From ba66f2401589a9e053ad597222c4874cd26649e1 Mon Sep 17 00:00:00 2001 From: Caleb VanGerpen Date: Wed, 29 Jan 2025 13:32:45 -0600 Subject: [PATCH 1/2] Create single CloudWatch log role for API Gateways API Gateway's CloudWatch logging role is account- and region-specific. This moves that role's creation to a single place rather than in both the cirrus and stac-server module as that leads to constant state drift. --- .../api_gateway_account.tf | 57 ++++++++++++++++++ .../base_infra/api_gateway_account/data.tf | 1 + .../base_infra/api_gateway_account/inputs.tf | 9 +++ .../api_gateway_account/providers.tf | 9 +++ modules/cirrus/builtin-functions/api.tf | 58 ------------------- modules/stac-server/api.tf | 8 --- modules/stac-server/iam.tf | 50 ---------------- profiles/base/main.tf | 12 ++++ 8 files changed, 88 insertions(+), 116 deletions(-) create mode 100644 modules/base_infra/api_gateway_account/api_gateway_account.tf create mode 100644 modules/base_infra/api_gateway_account/data.tf create mode 100644 modules/base_infra/api_gateway_account/inputs.tf create mode 100644 modules/base_infra/api_gateway_account/providers.tf diff --git a/modules/base_infra/api_gateway_account/api_gateway_account.tf b/modules/base_infra/api_gateway_account/api_gateway_account.tf new file mode 100644 index 00000000..040ad4e0 --- /dev/null +++ b/modules/base_infra/api_gateway_account/api_gateway_account.tf 
@@ -0,0 +1,57 @@
+locals {
+ name_prefix = "fd-${var.project_name}-${var.environment}"
+}
+
+
+resource "aws_iam_role" "shared_api_gw_logging_role" {
+ name_prefix = "${local.name_prefix}-${data.aws_region.current.name}-apigw-"
+
+ assume_role_policy = <<-JSON_POLICY_STRING
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": "apigateway.amazonaws.com"
+ },
+ "Effect": "Allow"
+ }
+ ]
+ }
+ JSON_POLICY_STRING
+}
+
+resource "aws_iam_policy" "shared_api_gw_logging_role" {
+ name_prefix = "${local.name_prefix}-${data.aws_region.current.name}-apigw-log-policy-"
+
+ policy = <<-JSON_POLICY_STRING
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:DescribeLogGroups",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
+ "logs:GetLogEvents",
+ "logs:FilterLogEvents"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ }
+ ]
+ }
+ JSON_POLICY_STRING
+}
+
+resource "aws_iam_role_policy_attachment" "shared_api_gw_logging_role" {
+ role = aws_iam_role.shared_api_gw_logging_role.name
+ policy_arn = aws_iam_policy.shared_api_gw_logging_role.arn
+}
+
+resource "aws_api_gateway_account" "shared_api_gw_logging_role" {
+ cloudwatch_role_arn = aws_iam_role.shared_api_gw_logging_role.arn
+}
diff --git a/modules/base_infra/api_gateway_account/data.tf b/modules/base_infra/api_gateway_account/data.tf
new file mode 100644
index 00000000..2502393b
--- /dev/null
+++ b/modules/base_infra/api_gateway_account/data.tf
@@ -0,0 +1 @@
+data "aws_region" "current" {}
diff --git a/modules/base_infra/api_gateway_account/inputs.tf b/modules/base_infra/api_gateway_account/inputs.tf
new file mode 100644
index 00000000..2fe46a0c
--- /dev/null
+++ b/modules/base_infra/api_gateway_account/inputs.tf
@@ -0,0 +1,9 @@
+variable "project_name" {
+ description = "Project Name"
+ type = string
+}
+
+variable "environment" {
+ description = "Project environment"
+ type = string
+}
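Review bot: The `assume_role_policy` of `aws_iam_role.shared_api_gw_logging_role` trusts `apigateway.amazonaws.com` with no condition, and since this is now the single account-level role handed to `aws_api_gateway_account`, it should carry the confused-deputy guard AWS documents for this principal, a `Condition` with `"StringEquals": {"aws:SourceAccount": "${data.aws_caller_identity.current.account_id}"}` (data.tf would then need a `data "aws_caller_identity" "current" {}` next to the region data source). The inline policy grants the same seven `logs:` actions on `"Resource": "*"` as the AWS-managed `AmazonAPIGatewayPushToCloudWatchLogs` policy, so attaching that managed ARN would drop the hand-maintained JSON; if the inline form is kept, a `data "aws_iam_policy_document"` block is the idiomatic way to build and validate it. `aws_api_gateway_account` references only the role ARN, so nothing orders it after the `aws_iam_role_policy_attachment`; I believe the service checks the role's permissions when the account setting is written, so a `depends_on` on the attachment avoids an intermittent failure on first apply. Below are the trust statement and the account resource as I would write them.
```hcl
resource "aws_iam_role" "shared_api_gw_logging_role" {
  # … unchanged: name_prefix …
  assume_role_policy = <<-JSON_POLICY_STRING
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "apigateway.amazonaws.com"
        },
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": "${data.aws_caller_identity.current.account_id}"
          }
        }
      }
    ]
  }
  JSON_POLICY_STRING
}

# … unchanged: aws_iam_policy and aws_iam_role_policy_attachment …

resource "aws_api_gateway_account" "shared_api_gw_logging_role" {
  cloudwatch_role_arn = aws_iam_role.shared_api_gw_logging_role.arn

  # Order after the attachment so the role already has its log permissions
  # when the account-level setting is written.
  depends_on = [aws_iam_role_policy_attachment.shared_api_gw_logging_role]
}
```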
diff --git a/modules/base_infra/api_gateway_account/providers.tf b/modules/base_infra/api_gateway_account/providers.tf new file mode 100644 index 00000000..d782dd6d --- /dev/null +++ b/modules/base_infra/api_gateway_account/providers.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.6.6, < 1.8.0" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.22" + } + } +} diff --git a/modules/cirrus/builtin-functions/api.tf b/modules/cirrus/builtin-functions/api.tf index 34b42df5..631d66ce 100644 --- a/modules/cirrus/builtin-functions/api.tf +++ b/modules/cirrus/builtin-functions/api.tf @@ -290,10 +290,6 @@ aws apigateway update-stage --rest-api-id ${aws_api_gateway_deployment.cirrus_ap EOF } - - depends_on = [ - aws_api_gateway_account.cirrus_api_gateway_cw_role - ] } resource "aws_lambda_permission" "cirrus_api_gateway_lambda_permission_root_resource" { @@ -314,60 +310,6 @@ resource "aws_lambda_permission" "cirrus_api_gateway_lambda_permission_proxy_res source_arn = "arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.cirrus_api_gateway.id}/*/*${aws_api_gateway_resource.cirrus_api_gateway_proxy_resource.path}" } -resource "aws_api_gateway_account" "cirrus_api_gateway_cw_role" { - cloudwatch_role_arn = aws_iam_role.cirrus_api_gw_role.arn -} - -resource "aws_iam_role" "cirrus_api_gw_role" { - name_prefix = "${var.cirrus_prefix}-${data.aws_region.current.name}" - - assume_role_policy = < Date: Wed, 29 Jan 2025 14:00:58 -0600 Subject: [PATCH 2/2] Updated changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d42c3af0..0944d59b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. - Pushing messages to the Cirrus `publish` SNS topic - Creating objects in the Cirrus `payload` S3 bucket - Fixed Cirrus workflow state machine permissions to allow creating state transition events +- Fixed constant state drift caused by multiple `aws_api_gateway_account` resources (one in `stac-server`, one in `cirrus`) ### Removed