhtYFs5qHJEzL8qXCCoQj+TDosCxQ=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.8 h1:JRwuL+S1Qe1owZQoxblV7ORgRf2o0SrtzDVIbaVCdQ0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.8/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8 h1:+HpGETD9463PFSj7lX5+eq7aLDs85QUIA+NBkeAsscA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.8 h1:bAi+4p5EKnni+jrfcAhb7iHFQ24bthOAV9t0taf3DCE=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.8/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o=
 github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4=
 github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
diff --git a/scripts/internal/get-testing-ci-user-creds/go.mod b/scripts/internal/get-testing-ci-user-creds/go.mod
@@ -4,10 +4,10 @@ go 1.18
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.30.5
-	github.com/aws/aws-sdk-go-v2/config v1.27.34
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.32
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.8
-	github.com/aws/aws-sdk-go-v2/service/sts v1.30.7
+	github.com/aws/aws-sdk-go-v2/config v1.27.35
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.33
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.9
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.8
 )
 
 require (
@@ -17,7 +17,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8 // indirect
 	github.com/aws/smithy-go v1.20.4 // indirect
 )
diff --git a/scripts/internal/get-testing-ci-user-creds/go.sum b/scripts/internal/get-testing-ci-user-creds/go.sum
@@ -1,9 +1,9 @@
 github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g=
 github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0=
-github.com/aws/aws-sdk-go-v2/config v1.27.34 h1:5sLceuETg/215nLtY/QIVB2O6cosS0iC/Tx5oyqUhbw=
-github.com/aws/aws-sdk-go-v2/config v1.27.34/go.mod h1:kEqdYzRb8dd8Sy2pOdEbExTTF5v7ozEXX0McgPE7xks=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.32 h1:7Cxhp/BnT2RcGy4VisJ9miUPecY+lyE9I8JvcZofn9I=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.32/go.mod h1:P5/QMF3/DCHbXGEGkdbilXHsyTBX5D3HSwcrSc9p20I=
+github.com/aws/aws-sdk-go-v2/config v1.27.35 h1:jeFgiWYNV0vrgdZqB4kZBjYNdy0IKkwrAjr2fwpHIig=
+github.com/aws/aws-sdk-go-v2/config v1.27.35/go.mod h1:qnpEvTq8ZfjrCqmJGRfWZuF+lGZ/vG8LK2K0L/TY1gQ=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.33 h1:lBHAQQznENv0gLHAZ73ONiTSkCtr8q3pSqWrpbBBZz0=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.33/go.mod h1:MBuqCUOT3ChfLuxNDGyra67eskx7ge9e3YKYBce7wpI=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ=
@@ -16,13 +16,13 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbL
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.8 h1:HNXhQReFG2fbucvPRxDabbIGQf/6dieOfTnzoGPEqXI=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.8/go.mod h1:BYr9P/rrcLNJ8A36nT15p8tpoVDZ5lroHuMn/njecBw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 h1:pIaGg+08llrP7Q5aiz9ICWbY8cqhTkyy+0SHvfzQpTc=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.7/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 h1:/Cfdu0XV3mONYKaOt1Gr0k1KvQzkzPyiKUdlWJqy+J4=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA=
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 h1:NKTa1eqZYw8tiHSRGpP0VtTdub/8KNk8sDkNPFaOKDE=
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.7/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.9 h1:croIrE67fpV6wff+0M8jbrJZpKSlrqVGrCnqNU5rtoI=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.9/go.mod h1:BYr9P/rrcLNJ8A36nT15p8tpoVDZ5lroHuMn/njecBw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.8 h1:JRwuL+S1Qe1owZQoxblV7ORgRf2o0SrtzDVIbaVCdQ0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.8/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8 h1:+HpGETD9463PFSj7lX5+eq7aLDs85QUIA+NBkeAsscA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.8 h1:bAi+4p5EKnni+jrfcAhb7iHFQ24bthOAV9t0taf3DCE=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.8/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o=
 github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4=
 github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
diff --git a/source/index.html.md.erb b/source/index.html.md.erb
@@ -111,7 +111,6 @@ This documentation is for anyone interested in the Modernisation Platform and it
 - [Backup and Restore of Terraform Statefile & EC2](runbooks/backup-restore-process.html)
 - [Changing environment (AWS account) details](runbooks/changing-environment-details.html)
 - [CloudWatch networking alarms](runbooks/cloudwatch-networking-alarms.html)
-- [Core Shared Services Account Setup](runbooks/core-shared-services-production.html)
 - [Creating Automated Terraform Documentation](user-guide/creating-automated-terraform-documentation.html)
 - [Creating new DNS zones](runbooks/creating-new-dns-zones.html)
 - [Creating new Private DNS zones](runbooks/creating-new-private-dns-zones.html)
@@ -135,6 +134,8 @@ This documentation is for anyone interested in the Modernisation Platform and it
 - [Querying CloudTrail logs with Athena](runbooks/using-athena.html)
 - [Querying VPC flow logs](runbooks/querying-vpc-flow-logs.html)
 - [Recreating the core-logging-production account](runbooks/recreate-core-logging-production-account.html)
+- [Recreating the core-shared-services account](runbooks/recreate-core-shared-services-production.html)
+- [Recreating the modernisation-platform account](runbooks/recreate-modernisation-platform-account.html)
 - [Removing a team member from the Modernisation Platform](runbooks/removing-a-team-member.html)
 - [Reviewing Dependabot PRs](runbooks/reviewing-dependabot-prs.html)
 - [Reviewing MP Environments PRs](runbooks/reviewing-mp-environments-prs.html)

