From e58f89359fa5bd479031186cdc589d520ce92ddb Mon Sep 17 00:00:00 2001 
From: aidenvaines-bjss Date: Tue, 23 Jul 2024 09:21:50 +0100 Subject: [PATCH] Bootstrap is in internal repo --- .../terraform/bootstrap/.terraform-version | 1 - .../data_iam_policy_document_bucket.tf | 68 ------------------- .../data_iam_policy_document_kms_key_s3.tf | 46 ------------- .../terraform/bootstrap/dynamodb_table.tf | 26 ------- .../terraform/bootstrap/kms_key_s3.tf | 16 ----- infrastructure/terraform/bootstrap/locals.tf | 13 ---- infrastructure/terraform/bootstrap/outputs.tf | 23 ------- .../terraform/bootstrap/provider_aws.tf | 12 ---- .../terraform/bootstrap/s3_bucket.tf | 14 ---- .../s3_bucket_lifecycle_configuration.tf | 26 ------- .../bootstrap/s3_bucket_ownership_controls.tf | 7 -- .../terraform/bootstrap/s3_bucket_policy.tf | 8 --- .../s3_bucket_public_access_block.tf | 8 --- ...et_server_side_encryption_configuration.tf | 12 ---- .../bootstrap/s3_bucket_versioning.tf | 7 -- .../terraform/bootstrap/variables.tf | 37 ---------- .../terraform/bootstrap/versions.tf | 10 --- 17 files changed, 334 deletions(-) delete mode 100644 infrastructure/terraform/bootstrap/.terraform-version delete mode 100644 infrastructure/terraform/bootstrap/data_iam_policy_document_bucket.tf delete mode 100644 infrastructure/terraform/bootstrap/data_iam_policy_document_kms_key_s3.tf delete mode 100644 infrastructure/terraform/bootstrap/dynamodb_table.tf delete mode 100644 infrastructure/terraform/bootstrap/kms_key_s3.tf delete mode 100644 infrastructure/terraform/bootstrap/locals.tf delete mode 100644 infrastructure/terraform/bootstrap/outputs.tf delete mode 100644 infrastructure/terraform/bootstrap/provider_aws.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_lifecycle_configuration.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_ownership_controls.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_policy.tf delete mode 100644 
infrastructure/terraform/bootstrap/s3_bucket_public_access_block.tf
delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_server_side_encryption_configuration.tf
delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_versioning.tf
delete mode 100644 infrastructure/terraform/bootstrap/variables.tf
delete mode 100644 infrastructure/terraform/bootstrap/versions.tf
diff --git a/infrastructure/terraform/bootstrap/.terraform-version b/infrastructure/terraform/bootstrap/.terraform-version
deleted file mode 100644
index 80e78df..0000000
--- a/infrastructure/terraform/bootstrap/.terraform-version
+++ /dev/null
@@ -1 +0,0 @@
-1.3.5
diff --git a/infrastructure/terraform/bootstrap/data_iam_policy_document_bucket.tf b/infrastructure/terraform/bootstrap/data_iam_policy_document_bucket.tf
deleted file mode 100644
index dd231f5..0000000
--- a/infrastructure/terraform/bootstrap/data_iam_policy_document_bucket.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-data "aws_iam_policy_document" "bucket" {
- statement {
- sid = "DontAllowNonSecureConnection"
- effect = "Deny"
-
- actions = [
- "s3:*",
- ]
-
- resources = [
- aws_s3_bucket.bucket.arn,
- "${aws_s3_bucket.bucket.arn}/*",
- ]
-
- principals {
- type = "AWS"
-
- identifiers = [
- "*",
- ]
- }
-
- condition {
- test = "Bool"
- variable = "aws:SecureTransport"
-
- values = [
- "false",
- ]
- }
- }
-
- statement {
- sid = "AllowManagedAccountsToList"
- effect = "Allow"
-
- actions = [
- "s3:ListBucket",
- ]
-
- resources = [
- aws_s3_bucket.bucket.arn,
- ]
-
- principals {
- type = "AWS"
- identifiers = local.ro_principals
- }
- }
-
- statement {
- sid = "AllowManagedAccountsToGet"
- effect = "Allow"
-
- actions = [
- "s3:GetObject",
- ]
-
- resources = [
- "${aws_s3_bucket.bucket.arn}/*",
- ]
-
- principals {
- type = "AWS"
- identifiers = local.ro_principals
- }
- }
-}
diff --git a/infrastructure/terraform/bootstrap/data_iam_policy_document_kms_key_s3.tf b/infrastructure/terraform/bootstrap/data_iam_policy_document_kms_key_s3.tf
deleted file mode 100644
index 9741a08..0000000
