From f78188cfbd215177ce693bddddda1795403daf07 Mon Sep 17 00:00:00 2001 
From: aidenvaines-bjss Date: Fri, 30 Aug 2024 09:29:12 +0100 Subject: [PATCH 1/3] CCM-6104 consolidating repo changes for AMET structure back to template --- .tool-versions | 11 ++- infrastructure/environments/dev/.gitkeep | 0 infrastructure/terraform/bin/terraform.sh | 19 +++--- .../terraform/bootstrap/.terraform-version | 1 - .../data_iam_policy_document_bucket.tf | 68 ------------------- .../data_iam_policy_document_kms_key_s3.tf | 46 ------------- .../terraform/bootstrap/dynamodb_table.tf | 26 ------- .../terraform/bootstrap/kms_key_s3.tf | 16 ----- infrastructure/terraform/bootstrap/locals.tf | 13 ---- infrastructure/terraform/bootstrap/outputs.tf | 23 ------- .../terraform/bootstrap/provider_aws.tf | 12 ---- .../terraform/bootstrap/s3_bucket.tf | 14 ---- .../s3_bucket_lifecycle_configuration.tf | 26 ------- .../bootstrap/s3_bucket_ownership_controls.tf | 7 -- .../terraform/bootstrap/s3_bucket_policy.tf | 8 --- .../s3_bucket_public_access_block.tf | 8 --- ...et_server_side_encryption_configuration.tf | 12 ---- .../bootstrap/s3_bucket_versioning.tf | 7 -- .../terraform/bootstrap/variables.tf | 37 ---------- .../terraform/bootstrap/versions.tf | 10 --- .../components/acct/.terraform-version | 1 - .../terraform/components/acct/.tool-versions | 1 + .../terraform/components/acct/README | 5 -- .../cloudwatch_log_group_route53_query_log.tf | 37 ++++++++++ .../components/acct/locals_tfscaffold.tf | 11 ++- .../terraform/components/acct/outputs.tf | 24 ++----- .../terraform/components/acct/provider_aws.tf | 22 +++--- .../components/acct/route53_delegation_set.tf | 3 + .../acct/route53_delegation_set_main.tf | 3 - .../components/acct/route53_query_log.tf | 9 +++ .../terraform/components/acct/route53_zone.tf | 5 ++ .../components/acct/route53_zone_subdomain.tf | 7 -- .../terraform/components/acct/variables.tf | 20 +++--- .../terraform/components/acct/versions.tf | 2 +- .../examplecomponent/.tool-versions | 1 + 35 files changed, 108 insertions(+), 407 deletions(-) delete 
mode 100644 infrastructure/environments/dev/.gitkeep delete mode 100644 infrastructure/terraform/bootstrap/.terraform-version delete mode 100644 infrastructure/terraform/bootstrap/data_iam_policy_document_bucket.tf delete mode 100644 infrastructure/terraform/bootstrap/data_iam_policy_document_kms_key_s3.tf delete mode 100644 infrastructure/terraform/bootstrap/dynamodb_table.tf delete mode 100644 infrastructure/terraform/bootstrap/kms_key_s3.tf delete mode 100644 infrastructure/terraform/bootstrap/locals.tf delete mode 100644 infrastructure/terraform/bootstrap/outputs.tf delete mode 100644 infrastructure/terraform/bootstrap/provider_aws.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_lifecycle_configuration.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_ownership_controls.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_policy.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_public_access_block.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_server_side_encryption_configuration.tf delete mode 100644 infrastructure/terraform/bootstrap/s3_bucket_versioning.tf delete mode 100644 infrastructure/terraform/bootstrap/variables.tf delete mode 100644 infrastructure/terraform/bootstrap/versions.tf delete mode 100644 infrastructure/terraform/components/acct/.terraform-version create mode 100644 infrastructure/terraform/components/acct/.tool-versions delete mode 100644 infrastructure/terraform/components/acct/README create mode 100644 infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf create mode 100644 infrastructure/terraform/components/acct/route53_delegation_set.tf delete mode 100644 infrastructure/terraform/components/acct/route53_delegation_set_main.tf create mode 100644 infrastructure/terraform/components/acct/route53_query_log.tf create mode 100644 
infrastructure/terraform/components/acct/route53_zone.tf delete mode 100644 infrastructure/terraform/components/acct/route53_zone_subdomain.tf create mode 100644 infrastructure/terraform/components/examplecomponent/.tool-versions diff --git a/.tool-versions b/.tool-versions index 5550ad2f..e3d09926 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,9 +1,8 @@ -# This file is for you! Please, updated to the versions agreed by your team. - -terraform 1.9.1 -pre-commit 3.6.0 -nodejs 18.18.2 +act 0.2.64 gitleaks 8.18.4 +pre-commit 3.6.0 +terraform 1.9.2 +vale 3.6.0 tfsec 1.28.10 # ============================================================================== 
@@ -18,7 +17,7 @@ tfsec 1.28.10 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image # docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags # docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags -# docker/jdkato/vale v2.29.7@sha256:5ccfac574231b006284513ac3e4e9f38833989d83f2a68db149932c09de85149 # SEE: https://hub.docker.com/r/jdkato/vale/tags +# docker/jdkato/vale v3.6.0@sha256:0ef22c8d537f079633cfff69fc46f69a2196072f69cab1ab232e8a79a388e425 # SEE: https://hub.docker.com/r/jdkato/vale/tags # docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags # docker/mstruebing/editorconfig-checker 2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24 # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags # docker/sonarsource/sonar-scanner-cli 5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags diff --git a/infrastructure/environments/dev/.gitkeep b/infrastructure/environments/dev/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/infrastructure/terraform/bin/terraform.sh b/infrastructure/terraform/bin/terraform.sh index 22143d1a..756b4ef8 100755 --- a/infrastructure/terraform/bin/terraform.sh +++ b/infrastructure/terraform/bin/terraform.sh @@ -8,7 +8,7 @@ ## # Set Script Version ## -readonly script_ver="1.8.0"; +readonly script_ver="1.8.1"; ## # Standardised failure function 
@@ -399,13 +399,16 @@ fi; pushd "${component_path}"; readonly component_name=$(basename ${component_path}); -# Check for presence of tfenv (https://github.com/kamatama41/tfenv) -# and a .terraform-version file. If both present, ensure required -# version of terraform for this component is installed automagically. -tfenv_bin="$(which tfenv 2>/dev/null)"; -if [[ -n "${tfenv_bin}" && -x "${tfenv_bin}" && -f .terraform-version ]]; then - ${tfenv_bin} install; -fi; +# install terraform +# verify terraform version matches .tool-versions +echo ${PWD} +tool_version=$(grep "terraform " .tool-versions | cut -d ' ' -f 2) +asdf plugin-add terraform && asdf install terraform "${tool_version}" +current_version=$(terraform --version | head -n 1 | cut -d 'v' -f 2) + +if [ -z "${current_version}" ] || [ "${current_version}" != "${tool_version}" ]; then + error_and_die "Terraform version mismatch. Expected: ${tool_version}, Actual: ${current_version}" +fi # Regardless of bootstrapping or not, we'll be using this string. # If bootstrapping, we will fill it with variables, diff --git a/infrastructure/terraform/bootstrap/.terraform-version b/infrastructure/terraform/bootstrap/.terraform-version deleted file mode 100644 index 80e78df6..00000000 --- a/infrastructure/terraform/bootstrap/.terraform-version +++ /dev/null @@ -1 +0,0 @@ -1.3.5 diff --git a/infrastructure/terraform/bootstrap/data_iam_policy_document_bucket.tf b/infrastructure/terraform/bootstrap/data_iam_policy_document_bucket.tf deleted file mode 100644 index dd231f57..00000000 --- a/infrastructure/terraform/bootstrap/data_iam_policy_document_bucket.tf +++ /dev/null 
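Review bot: `asdf plugin-add terraform && asdf install terraform "${tool_version}"` skips the install whenever `plugin-add` exits non-zero, which at least some asdf releases do when the plugin is already present, and nothing checks that `asdf` exists at all, whereas the removed tfenv block probed for its binary first. The version-mismatch check below still gates on `current_version`, so a missing asdf degrades into `error_and_die` rather than a silently wrong binary, but the install should not be chained on plugin registration: `asdf plugin-add terraform 2>/dev/null || true; asdf install terraform "${tool_version}" || error_and_die "Failed to install terraform ${tool_version}";`. `grep "terraform " .tool-versions` is unanchored and would also match a commented pin such as `# docker/hashicorp/terraform 1.5.6@...` if a component `.tool-versions` ever carried the entries the root file has, so `grep -E '^terraform '` is safer. `echo ${PWD}` looks like leftover debug output, and the new lines drop the trailing `;` the rest of this script uses.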
@@ -1,68 +0,0 @@ -data "aws_iam_policy_document" "bucket" { - statement { - sid = "DontAllowNonSecureConnection" - effect = "Deny" - - actions = [ - "s3:*", - ] - - resources = [ - aws_s3_bucket.bucket.arn, - "${aws_s3_bucket.bucket.arn}/*", - ] - - principals { - type = "AWS" - - identifiers = [ - "*", - ] - } - - condition { - test = "Bool" - variable = "aws:SecureTransport" - - values = [ - "false", - ] - } - } - - statement { - sid = "AllowManagedAccountsToList" - effect = "Allow" - - actions = [ - "s3:ListBucket", - ] - - resources = [ - aws_s3_bucket.bucket.arn, - ] - - principals { - type = "AWS" - identifiers = local.ro_principals - } - } - - statement { - sid = "AllowManagedAccountsToGet" - effect = "Allow" - - actions = [ - "s3:GetObject", - ] - - resources = [ - "${aws_s3_bucket.bucket.arn}/*", - ] - - principals { - type = "AWS" - identifiers = local.ro_principals - } - } -} diff --git a/infrastructure/terraform/bootstrap/data_iam_policy_document_kms_key_s3.tf b/infrastructure/terraform/bootstrap/data_iam_policy_document_kms_key_s3.tf deleted file mode 100644 index 9741a087..00000000 --- a/infrastructure/terraform/bootstrap/data_iam_policy_document_kms_key_s3.tf +++ /dev/null @@ -1,46 +0,0 @@ -data "aws_iam_policy_document" "kms_key_s3" { - statement { - sid = "AllowLocalIAMAdministration" - effect = "Allow" - - actions = [ - "*", - ] - - resources = [ - "*", - ] - - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root", - ] - } - } - - statement { - sid = "AllowManagedAccountsToUse" - effect = "Allow" - - actions = [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyPair", - "kms:GenerateDataKeyPairWithoutPlaintext", - "kms:GenerateDataKeyWithoutPlaintext", - "kms:ReEncrypt", - ] - - resources = [ - "*", - ] - - principals { - type = "AWS" - identifiers = local.ro_principals - } - } -} 
diff --git a/infrastructure/terraform/bootstrap/dynamodb_table.tf b/infrastructure/terraform/bootstrap/dynamodb_table.tf deleted file mode 100644 index a5510f84..00000000 --- a/infrastructure/terraform/bootstrap/dynamodb_table.tf +++ /dev/null @@ -1,26 +0,0 @@ -resource "aws_dynamodb_table" "tfscaffold" { - name = var.bucket_name - hash_key = "LockID" - billing_mode = "PAY_PER_REQUEST" - - attribute { - name = "LockID" - type = "S" - } - - point_in_time_recovery { - enabled = true - } - - server_side_encryption { - enabled = true - kms_key_arn = aws_kms_key.s3.arn - } - - tags = merge( - local.default_tags, - { - Name = var.bucket_name - }, - ) -} diff --git a/infrastructure/terraform/bootstrap/kms_key_s3.tf b/infrastructure/terraform/bootstrap/kms_key_s3.tf deleted file mode 100644 index d8a9ff42..00000000 --- a/infrastructure/terraform/bootstrap/kms_key_s3.tf +++ /dev/null @@ -1,16 +0,0 @@ -resource "aws_kms_key" "s3" { - description = "tfscaffold Bootstrap S3 Bucket" - deletion_window_in_days = 10 - enable_key_rotation = true - - policy = data.aws_iam_policy_document.kms_key_s3.json - - # This does not use default tag map merging because bootstrapping is special - # You should use default tag map merging elsewhere - tags = merge( - local.default_tags, - { - Name = "tfscaffold Bootstrap S3 Bucket" - } - ) -} diff --git a/infrastructure/terraform/bootstrap/locals.tf b/infrastructure/terraform/bootstrap/locals.tf deleted file mode 100644 index 1449f889..00000000 --- a/infrastructure/terraform/bootstrap/locals.tf +++ /dev/null @@ -1,13 +0,0 @@ -locals { - ro_principals = compact(distinct(flatten([ - var.tfscaffold_ro_principals, - "arn:aws:iam::${var.aws_account_id}:root", - ]))) - - default_tags = { - "tfscaffold:Environment" = var.environment - "tfscaffold:Project" = var.project - "tfscaffold:Component" = var.component - "tfscaffold:Account" = var.aws_account_id - } -} 
diff --git a/infrastructure/terraform/bootstrap/outputs.tf b/infrastructure/terraform/bootstrap/outputs.tf deleted file mode 100644 index 05b4902c..00000000 --- a/infrastructure/terraform/bootstrap/outputs.tf +++ /dev/null @@ -1,23 +0,0 @@ -output "bucket_name" { - value = aws_s3_bucket.bucket.id -} - -output "bucket_policy" { - value = data.aws_iam_policy_document.bucket.json -} - -output "bucket_arn" { - value = aws_s3_bucket.bucket.arn -} - -output "kms_key_arn" { - value = aws_kms_key.s3.arn -} - -output "kms_key_id" { - value = aws_kms_key.s3.id -} - -output "kms_key_policy" { - value = data.aws_iam_policy_document.kms_key_s3.json -} diff --git a/infrastructure/terraform/bootstrap/provider_aws.tf b/infrastructure/terraform/bootstrap/provider_aws.tf deleted file mode 100644 index 02a88588..00000000 --- a/infrastructure/terraform/bootstrap/provider_aws.tf +++ /dev/null @@ -1,12 +0,0 @@ -# The default AWS provider in the default region -provider "aws" { - region = var.region - - # For no reason other than redundant safety - # we only allow the use of the AWS Account - # specified in the environment variables. - # This helps to prevent accidents. - allowed_account_ids = [ - var.aws_account_id, - ] -} diff --git a/infrastructure/terraform/bootstrap/s3_bucket.tf b/infrastructure/terraform/bootstrap/s3_bucket.tf deleted file mode 100644 index 5d5e092f..00000000 --- a/infrastructure/terraform/bootstrap/s3_bucket.tf +++ /dev/null @@ -1,14 +0,0 @@ -resource "aws_s3_bucket" "bucket" { - bucket = var.bucket_name - - force_destroy = false - - # This does not use default tag map merging because bootstrapping is special - # You should use default tag map merging elsewhere - tags = merge( - local.default_tags, - { - Name = "Terraform Scaffold State File Bucket for account ${var.aws_account_id} in region ${var.region}" - } - ) -} 
diff --git a/infrastructure/terraform/bootstrap/s3_bucket_lifecycle_configuration.tf b/infrastructure/terraform/bootstrap/s3_bucket_lifecycle_configuration.tf deleted file mode 100644 index 4e173b67..00000000 --- a/infrastructure/terraform/bootstrap/s3_bucket_lifecycle_configuration.tf +++ /dev/null @@ -1,26 +0,0 @@ -resource "aws_s3_bucket_lifecycle_configuration" "bucket" { - bucket = aws_s3_bucket.bucket.id - - rule { - id = "bootstrap" - status = "Enabled" - - filter { - prefix = "" - } - - noncurrent_version_transition { - noncurrent_days = "30" - storage_class = "STANDARD_IA" - } - - noncurrent_version_transition { - noncurrent_days = "60" - storage_class = "GLACIER" - } - - noncurrent_version_expiration { - noncurrent_days = "90" - } - } -} diff --git a/infrastructure/terraform/bootstrap/s3_bucket_ownership_controls.tf b/infrastructure/terraform/bootstrap/s3_bucket_ownership_controls.tf deleted file mode 100644 index fc4a359c..00000000 --- a/infrastructure/terraform/bootstrap/s3_bucket_ownership_controls.tf +++ /dev/null @@ -1,7 +0,0 @@ -resource "aws_s3_bucket_ownership_controls" "bucket" { - bucket = aws_s3_bucket.bucket.id - - rule { - object_ownership = "BucketOwnerEnforced" - } -} diff --git a/infrastructure/terraform/bootstrap/s3_bucket_policy.tf b/infrastructure/terraform/bootstrap/s3_bucket_policy.tf deleted file mode 100644 index d12922ac..00000000 --- a/infrastructure/terraform/bootstrap/s3_bucket_policy.tf +++ /dev/null @@ -1,8 +0,0 @@ -resource "aws_s3_bucket_policy" "bucket" { - bucket = aws_s3_bucket.bucket.id - policy = data.aws_iam_policy_document.bucket.json - - depends_on = [ - aws_s3_bucket_public_access_block.bucket, - ] -} diff --git a/infrastructure/terraform/bootstrap/s3_bucket_public_access_block.tf b/infrastructure/terraform/bootstrap/s3_bucket_public_access_block.tf deleted file mode 100644 index d134b312..00000000 --- a/infrastructure/terraform/bootstrap/s3_bucket_public_access_block.tf +++ /dev/null 
@@ -1,8 +0,0 @@ -resource "aws_s3_bucket_public_access_block" "bucket" { - bucket = aws_s3_bucket.bucket.id - - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true -} diff --git a/infrastructure/terraform/bootstrap/s3_bucket_server_side_encryption_configuration.tf b/infrastructure/terraform/bootstrap/s3_bucket_server_side_encryption_configuration.tf deleted file mode 100644 index 5733d983..00000000 --- a/infrastructure/terraform/bootstrap/s3_bucket_server_side_encryption_configuration.tf +++ /dev/null @@ -1,12 +0,0 @@ -resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" { - bucket = aws_s3_bucket.bucket.id - - rule { - apply_server_side_encryption_by_default { - kms_master_key_id = aws_kms_key.s3.arn - sse_algorithm = "aws:kms" - } - - bucket_key_enabled = true - } -} diff --git a/infrastructure/terraform/bootstrap/s3_bucket_versioning.tf b/infrastructure/terraform/bootstrap/s3_bucket_versioning.tf deleted file mode 100644 index 80c1ab95..00000000 --- a/infrastructure/terraform/bootstrap/s3_bucket_versioning.tf +++ /dev/null @@ -1,7 +0,0 @@ -resource "aws_s3_bucket_versioning" "bucket" { - bucket = aws_s3_bucket.bucket.id - - versioning_configuration { - status = "Enabled" - } -} diff --git a/infrastructure/terraform/bootstrap/variables.tf b/infrastructure/terraform/bootstrap/variables.tf deleted file mode 100644 index d7b1f44b..00000000 --- a/infrastructure/terraform/bootstrap/variables.tf +++ /dev/null 
@@ -1,37 +0,0 @@ -variable "project" { - type = string - description = "The name of the Project we are bootstrapping tfscaffold for" -} - -variable "aws_account_id" { - type = string - description = "The AWS Account ID into which we are bootstrapping tfscaffold" -} - -variable "region" { - type = string - description = "The AWS Region into which we are bootstrapping tfscaffold" -} - -variable "environment" { - type = string - description = "The name of the environment for the bootstrapping process; which is always bootstrap" - default = "bootstrap" -} - -variable "component" { - type = string - description = "The name of the component for the bootstrapping process; which is always bootstrap" - default = "bootstrap" -} - -variable "bucket_name" { - type = string - description = "The name to use for the tfscaffold bucket. This should be provided from tfscaffold shell, not environment or group tfvars" -} - -variable "tfscaffold_ro_principals" { - type = list(string) - description = "A list of Principals permitted to ListBucket and GetObject for Remote State purposes. Normally the root principal of the account" - default = [] -} diff --git a/infrastructure/terraform/bootstrap/versions.tf b/infrastructure/terraform/bootstrap/versions.tf deleted file mode 100644 index 87dc6a9d..00000000 --- a/infrastructure/terraform/bootstrap/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 4.61.0" - } - } - - required_version = ">= 0.14.7" -} diff --git a/infrastructure/terraform/components/acct/.terraform-version b/infrastructure/terraform/components/acct/.terraform-version deleted file mode 100644 index 631f7908..00000000 --- a/infrastructure/terraform/components/acct/.terraform-version +++ /dev/null @@ -1 +0,0 @@ -latest:^1\.8\. diff --git a/infrastructure/terraform/components/acct/.tool-versions b/infrastructure/terraform/components/acct/.tool-versions new file mode 100644 index 00000000..3874604d 
--- /dev/null +++ b/infrastructure/terraform/components/acct/.tool-versions @@ -0,0 +1 @@ +terraform 1.9.2 diff --git a/infrastructure/terraform/components/acct/README b/infrastructure/terraform/components/acct/README deleted file mode 100644 index d2148877..00000000 --- a/infrastructure/terraform/components/acct/README +++ /dev/null @@ -1,5 +0,0 @@ -README for 'acct' component - Account-level resources - -This component is intended to be run to set up things (such as a DNS subdomain) at the account level, and this should be run for each account belonging to the Notify Domain - i.e. there should be a nonprod and prod environment .tfvars - -Copy the `env_eu-west-2_example.tfvars` file in the `etc` directory and adjust as needed for nonprod and prod for your NHS Notify Domain. diff --git a/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf b/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf new file mode 100644 index 00000000..e30e2087 --- /dev/null +++ b/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf 
@@ -0,0 +1,37 @@ +resource "aws_cloudwatch_log_group" "aws_route53_query_log" { + provider = aws.us-east-1 # Route53 query logging must be in us-east-1 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log + + name = "/aws/route53/${local.csi}" + retention_in_days = var.log_retention_in_days +} + +resource "aws_cloudwatch_log_resource_policy" "route53_query_logging_policy" { + provider = aws.us-east-1 # Route53 query logging must be in us-east-1 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log + + policy_document = data.aws_iam_policy_document.route53_logs.json + policy_name = "${local.csi}-route53-query-logging-policy" +} + +data "aws_iam_policy_document" "route53_logs" { + statement { + effect = "Allow" + + principals { + type = "Service" + + identifiers = [ + "route53.amazonaws.com" + ] + } + + actions = [ + "logs:CreateLogStream", + "logs:PutLogEvents", + ] + + resources = [ + aws_cloudwatch_log_group.aws_route53_query_log.arn, + "${aws_cloudwatch_log_group.aws_route53_query_log.arn}:*" + ] + } +} diff --git a/infrastructure/terraform/components/acct/locals_tfscaffold.tf b/infrastructure/terraform/components/acct/locals_tfscaffold.tf index e5084cdf..b7cf3217 100644 --- a/infrastructure/terraform/components/acct/locals_tfscaffold.tf +++ b/infrastructure/terraform/components/acct/locals_tfscaffold.tf @@ -34,12 +34,11 @@ locals { default_tags = merge( var.default_tags, { - Project = var.project - Environment = var.environment - Component = var.component - Group = var.group - NHSNotifyDomain = var.nhs_notify_domain - Name = local.csi + Project = var.project + Environment = var.environment + Component = var.component + Group = var.group + Name = local.csi }, ) } diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf index 5bc34180..58f3fefd 100644 --- a/infrastructure/terraform/components/acct/outputs.tf 
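Review bot: The `aws_cloudwatch_log_resource_policy` statement in `data.aws_iam_policy_document.route53_logs` grants the `route53.amazonaws.com` service principal `logs:CreateLogStream`/`logs:PutLogEvents` on this log group with no `condition`, so the service is trusted regardless of which account's hosted zone asked it to log here. AWS's guidance for Route 53 query logging scopes this grant to the calling account and hosted-zone ARNs with `aws:SourceAccount` and `aws:SourceArn` to avoid the cross-service confused-deputy case; `var.aws_account_id` is already used by this component in `provider_aws.tf`. The log group also has no `kms_key_id`, so the query logs rest under CloudWatch's default encryption — likely acceptable for DNS query data, but worth a one-line comment if that is deliberate.
```hcl
data "aws_iam_policy_document" "route53_logs" {
  statement {
    # … unchanged: effect, principals, actions, resources …

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.aws_account_id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:route53:::hostedzone/*"]
    }
  }
}
```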
+++ b/infrastructure/terraform/components/acct/outputs.tf @@ -1,19 +1,7 @@ -output "aws_account_id" { - value = var.aws_account_id -} - -output "r53_delegation_set_id" { - value = aws_route53_delegation_set.main.id -} - -output "r53_delegation_set_nameservers" { - value = aws_route53_delegation_set.main.name_servers -} - -output "r53_subdomain_name" { - value = var.subdomain_name -} - -output "r53_subdomain_id" { - value = one(aws_route53_zone.subdomain[*].id) +output "dns_zone" { + value = { + id = aws_route53_zone.main.id + name = aws_route53_zone.main.name + nameservers = aws_route53_zone.main.name_servers + } } diff --git a/infrastructure/terraform/components/acct/provider_aws.tf b/infrastructure/terraform/components/acct/provider_aws.tf index a8058431..d694811e 100644 --- a/infrastructure/terraform/components/acct/provider_aws.tf +++ b/infrastructure/terraform/components/acct/provider_aws.tf @@ -6,13 +6,19 @@ provider "aws" { ] default_tags { - tags = { - Project = var.project - Environment = var.environment - Component = var.component - Group = var.group - NHSNotifyDomain = var.nhs_notify_domain - Name = local.csi - } + tags = local.default_tags } } + +provider "aws" { + alias = "us-east-1" + region = "us-east-1" + + default_tags { + tags = local.default_tags + } + + allowed_account_ids = [ + var.aws_account_id, + ] +} diff --git a/infrastructure/terraform/components/acct/route53_delegation_set.tf b/infrastructure/terraform/components/acct/route53_delegation_set.tf new file mode 100644 index 00000000..d3d0896b --- /dev/null +++ b/infrastructure/terraform/components/acct/route53_delegation_set.tf @@ -0,0 +1,3 @@ +resource "aws_route53_delegation_set" "main" { + reference_name = "unset.${var.root_domain_name}" +} diff --git a/infrastructure/terraform/components/acct/route53_delegation_set_main.tf b/infrastructure/terraform/components/acct/route53_delegation_set_main.tf deleted file mode 100644 index 76ad88e0..00000000 
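Review bot: The literal `unset.` prefix in `reference_name = "unset.${var.root_domain_name}"` reads like a template placeholder, and the same literal is baked into the zone name in `route53_zone.tf` in the next hunk. Both attributes force replacement when changed (`reference_name` on `aws_route53_delegation_set`, `name` on `aws_route53_zone`), so renaming later recreates the delegation set and the zone and yields a new nameserver set, breaking any parent delegation already pointed at this account. If the prefix is meant to vary per deployment, lift it into a variable now, e.g. `variable "subdomain_prefix" { type = string, default = "unset" }` and `reference_name = "${var.subdomain_prefix}.${var.root_domain_name}"`; if it is the intended final name, a comment saying so would stop the next reader treating it as a TODO.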
--- a/infrastructure/terraform/components/acct/route53_delegation_set_main.tf +++ /dev/null @@ -1,3 +0,0 @@ -resource "aws_route53_delegation_set" "main" { - reference_name = "main" -} diff --git a/infrastructure/terraform/components/acct/route53_query_log.tf b/infrastructure/terraform/components/acct/route53_query_log.tf new file mode 100644 index 00000000..305ebb44 --- /dev/null +++ b/infrastructure/terraform/components/acct/route53_query_log.tf @@ -0,0 +1,9 @@ +resource "aws_route53_query_log" "main" { + zone_id = aws_route53_zone.main.zone_id + + cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_query_log.arn + + depends_on = [ + aws_cloudwatch_log_resource_policy.route53_query_logging_policy + ] +} diff --git a/infrastructure/terraform/components/acct/route53_zone.tf b/infrastructure/terraform/components/acct/route53_zone.tf new file mode 100644 index 00000000..cfd7be29 --- /dev/null +++ b/infrastructure/terraform/components/acct/route53_zone.tf @@ -0,0 +1,5 @@ +resource "aws_route53_zone" "main" { + name = "unset.${var.root_domain_name}" + + delegation_set_id = aws_route53_delegation_set.main.id +} diff --git a/infrastructure/terraform/components/acct/route53_zone_subdomain.tf b/infrastructure/terraform/components/acct/route53_zone_subdomain.tf deleted file mode 100644 index cc52061b..00000000 --- a/infrastructure/terraform/components/acct/route53_zone_subdomain.tf +++ /dev/null @@ -1,7 +0,0 @@ -resource "aws_route53_zone" "subdomain" { - count = var.subdomain_name != "" ? 1 : 0 - - name = var.subdomain_name - - delegation_set_id = aws_route53_delegation_set.main.id -} diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf index f625501d..14cf64df 100644 --- a/infrastructure/terraform/components/acct/variables.tf +++ b/infrastructure/terraform/components/acct/variables.tf 
@@ -41,24 +41,24 @@ variable "component" { default = "acct" } -variable "nhs_notify_domain" { - type = string - description = "The name of the NHS Notify Domain that this is deploying to" -} - variable "default_tags" { type = map(string) description = "A map of default tags to apply to all taggable resources within the component" default = {} } - ## -# Variables specific to the "acct" component +# Variables specific to the "dnsroot"component ## -variable "subdomain_name" { +variable "log_retention_in_days" { + type = number + description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite" + default = 0 +} + +variable "root_domain_name" { type = string - description = "The subdomain name to create a Route53 zone for" - default = "" + description = "The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk" + default = "nonprod.nhsnotify.national.nhs.uk" } diff --git a/infrastructure/terraform/components/acct/versions.tf b/infrastructure/terraform/components/acct/versions.tf index ee15bad7..5fba18d2 100644 --- a/infrastructure/terraform/components/acct/versions.tf +++ b/infrastructure/terraform/components/acct/versions.tf @@ -6,5 +6,5 @@ terraform { } } - required_version = "~> 1.8.4" + required_version = ">= 1.9.0" } diff --git a/infrastructure/terraform/components/examplecomponent/.tool-versions b/infrastructure/terraform/components/examplecomponent/.tool-versions new file mode 100644 index 00000000..3874604d --- /dev/null +++ b/infrastructure/terraform/components/examplecomponent/.tool-versions @@ -0,0 +1 @@ +terraform 1.9.2 From b2f48dd18052940d56fd332a3f642075364d0f4c Mon Sep 17 00:00:00 2001 
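Review bot: `root_domain_name` defaults to `"nonprod.nhsnotify.national.nhs.uk"`, so a prod environment that omits the variable silently creates its zone under the nonprod namespace; dropping the default (`variable "root_domain_name" { type = string, description = ... }`) makes the value mandatory per environment. The new header comment `# Variables specific to the "dnsroot"component` names the wrong component and is missing a space — this file belongs to `acct`, so `# Variables specific to the "acct" component`. The `root_domain_name` description has a typo and a doubled word: `description = "The service's root DNS namespace, like nonprod.nhsnotify.national.nhs.uk"`. The `log_retention_in_days` default of `0` keeps the Route 53 query logs created in `cloudwatch_log_group_route53_query_log.tf` indefinitely, which is reasonable for an audit source, but the description should state that retention is unbounded by default so operators set it consciously.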
From: aidenvaines-bjss Date: Fri, 30 Aug 2024 09:44:44 +0100 Subject: [PATCH 2/3] CCM-6104 consolidating repo changes for AMET structure back to template --- .../vocabularies}/words/accept.txt | 30 +++++++++---------- .../vocabularies}/words/reject.txt | 0 2 files changed, 15 insertions(+), 15 deletions(-) rename scripts/config/vale/styles/{Vocab => config/vocabularies}/words/accept.txt (100%) rename scripts/config/vale/styles/{Vocab => config/vocabularies}/words/reject.txt (100%) diff --git a/scripts/config/vale/styles/Vocab/words/accept.txt b/scripts/config/vale/styles/config/vocabularies/words/accept.txt similarity index 100% rename from scripts/config/vale/styles/Vocab/words/accept.txt rename to scripts/config/vale/styles/config/vocabularies/words/accept.txt index 43298b29..3b07d50c 100644 --- a/scripts/config/vale/styles/Vocab/words/accept.txt +++ b/scripts/config/vale/styles/config/vocabularies/words/accept.txt @@ -1,27 +1,27 @@ +[A-Z]+s Bitwarden +bot +Cognito Cyber Dependabot +draw.io +drawio +endcapture +endfor +endraw +GitHub Gitleaks Grype +idempotence +Jira OAuth Octokit +onboarding Podman Python +rawContent +sed Syft Terraform -Trufflehog -bot -idempotence -onboarding -sed toolchain -[A-Z]+s -GitHub -endraw -draw.io -endfor -drawio -rawContent -endcapture -Cognito -Jira +Trufflehog diff --git a/scripts/config/vale/styles/Vocab/words/reject.txt b/scripts/config/vale/styles/config/vocabularies/words/reject.txt similarity index 100% rename from scripts/config/vale/styles/Vocab/words/reject.txt rename to scripts/config/vale/styles/config/vocabularies/words/reject.txt From 8c34b83a29eb5bab664361f2e426eec14ee9989a Mon Sep 17 00:00:00 2001 From: aidenvaines-bjss Date: Fri, 30 Aug 2024 09:55:59 +0100 Subject: [PATCH 3/3] CCM-6104 consolidating repo changes for AMET structure back to template --- scripts/terraform/terraform.lib.sh | 6 ++++- scripts/terraform/terraform.mk | 39 ++++++++++++++++++++++++------ 2 files changed, 37 insertions(+), 8 deletions(-) 
diff --git a/scripts/terraform/terraform.lib.sh b/scripts/terraform/terraform.lib.sh index 7793b9b0..d94213e8 100644 --- a/scripts/terraform/terraform.lib.sh +++ b/scripts/terraform/terraform.lib.sh @@ -53,8 +53,12 @@ function terraform-destroy() { # dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is '.'] # opts=[options to pass to the Terraform fmt command, default is '-recursive'] function terraform-fmt() { + for d in "${PWD}infrastructure/"*; do + if [ -d "$d" ]; then + terraform fmt --recursive "${d}" + fi + done - _terraform fmt -recursive # 'dir' and 'opts' are passed to the function as environment variables, if set } # Validate Terraform code. diff --git a/scripts/terraform/terraform.mk b/scripts/terraform/terraform.mk index 111acda9..4a2783a1 100644 --- a/scripts/terraform/terraform.mk +++ b/scripts/terraform/terraform.mk @@ -4,11 +4,6 @@ # Custom implementation - implementation of a make target should not exceed 5 lines of effective code. # In most cases there should be no need to modify the existing make targets. -TF_ENV ?= dev -STACK ?= ${stack} -TERRAFORM_STACK ?= $(or ${STACK}, infrastructure/environments/${TF_ENV}) -dir ?= ${TERRAFORM_STACK} - terraform-init: # Initialise Terraform - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform init command, default is none/empty] @Development make _terraform cmd="init" \ dir=$(or ${terraform_dir}, ${dir}) \ 
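Review bot: `for d in "${PWD}infrastructure/"*` is missing the `/` between `${PWD}` and `infrastructure`, so the glob expands to a path like `/some/repoinfrastructure/*` that never exists; without `nullglob` the literal pattern is returned, `[ -d "$d" ]` fails, and `terraform fmt` formats nothing while the target still exits 0, making the fmt quality gate pass vacuously. Use `for d in "${PWD}/infrastructure/"*; do` (or a project-root-relative `infrastructure/*`, matching how `terraform.mk` addresses paths). The loop also ignores the `dir` and `opts` environment variables the function header still documents, and the `# 'dir' and 'opts' are passed to the function as environment variables, if set` comment is now orphaned on its own line; either honour them (`terraform fmt ${opts:--recursive} "${d}"`) or update the header to say the function formats every directory under `infrastructure/`.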
@@ -46,9 +41,11 @@ clean:: # Remove Terraform files (terraform) - optional: terraform_dir|dir=[path opts=$(or ${terraform_opts}, ${opts}) _terraform: # Terraform command wrapper - mandatory: cmd=[command to execute]; optional: dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], opts=[options to pass to the Terraform command, default is none/empty] + # 'TERRAFORM_STACK' is passed to the functions as environment variable + TERRAFORM_STACK=$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, ${stack}))) dir=$(or ${dir}, ${TERRAFORM_STACK}) - . scripts/terraform/terraform.lib.sh && \ - terraform-${cmd} # 'dir' and 'opts' are accessible by the function as environment variables, if set + . "scripts/terraform/terraform.lib.sh"; \ + terraform-${cmd} # 'dir' and 'opts' are accessible by the function as environment variables, if set # ============================================================================== # Quality checks - please DO NOT edit this section! 
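Review bot: The new `TERRAFORM_STACK=$(or …)` recipe line cannot do what its comment says: make runs each recipe line in its own shell unless `.ONESHELL` is set (not visible in this hunk), so the assignment is gone before the `dir=…` line and before `terraform-${cmd}` runs, and a plain shell assignment is not exported to the `terraform` child process either. The same pattern is repeated in `terraform-example-clean` in the next hunk. If the values are meant to reach the sourced functions, keep the three steps in one shell with `; \` continuations and export them, using `$${…}` where the shell rather than make should expand.
```makefile
_terraform: # … unchanged: target description …
	TERRAFORM_STACK="$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, ${stack})))"; \
	dir="$(or ${dir}, $${TERRAFORM_STACK})"; \
	export TERRAFORM_STACK dir; \
	. "scripts/terraform/terraform.lib.sh"; \
	terraform-${cmd} # 'dir' and 'opts' are accessible by the function as environment variables, if set
```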
@@ -58,6 +55,31 @@ terraform-shellscript-lint: # Lint all Terraform module shell scripts @Quality file=$${file} scripts/shellscript-linter.sh done +terraform-sec: # TFSEC check against Terraform files - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform fmt command, default is '-recursive'] @Quality + tfsec infrastructure/terraform \ + --force-all-dirs \ + --exclude-downloaded-modules \ + --tfvars-file infrastructure/terraform/etc/global.tfvars \ + --tfvars-file infrastructure/terraform/etc/env_eu-west-2_main.tfvars \ + --config-file scripts/config/tfsec.yml + +# ============================================================================== +# Module tests and examples - please DO NOT edit this section! + +terraform-example-provision-aws-infrastructure: # Provision example of AWS infrastructure @ExamplesAndTests + make terraform-init + make terraform-plan opts="-out=terraform.tfplan" + make terraform-apply opts="-auto-approve terraform.tfplan" + +terraform-example-destroy-aws-infrastructure: # Destroy example of AWS infrastructure @ExamplesAndTests + make terraform-destroy opts="-auto-approve" + +terraform-example-clean: # Remove Terraform example files @ExamplesAndTests + dir=$(or ${dir}, ${TERRAFORM_STACK}) + . "scripts/terraform/terraform.lib.sh"; \ + terraform-clean + rm -f ${TERRAFORM_STACK}/.terraform.lock.hcl + # ============================================================================== # Configuration - please DO NOT edit this section! @@ -71,6 +93,9 @@ ${VERBOSE}.SILENT: \ clean \ terraform-apply \ terraform-destroy \ + terraform-example-clean \ + terraform-example-destroy-aws-infrastructure \ + terraform-example-provision-aws-infrastructure \ terraform-fmt \ terraform-init \ terraform-install \
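Review bot: `terraform-sec` hard-codes `infrastructure/terraform` and two tfvars paths (`infrastructure/terraform/etc/global.tfvars`, `infrastructure/terraform/etc/env_eu-west-2_main.tfvars`) while its header comment advertises `terraform_dir|dir` and `terraform_opts|opts` that the recipe never reads, and the `opts` text about "the Terraform fmt command, default is '-recursive'" is copied from `terraform-fmt`. Neither tfvars file nor `scripts/config/tfsec.yml` appears in this series, and the only tfvars the deleted `acct` README mentioned was `env_eu-west-2_example.tfvars`, so if those files are absent the quality gate fails on every run; either honour the documented inputs (`tfsec $(or ${terraform_dir}, ${dir}, infrastructure/terraform) $(or ${terraform_opts}, ${opts}) \`) or rewrite the header to describe the fixed paths. Because this target is a security gate, a short comment above it naming what `scripts/config/tfsec.yml` suppresses and why would make the exclusions reviewable. In `terraform-example-provision-aws-infrastructure`, `-auto-approve` is redundant when applying a saved plan file (`terraform.tfplan` is applied without a prompt), so `opts="terraform.tfplan"` is enough.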