diff --git a/...re-shared-services-production.html.md.erb → ...re-shared-services-production.html.md.erb b/...re-shared-services-production.html.md.erb → ...re-shared-services-production.html.md.erb
@@ -1,7 +1,7 @@
 ---
 owner_slack: "#modernisation-platform"
 title: Core Shared Services Account Setup
-last_reviewed_on: 2024-07-29
+last_reviewed_on: 2024-09-19
 review_in: 6 months
 ---
 
@@ -52,7 +52,6 @@ Alternatively, this can be done as manual deployment:
 - Inform our members that the account has been recreated
 - Liaise with owning teams to validate any rebuilds
 
-
 ## References
 
 * [Accessing the AWS Console](https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/accessing-the-aws-console.html)

diff --git a/source/runbooks/recreate-modernisation-platform-account.html.md.erb b/source/runbooks/recreate-modernisation-platform-account.html.md.erb
@@ -0,0 +1,64 @@
+---
+owner_slack: "#modernisation-platform"
+title: Modernisation Platform Account Setup
+last_reviewed_on: 2024-09-19
+review_in: 6 months
+---
+
+<!-- Google tag (gtag.js) -->
+<script async src="https://www.googletagmanager.com/gtag/js?id=G-NXTCMQ7ZX6"></script>
+<script>
+  window.dataLayer = window.dataLayer || [];
+  function gtag(){dataLayer.push(arguments);}
+  gtag('js', new Date());
+  gtag('config', 'G-NXTCMQ7ZX6');
+</script>
+
+# <%= current_page.data.title %>
+
+## Overview
+
+The `Modernisation Platform` AWS account hosts resources used by other Modernisation Platform accounts.
+
+| Resource        | Description                                                                                                   |
+|-----------------|---------------------------------------------------------------------------------------------------------------|
+| S3              | Stores Terraform state files for Modernisation Platform accounts, account-local AWS Config info, cost reports |
+| DynamoDB        | Holds state locking table for Terraform                                                                       |
+| Secrets Manager | Stores values used by Modernisation Platform accounts                                                         |
+| IAM             | Contains accounts for external collaborators                                                                  |
+| KMS             | Encryption keys, some account local, but one used to secure PagerDuty secrets                                 |
+
+## Steps
+## 1. Account Creation 
+
+Configuration to create the `Modernisation Platform` account is stored in code in the [aws-root-account](https://github.com/ministryofjustice/aws-root-account/blob/main/management-account/terraform/organizations-accounts-platforms-and-architecture-modernisation-platform.tf) repository.
+
+To recreate the `Modernisation Platform` account, a person with appropriate access can run GitHub actions in [aws-root-account](https://github.com/ministryofjustice/aws-root-account/actions) repository.
+
+## 2. Deploy Modernisation Platform Resources
+
+Configuration of resources in the `Modernisation Platform` account is stored in code in [modernisation-platform](https://github.com/ministryofjustice/modernisation-platform/tree/main/terraform/modernisation-platform-account) repository.
+
+To recreate these resources you can run the [Terraform: modernisation-platform-account](https://github.com/ministryofjustice/modernisation-platform/actions/workflows/modernisation-platform-account.yml) action in GitHub.
+
+Alternatively, this can be done as manual deployment: 
+- Navigate to the `modernisation-platfom` repository and access the `terraform/modernisation-platform-account` directory
+- Run `terraform plan` in the default workspace
+- Using admin credentials, execute `terraform apply`
+
+## 3. Verify Resources
+
+- Log into the AWS Console for the `Modernisation Platform` account.
+- Verify that resources have been correctly configured.
+- Confirm that Modernisation Platform member accounts can retrieve information such as AWS Secrets Manager secret values.
+
+## 4. Notify customers
+
+- Inform Modernisation Platform team of rebuild process
+- Inform customers that account has been recreated
+- Work with customers to import cached Terraform statefile objects into S3
+
+## References
+
+* [Accessing the AWS Console](https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/accessing-the-aws-console.html)
+* [Disaster Recovery Process](https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/dr-process.html)
diff --git a/terraform/environments/cooker/s3.tf b/terraform/environments/cooker/s3.tf
@@ -1,6 +1,6 @@
 module "s3-bucket" {
   # checkov:skip=CKV_TF_1:
-  source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0"
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.2.0"
 