--- a/infrastructure/terraform/bootstrap/data_iam_policy_document_kms_key_s3.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-data "aws_iam_policy_document" "kms_key_s3" {
- statement {
- sid = "AllowLocalIAMAdministration"
- effect = "Allow"
-
- actions = [
- "*",
- ]
-
- resources = [
- "*",
- ]
-
- principals {
- type = "AWS"
- identifiers = [
- "arn:aws:iam::${var.aws_account_id}:root",
- ]
- }
- }
-
- statement {
- sid = "AllowManagedAccountsToUse"
- effect = "Allow"
-
- actions = [
- "kms:Decrypt",
- "kms:DescribeKey",
- "kms:Encrypt",
- "kms:GenerateDataKey",
- "kms:GenerateDataKeyPair",
- "kms:GenerateDataKeyPairWithoutPlaintext",
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:ReEncrypt",
- ]
-
- resources = [
- "*",
- ]
-
- principals {
- type = "AWS"
- identifiers = local.ro_principals
- }
- }
-}
diff --git a/infrastructure/terraform/bootstrap/dynamodb_table.tf b/infrastructure/terraform/bootstrap/dynamodb_table.tf
deleted file mode 100644
index a5510f8..0000000
--- a/infrastructure/terraform/bootstrap/dynamodb_table.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-resource "aws_dynamodb_table" "tfscaffold" {
- name = var.bucket_name
- hash_key = "LockID"
- billing_mode = "PAY_PER_REQUEST"
-
- attribute {
- name = "LockID"
- type = "S"
- }
-
- point_in_time_recovery {
- enabled = true
- }
-
- server_side_encryption {
- enabled = true
- kms_key_arn = aws_kms_key.s3.arn
- }
-
- tags = merge(
- local.default_tags,
- {
- Name = var.bucket_name
- },
- )
-}
diff --git a/infrastructure/terraform/bootstrap/kms_key_s3.tf b/infrastructure/terraform/bootstrap/kms_key_s3.tf
deleted file mode 100644
index d8a9ff4..0000000
--- a/infrastructure/terraform/bootstrap/kms_key_s3.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "aws_kms_key" "s3" {
- description = "tfscaffold Bootstrap S3 Bucket"
- deletion_window_in_days = 10
- enable_key_rotation = true
-
- policy = data.aws_iam_policy_document.kms_key_s3.json
-
- # This does not use default tag map merging because bootstrapping is special
- # You should use default tag map merging elsewhere
- tags = merge(
- local.default_tags,
- {
- Name = "tfscaffold Bootstrap S3 Bucket"
- }
- )
-}
diff --git a/infrastructure/terraform/bootstrap/locals.tf b/infrastructure/terraform/bootstrap/locals.tf
deleted file mode 100644
index 1449f88..0000000
--- a/infrastructure/terraform/bootstrap/locals.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-locals {
- ro_principals = compact(distinct(flatten([
- var.tfscaffold_ro_principals,
- "arn:aws:iam::${var.aws_account_id}:root",
- ])))
-
- default_tags = {
- "tfscaffold:Environment" = var.environment
- "tfscaffold:Project" = var.project
- "tfscaffold:Component" = var.component
- "tfscaffold:Account" = var.aws_account_id
- }
-}
diff --git a/infrastructure/terraform/bootstrap/outputs.tf b/infrastructure/terraform/bootstrap/outputs.tf
deleted file mode 100644
index 05b4902..0000000
--- a/infrastructure/terraform/bootstrap/outputs.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-output "bucket_name" {
- value = aws_s3_bucket.bucket.id
-}
-
-output "bucket_policy" {
- value = data.aws_iam_policy_document.bucket.json
-}
-
-output "bucket_arn" {
- value = aws_s3_bucket.bucket.arn
-}
-
-output "kms_key_arn" {
- value = aws_kms_key.s3.arn
-}
-
-output "kms_key_id" {
- value = aws_kms_key.s3.id
-}
-
-output "kms_key_policy" {
- value = data.aws_iam_policy_document.kms_key_s3.json
-}
diff --git a/infrastructure/terraform/bootstrap/provider_aws.tf b/infrastructure/terraform/bootstrap/provider_aws.tf
deleted file mode 100644
index 02a8858..0000000
--- a/infrastructure/terraform/bootstrap/provider_aws.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-# The default AWS provider in the default region
-provider "aws" {
- region = var.region
-
- # For no reason other than redundant safety
- # we only allow the use of the AWS Account
- # specified in the environment variables.
- # This helps to prevent accidents.