   bucket_prefix      = "s3-security-testing-bucket"
   versioning_enabled = true

diff --git a/terraform/environments/core-network-services/data.tf b/terraform/environments/core-network-services/data.tf
@@ -20,4 +20,44 @@ data "aws_route" "live_data" {
 
 data "aws_kms_key" "general_shared" {
   key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/general-platforms"
+}
+
+# Data source to fetch information about the live VPC
+data "aws_vpc" "live" {
+  filter {
+    name   = "tag:Name"
+    values = ["live_data"]
+  }
+}
+
+# Data source to fetch information about the non-live VPC
+data "aws_vpc" "non_live" {
+  filter {
+    name   = "tag:Name"
+    values = ["non_live_data"]
+  }
+}
+
+# Data source to fetch existing NAT gateways in the live VPC
+data "aws_nat_gateways" "live" {
+  vpc_id = data.aws_vpc.live.id
+
+  filter {
+    name   = "state"
+    values = ["available"]
+  }
+}
+
+# Data source to fetch existing NAT gateways in the non-live VPC
+data "aws_nat_gateways" "non_live" {
+  vpc_id = data.aws_vpc.non_live.id
+
+  filter {
+    name   = "state"
+    values = ["available"]
+  }
+}
+
+data "aws_sns_topic" "security_hub_arn" {
+  name = "securityhub-alarms"
 }
diff --git a/terraform/environments/core-network-services/monitoring.tf b/terraform/environments/core-network-services/monitoring.tf
@@ -186,3 +186,86 @@ module "pagerduty_networking_general" {
   sns_topics                = [aws_sns_topic.networking_general.name]
   pagerduty_integration_key = local.pagerduty_integration_keys["networking_cloudwatch"]
 }
+
+# Create map of NAT gateway IDs
+locals {
+  nat_gateway_ids = {
+    live     = data.aws_nat_gateways.live.ids
+    non_live = data.aws_nat_gateways.non_live.ids
+  }
+
+  # Flatten the map for easier iteration
+  all_nat_gateways = flatten([
+    for env, ids in local.nat_gateway_ids : [
+      for id in ids : {
+        env = env
+        id  = id
+      }
+    ]
+  ])
+}
+
+# Create CloudWatch alarms for each NAT gateway's packet drop count
+resource "aws_cloudwatch_metric_alarm" "nat_packets_drop_count" {
+  for_each = { for nat in local.all_nat_gateways : "${nat.env}_${nat.id}" => nat }
+
+  alarm_name          = "nat_packets_drop_count_${each.key}"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 5
+  threshold           = 100 # Adjust this threshold as needed
+  alarm_description   = "NAT Gateway ${each.value.id} in ${each.value.env} environment is dropping packets. This might indicate an issue with the NAT Gateway."
+
+  metric_query {
+    id          = "e1"
+    expression  = "m1"
+    label       = "Dropped Packets"
+    return_data = "true"
+  }
+
+  metric_query {
+    id = "m1"
+    metric {
+      metric_name = "PacketsDropCount"
+      namespace   = "AWS/NATGateway"
+      period      = 60
+      stat        = "Sum"
+      dimensions = {
+        NatGatewayId = each.value.id
+      }
+    }
+  }
+
+  alarm_actions = [data.aws_sns_topic.security_hub_arn.arn]
+  tags          = local.tags
+}
+
+# CloudTrail log metric filter for NAT Gateway port allocation errors
+resource "aws_cloudwatch_log_metric_filter" "NATGatewayErrorPortAllocation" {
+  name           = "nat_gateway_error_port_allocation_filter"
+  pattern        = "{ $.eventSource = \"ec2.amazonaws.com\" && $.eventName = \"CreateNatGateway\" && $.errorCode = \"*\" && $.errorMessage = \"*Port Allocation*\" }"
+  log_group_name = "cloudtrail"
+
+  metric_transformation {
+    name      = "ErrorPortAllocation"
+    namespace = "NAT/Gateway"
+    value     = "1"
+  }
+}
+
+# CloudWatch alarm for NAT Gateway port allocation errors
+resource "aws_cloudwatch_metric_alarm" "ErrorPortAllocation" {
+  alarm_name        = "nat_gateway_error_port_allocation"
+  alarm_description = "This alarm detects when the NAT Gateway is unable to allocate ports to new connections."
+  alarm_actions     = [data.aws_sns_topic.security_hub_arn.arn]
+
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = "1"
+  metric_name         = "ErrorPortAllocation"
+  namespace           = "NAT/Gateway"
+  period              = "300"
+  statistic           = "Sum"
+  threshold           = "0"
+  treat_missing_data  = "notBreaching"
+
+  tags = local.tags
+}