- allowed_account_ids = [
- var.aws_account_id,
- ]
-}
diff --git a/infrastructure/terraform/bootstrap/s3_bucket.tf b/infrastructure/terraform/bootstrap/s3_bucket.tf
deleted file mode 100644
index 5d5e092..0000000
--- a/infrastructure/terraform/bootstrap/s3_bucket.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-resource "aws_s3_bucket" "bucket" {
- bucket = var.bucket_name
-
- force_destroy = false
-
- # This does not use default tag map merging because bootstrapping is special
- # You should use default tag map merging elsewhere
- tags = merge(
- local.default_tags,
- {
- Name = "Terraform Scaffold State File Bucket for account ${var.aws_account_id} in region ${var.region}"
- }
- )
-}
diff --git a/infrastructure/terraform/bootstrap/s3_bucket_lifecycle_configuration.tf b/infrastructure/terraform/bootstrap/s3_bucket_lifecycle_configuration.tf
deleted file mode 100644
index 4e173b6..0000000
--- a/infrastructure/terraform/bootstrap/s3_bucket_lifecycle_configuration.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-resource "aws_s3_bucket_lifecycle_configuration" "bucket" {
- bucket = aws_s3_bucket.bucket.id
-
- rule {
- id = "bootstrap"
- status = "Enabled"
-
- filter {
- prefix = ""
- }
-
- noncurrent_version_transition {
- noncurrent_days = "30"
- storage_class = "STANDARD_IA"
- }
-
- noncurrent_version_transition {
- noncurrent_days = "60"
- storage_class = "GLACIER"
- }
-
- noncurrent_version_expiration {
- noncurrent_days = "90"
- }
- }
-}
diff --git a/infrastructure/terraform/bootstrap/s3_bucket_ownership_controls.tf b/infrastructure/terraform/bootstrap/s3_bucket_ownership_controls.tf
deleted file mode 100644
index fc4a359..0000000
--- a/infrastructure/terraform/bootstrap/s3_bucket_ownership_controls.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-resource "aws_s3_bucket_ownership_controls" "bucket" {
- bucket = aws_s3_bucket.bucket.id
-
- rule {
- object_ownership = "BucketOwnerEnforced"
- }
-}
diff --git a/infrastructure/terraform/bootstrap/s3_bucket_policy.tf b/infrastructure/terraform/bootstrap/s3_bucket_policy.tf
deleted file mode 100644
index d12922a..0000000
--- a/infrastructure/terraform/bootstrap/s3_bucket_policy.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-resource "aws_s3_bucket_policy" "bucket" {
- bucket = aws_s3_bucket.bucket.id
- policy = data.aws_iam_policy_document.bucket.json
-
- depends_on = [
- aws_s3_bucket_public_access_block.bucket,
- ]
-}
diff --git a/infrastructure/terraform/bootstrap/s3_bucket_public_access_block.tf b/infrastructure/terraform/bootstrap/s3_bucket_public_access_block.tf
deleted file mode 100644
index d134b31..0000000
--- a/infrastructure/terraform/bootstrap/s3_bucket_public_access_block.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-resource "aws_s3_bucket_public_access_block" "bucket" {
- bucket = aws_s3_bucket.bucket.id
-
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
diff --git a/infrastructure/terraform/bootstrap/s3_bucket_server_side_encryption_configuration.tf b/infrastructure/terraform/bootstrap/s3_bucket_server_side_encryption_configuration.tf
deleted file mode 100644
index 5733d98..0000000
--- a/infrastructure/terraform/bootstrap/s3_bucket_server_side_encryption_configuration.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
- bucket = aws_s3_bucket.bucket.id
-
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.s3.arn
- sse_algorithm = "aws:kms"
- }
-
- bucket_key_enabled = true
- }
-}
diff --git a/infrastructure/terraform/bootstrap/s3_bucket_versioning.tf b/infrastructure/terraform/bootstrap/s3_bucket_versioning.tf
deleted file mode 100644
index 80c1ab9..0000000
--- a/infrastructure/terraform/bootstrap/s3_bucket_versioning.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-resource "aws_s3_bucket_versioning" "bucket" {
- bucket = aws_s3_bucket.bucket.id
-
- versioning_configuration {
- status = "Enabled"
- }
-}
diff --git a/infrastructure/terraform/bootstrap/variables.tf b/infrastructure/terraform/bootstrap/variables.tf
deleted file mode 100644
index d7b1f44..0000000
--- a/infrastructure/terraform/bootstrap/variables.tf
+++ /dev/null
@@ -1,37 +0,0 @@
-variable "project" {
- type = string
- description = "The name of the Project we are bootstrapping tfscaffold for"
-}
-
-variable "aws_account_id" {
- type = string
- description = "The AWS Account ID into which we are bootstrapping tfscaffold"
-}
-
-variable "region" {
- type = string
- description = "The AWS Region into which we are bootstrapping tfscaffold"
-}
-
-variable "environment" {
- type = string
- description = "The name of the environment for the bootstrapping process; which is always bootstrap"
- default = "bootstrap"
-}
-
-variable "component" {
- type = string
- description = "The name of the component for the bootstrapping process; which is always bootstrap"
- default = "bootstrap"
-}
-
-variable "bucket_name" {
- type = string
- description = "The name to use for the tfscaffold bucket. This should be provided from tfscaffold shell, not environment or group tfvars"
-}
-
-variable "tfscaffold_ro_principals" {
- type = list(string)
- description = "A list of Principals permitted to ListBucket and GetObject for Remote State purposes. Normally the root principal of the account"
- default = []
-}
diff --git a/infrastructure/terraform/bootstrap/versions.tf b/infrastructure/terraform/bootstrap/versions.tf
deleted file mode 100644
index 87dc6a9..0000000
--- a/infrastructure/terraform/bootstrap/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 4.61.0"
- }
- }
-
- required_version = ">= 0.14.7"
-}