diff --git a/terraform/.terraform-docs.yml b/terraform/.terraform-docs.yml new file mode 100644 index 000000000..a6917808f --- /dev/null +++ b/terraform/.terraform-docs.yml @@ -0,0 +1,26 @@ +--- +formatter: "markdown table" +version: "~> 0.16" +settings: + anchor: true + default: true + description: false + escape: true + hide-empty: false + html: true + indent: 2 + lockfile: true + read-comments: true + required: true + sensitive: true + type: true +sort: + enabled: true + by: name +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + diff --git a/terraform/main.tf b/terraform/main.tf index 182f40333..6120e9e47 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -1,4 +1,3 @@ - terraform { required_version = ">=1.4" required_providers { @@ -13,7 +12,6 @@ terraform { } backend "s3" { - # bucket = "${var.backend_bucket}" key = "ds-infrastructure-enrichment-pipeline/backend.tfstate" region = "eu-west-2" } @@ -21,7 +19,8 @@ terraform { module "lambda_s3" { source = "./modules/lambda_s3" - name = "tna" + + name = "tna" environment = var.app_env @@ -32,9 +31,6 @@ module "lambda_s3" { postgress_master_password_secret_id = module.data.postgress_master_password postgress_hostname = module.data.postgress_hostname - # sparql_username = "${module.data.sparql_username}" - # sparql_password = "${module.data.sparql_password}" - default_security_group_id = module.network.default_security_group_id aws_subnets_private_ids = module.data.aws_subnets_private_ids @@ -48,7 +44,6 @@ module "network" { rds_security_group_id = module.data.rds_security_group_id } - module "data" { source = "./modules/data" diff --git a/terraform/modules/data/data.tf b/terraform/modules/data/data.tf index 59ed9d6be..63ca98fa1 100644 --- a/terraform/modules/data/data.tf +++ b/terraform/modules/data/data.tf 
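Review bot: The `backend "s3"` block left by the second main.tf hunk declares only `key` and `region`; with the commented `bucket` line gone, nothing in the file says where the bucket (and any locking table) come from, so they are presumably passed at `terraform init -backend-config=…` time. A one-line comment at the top of the block, e.g. `# bucket and locking settings are supplied via -backend-config at init time`, would spare the next reader a failed init. Because this root state will hold `random_password.password.result` and the Secrets Manager `secret_string` from the data module in clear text, it is also worth making `encrypt = true` and the locking configuration visible in this block unless the backend config already sets them.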
@@ -52,15 +52,3 @@ data "aws_subnet" "database" {
 for_each = toset(data.aws_subnets.database.ids)
 id = each.value
 }
-
-# data "aws_subnets" "db" {
-# filter {
-# name = "vpc-id"
-# values = [var.vpc_id]
-# }
-
-# filter {
-# name = "tag:Name"
-# values = ["*-db-*"]
-# }
-# }
diff --git a/terraform/modules/data/local.tf b/terraform/modules/data/local.tf
deleted file mode 100644
index 3009ecfb7..000000000
--- a/terraform/modules/data/local.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-locals {
- name = "tna"
- region = var.aws_region
- environment = var.environment
- tags = {
- Environment = var.environment
- Project = "TNA judgement enrichment"
- }
-}
diff --git a/terraform/modules/data/locals.tf b/terraform/modules/data/locals.tf
index aadb46d6a..7a2919501 100644
--- a/terraform/modules/data/locals.tf
+++ b/terraform/modules/data/locals.tf
@@ -1,4 +1,8 @@
 locals {
+ name = "tna"
+ region = var.aws_region
+ environment = var.environment
+
 db = {
 staging = {
 deletion_protection = true
@@ -7,4 +11,9 @@ locals {
 deletion_protection = true
 }
 }
+
+ tags = {
+ Environment = var.environment
+ Project = "TNA judgement enrichment"
+ }
 }
diff --git a/terraform/modules/data/outputs.tf b/terraform/modules/data/outputs.tf
index 30c0b5873..e2a389e90 100644
--- a/terraform/modules/data/outputs.tf
+++ b/terraform/modules/data/outputs.tf
@@ -1,6 +1,4 @@
-
 output "postgress_master_password" {
- # value = aws_secretsmanager_secret.postgress_master_password.secret_id
 value = aws_secretsmanager_secret_version.postgress_master_password.secret_id
 }
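Review bot: `output "postgress_master_password"` in the outputs.tf hunk returns `aws_secretsmanager_secret_version.postgress_master_password.secret_id`, i.e. the secret's identifier, not the password; the name invites a caller to treat it as the secret value (main.tf wires it into `postgress_master_password_secret_id`, so the current consumer is fine). Renaming would be an interface change, so at minimum give it a `description`, e.g. `description = "Secrets Manager secret_id of the Postgres master password secret (an identifier, not the password itself)"`. If the output is ever changed to carry the value, it would also need `sensitive = true` so it is redacted in plan and apply output.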
@@ -8,26 +6,11 @@ output "postgress_hostname" { value = module.metadata-db.rds_cluster_endpoint } -# output "sparql_username" { -# value = aws_secretsmanager_secret.sparql_username -# } - -# output "sparql_password" { -# value = aws_secretsmanager_secret.sparql_password -# } - output "aws_vpc" { value = data.aws_vpc.vpc.id } -# public_subnets = "${module.network.public_subnets}" -# for_each = toset(module.data.data.aws_subnets.private.ids) -# id = each.value -# subnet_ids = [each.value] output "aws_subnets_private_ids" { - # for_each = toset(data.aws_subnets.private.ids) - # value = [each.value] - # value = data.aws_subnet.private[each.key] value = toset(data.aws_subnets.private.ids) } diff --git a/terraform/modules/data/providers.tf b/terraform/modules/data/providers.tf deleted file mode 100644 index 1332abc3a..000000000 --- a/terraform/modules/data/providers.tf +++ /dev/null @@ -1,4 +0,0 @@ -# provider "aws" { -# region = var.aws_region -# profile = var.aws_profile -# } diff --git a/terraform/modules/data/rds.tf b/terraform/modules/data/rds.tf index c825b8dc9..bb1446d56 100644 --- a/terraform/modules/data/rds.tf +++ b/terraform/modules/data/rds.tf @@ -1,6 +1,6 @@ module "metadata-db" { source = "terraform-aws-modules/rds-aurora/aws" - version = ">=5.0.0,<6.0.0" + version = "5.3.0" name = "${local.name}-metadata-db-${local.environment}" 
@@ -15,14 +15,8 @@ module "metadata-db" { deletion_protection = local.db[local.environment].deletion_protection - # create_random_password = true - - # database_name = jsondecode(data.aws_secretsmanager_secret_version.postgress_master_password.secret_string)["db_name"] - # master_username = jsondecode(data.aws_secretsmanager_secret_version.postgress_master_password.secret_string)["db_username"] - # password = jsondecode(aws_secretsmanager_secret_version.postgress_master_password.secret_string)["db_password"] password = aws_secretsmanager_secret_version.postgress_master_password.secret_string - apply_immediately = true skip_final_snapshot = true diff --git a/terraform/modules/data/secrets.tf b/terraform/modules/data/secrets.tf index e926888e9..8d0358a10 100644 --- a/terraform/modules/data/secrets.tf +++ b/terraform/modules/data/secrets.tf @@ -1,8 +1,6 @@ resource "random_password" "password" { length = 50 special = true - # override_special = "_%@" - # override_special = "'/@\"_% " # Postgress passwords can't contain any of the following: # / (slash), '(single quote), "(double quote) and @ (at sign). override_special = "!#$%&*()-_=+[]" 
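Review bot: `skip_final_snapshot = true` stays unconditional in the rds.tf hunk while the neighbouring `deletion_protection = local.db[local.environment].deletion_protection` is per-environment, so destroying an environment whose deletion protection has been switched off leaves no final snapshot behind. Driving it from the same map, e.g. `skip_final_snapshot = local.db[local.environment].skip_final_snapshot` with `false` for the long-lived environments, keeps the two safety settings consistent. The `module "metadata-db"` block starts before this hunk; the context line `apply_immediately = true` means any future change to the cluster is applied outside the maintenance window, which deserves a comment if it is intended.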
@@ -17,44 +15,3 @@ resource "aws_secretsmanager_secret_version" "postgress_master_password" { secret_id = aws_secretsmanager_secret.postgress_master_password.id secret_string = random_password.password.result } - -# resource "aws_secretsmanager_secret" "sparql_username" { -# name = "${local.name}-sparql-username-${local.environment}" -# recovery_window_in_days = 0 -# } - -# resource "aws_secretsmanager_secret_version" "sparql_username" { -# secret_id = aws_secretsmanager_secret.sparql_username.id -# secret_string = "" -# } - -# resource "aws_secretsmanager_secret" "sparql_password" { -# name = "${local.name}-sparql-password-${local.environment}" -# recovery_window_in_days = 0 -# } - -# resource "aws_secretsmanager_secret_version" "sparql_password" { -# secret_id = aws_secretsmanager_secret.sparql_password.id -# secret_string = "" -# } - -# resource "random_password" "app_secret" { -# length = 32 -# special = true -# upper = true -# lower = true -# min_upper = 3 -# min_special = 2 -# min_numeric = 3 -# min_lower = 3 -# } - -# module "secrets" { -# source = "../secrets" -# name = local.name -# environment = local.environment -# application-secrets = { -# "SECRET_KEY" = random_password.app_secret.result -# "SQLALCHEMY_DATABASE_URI" = "postgres://${module.metadata-db.rds_cluster_master_username}:${module.metadata-db.rds_cluster_master_password}@${module.metadata-db.rds_cluster_endpoint}:${module.metadata-db.rds_cluster_port}/${module.metadata-db.rds_cluster_database_name}" -# } -# } diff --git a/terraform/modules/data/variables.tf b/terraform/modules/data/variables.tf index be39fe7c1..441838e86 100644 --- a/terraform/modules/data/variables.tf +++ b/terraform/modules/data/variables.tf @@ -6,7 +6,6 @@ variable "aws_profile" { variable "aws_region" { type = string default = "eu-west-2" - # default = "eu-west-1" #for testing } variable "vpc_id" { 
@@ -18,8 +17,7 @@ variable "default_security_group_id" { } variable "environment" { - type = string - # default = "ucl" + type = string default = "development" } diff --git a/terraform/modules/lambda_s3/bucket.tf b/terraform/modules/lambda_s3/bucket.tf index 84fd6c00a..895df123c 100644 --- a/terraform/modules/lambda_s3/bucket.tf +++ b/terraform/modules/lambda_s3/bucket.tf @@ -1,4 +1,3 @@ - module "xml_original_bucket" { source = "../secure_bucket" diff --git a/terraform/modules/lambda_s3/iam.tf b/terraform/modules/lambda_s3/iam.tf deleted file mode 100644 index d4188c760..000000000 --- a/terraform/modules/lambda_s3/iam.tf +++ /dev/null @@ -1,35 +0,0 @@ -# data "aws_iam_policy_document" "dest_bucket_policy" { -# statement { -# principals { -# type = "AWS" -# identifiers = [ -# module.lambda.lambda_role_arn -# ] -# } - -# actions = ["s3:PutObject", "s3:PutObjectAcl"] -# resources = [ -# "${module.dest_bucket.s3_bucket_arn}/*" -# ] - -# } - -# } - -# data "aws_iam_policy_document" "xml_original_bucket_policy" { -# statement { -# principals { -# type = "AWS" -# identifiers = [ -# module.lambda.lambda_role_arn -# ] -# } - -# actions = ["s3:PutObject", "s3:PutObjectAcl"] -# resources = [ -# "${module.xml_original_bucket.s3_bucket_arn}/*" -# ] - -# } - -# } diff --git a/terraform/modules/lambda_s3/lambda.tf b/terraform/modules/lambda_s3/lambda.tf index 0ebe2f780..a0b27d81f 100644 --- a/terraform/modules/lambda_s3/lambda.tf +++ b/terraform/modules/lambda_s3/lambda.tf @@ -1,7 +1,6 @@ - module "lambda-extract-judgement-contents" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-extract-judgement-contents" package_type = var.use_container_image == true ? "Image" : "Zip" @@ -15,7 +14,6 @@ module "lambda-extract-judgement-contents" { timeout = 60 memory_size = 256 - # memory_size = var.memory_size attach_policy_statements = true policy_statements = { 
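Review bot: `variable "environment"` keeps `default = "development"` in the variables.tf hunk, but rds.tf indexes `local.db[local.environment]` and the only key visible in the locals.tf hunk is `staging`; if `development` is not a key, using the module with its default fails with an index error at plan time rather than a readable message. A `validation` block naming the supported values, e.g. `validation { condition = contains(["staging", <other keys of local.db>], var.environment) error_message = "environment must be one of the keys of local.db" }`, makes the contract explicit (variable validation cannot reference locals, so the list has to be spelled out). Alternatively change the default to a key that exists, or make the lookups tolerant with `lookup(local.db, local.environment, …)`.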
@@ -194,7 +192,7 @@ resource "random_pet" "this" { module "lambda-determine-replacements-caselaw" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-determine-replacements-caselaw" @@ -327,7 +325,7 @@ module "lambda-determine-replacements-caselaw" { module "lambda-determine-replacements-legislation" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-determine-replacements-legislation" @@ -462,7 +460,7 @@ module "lambda-determine-replacements-legislation" { module "lambda-determine-replacements-abbreviations" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-determine-replacements-abbreviations" @@ -573,7 +571,7 @@ module "lambda-determine-replacements-abbreviations" { module "lambda-determine-legislation-provisions" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-determine-legislation-provisions" package_type = "Image" @@ -668,7 +666,7 @@ module "lambda-determine-legislation-provisions" { module "lambda-determine-oblique-references" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-determine-oblique-references" package_type = "Image" @@ -762,7 +760,7 @@ module "lambda-determine-oblique-references" { module "lambda-make-replacements" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-make-replacements" package_type = var.use_container_image == true ? "Image" : "Zip" 
@@ -935,7 +933,7 @@ data "aws_secretsmanager_secret_version" "sparql_password_credentials" { module "lambda-update-legislation-table" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" # Lambda function declaration function_name = "${local.name}-${local.environment}-update-legislation-table" @@ -1020,7 +1018,7 @@ module "lambda-update-legislation-table" { module "lambda-update-rules-processor" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" # Lambda function declaration function_name = "${local.name}-${local.environment}-update-rules-processor" @@ -1145,7 +1143,7 @@ module "lambda-update-rules-processor" { module "lambda-validate-replacements" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-xml-validate" package_type = var.use_container_image == true ? "Image" : "Zip" @@ -1508,7 +1506,7 @@ resource "aws_ecr_lifecycle_policy" "pe_retention" { module "lambda-push-enriched-xml" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" # Lambda function declaration function_name = "${local.name}-${local.environment}-push-enriched-xml" @@ -1632,7 +1630,7 @@ module "lambda-push-enriched-xml" { module "db_backup_lambda" { source = "terraform-aws-modules/lambda/aws" - version = ">3.0.0,<4.0.0" + version = "3.3.1" function_name = "${local.name}-${local.environment}-db-backup" description = "Takes a snapshot each day" diff --git a/terraform/modules/lambda_s3/provider.tf b/terraform/modules/lambda_s3/provider.tf deleted file mode 100644 index ac6cccf76..000000000 --- a/terraform/modules/lambda_s3/provider.tf +++ /dev/null @@ -1,9 +0,0 @@ -# provider "aws" { -# region = var.aws_region -# profile = var.aws_profile -# } -# provider "docker" { -# host = "unix:///var/run/docker.sock" -# source = "kreuzwerker/docker" -# version = ">= 0.13" -# } 
diff --git a/terraform/modules/lambda_s3/queue.tf b/terraform/modules/lambda_s3/queue.tf index 084fe897c..5bd4a79e3 100644 --- a/terraform/modules/lambda_s3/queue.tf +++ b/terraform/modules/lambda_s3/queue.tf @@ -1,4 +1,3 @@ - resource "aws_sqs_queue" "replacement-caselaw-queue" { name = "${local.name}-${local.environment}-replacement-caselaw-event-notification-queue" delay_seconds = 90 @@ -38,13 +37,10 @@ resource "aws_sqs_queue" "replacements-caselaw_dlq_queue" { message_retention_seconds = 1209600 #max is 2 weeks or 1209600 secs receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - # redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.terraform_queue_deadletter.arn}\",\"maxReceiveCount\":4}" tags = local.tags } - - resource "aws_sqs_queue" "replacements_dlq_queue" { name = "${local.name}-${local.environment}-replacements-dlq-queue" delay_seconds = 90 @@ -52,7 +48,6 @@ resource "aws_sqs_queue" "replacements_dlq_queue" { message_retention_seconds = 1209600 #max is 2 weeks or 1209600 secs receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - # redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.terraform_queue_deadletter.arn}\",\"maxReceiveCount\":4}" tags = local.tags } @@ -65,7 +60,10 @@ resource "aws_sqs_queue" "replacements-queue" { message_retention_seconds = 86400 receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.replacements_dlq_queue.arn}\",\"maxReceiveCount\":4}" + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.replacements_dlq_queue.arn, + maxReceiveCount = 4, + }) tags = local.tags } @@ -90,9 +88,6 @@ resource "aws_sqs_queue_policy" "replacements-queue-policy" { POLICY } - - - resource "aws_sqs_queue" "replacement-legislation-queue" { name = "${local.name}-${local.environment}-replacement-legislation-event-notification-queue" delay_seconds = 90 
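Review bot: `maxReceiveCount = 4` is now spelled out in six redrive policies in this file (the replacements-queue hunk here and the replacement-legislation, replacement-abbreviations, validation, xml-validated and fetch_xml hunks); one `sqs_max_receive_count = 4` local with a comment on why four, referenced from each `jsonencode({...})`, keeps them from drifting apart. In the three hunks where the resource closes right after `})` (legislation, abbreviations, xml-validated) there is no `tags = local.tags` line, unlike this queue, so if tags are not set earlier in those blocks they end up untagged. The `aws_sqs_queue_policy` bodies are still `POLICY` heredocs (see the `POLICY }` context in the following hunk); the same `jsonencode`, or a `data "aws_iam_policy_document"`, would give them plan-time structural validation as well.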
@@ -101,8 +96,10 @@ resource "aws_sqs_queue" "replacement-legislation-queue" { message_retention_seconds = 86400 receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.replacements-legislation_dlq_queue.arn}\",\"maxReceiveCount\":4}" - + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.replacements-legislation_dlq_queue.arn, + maxReceiveCount = 4, + }) } resource "aws_sqs_queue_policy" "replacement-legislation-queue-policy" { @@ -132,15 +129,10 @@ resource "aws_sqs_queue" "replacements-legislation_dlq_queue" { message_retention_seconds = 1209600 #max is 2 weeks or 1209600 secs receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - # redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.terraform_queue_deadletter.arn}\",\"maxReceiveCount\":4}" tags = local.tags } - - - - resource "aws_sqs_queue" "replacement-abbreviations-queue" { name = "${local.name}-${local.environment}-replacement-abbreviations-event-notification-queue" delay_seconds = 90 @@ -149,8 +141,10 @@ resource "aws_sqs_queue" "replacement-abbreviations-queue" { message_retention_seconds = 86400 receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.replacements-abbreviations_dlq_queue.arn}\",\"maxReceiveCount\":4}" - + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.replacements-abbreviations_dlq_queue.arn, + maxReceiveCount = 4, + }) } resource "aws_sqs_queue_policy" "replacements-abbreviations-queue-policy" { 
@@ -180,13 +174,10 @@ resource "aws_sqs_queue" "replacements-abbreviations_dlq_queue" { message_retention_seconds = 1209600 #max is 2 weeks or 1209600 secs receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - # redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.terraform_queue_deadletter.arn}\",\"maxReceiveCount\":4}" tags = local.tags } - - resource "aws_sqs_queue" "validation-queue" { name = "${local.name}-${local.environment}-validation-event-notification-queue" @@ -195,7 +186,10 @@ resource "aws_sqs_queue" "validation-queue" { message_retention_seconds = 86400 receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.validation_dlq_queue.arn}\",\"maxReceiveCount\":4}" + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.validation_dlq_queue.arn, + maxReceiveCount = 4, + }) tags = local.tags } @@ -260,7 +254,6 @@ resource "aws_sqs_queue" "validation_updates_dlq_queue" { message_retention_seconds = 1209600 #max is 2 weeks or 1209600 secs receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - # redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.terraform_queue_deadletter.arn}\",\"maxReceiveCount\":4}" tags = local.tags } @@ -272,7 +265,6 @@ resource "aws_sqs_queue" "validation_updates_error_dlq_queue" { message_retention_seconds = 1209600 #max is 2 weeks or 1209600 secs receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - # redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.terraform_queue_deadletter.arn}\",\"maxReceiveCount\":4}" tags = local.tags } 
@@ -285,8 +277,10 @@ resource "aws_sqs_queue" "xml-validated-queue" { message_retention_seconds = 86400 receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.xml-validated_dlq_queue.arn}\",\"maxReceiveCount\":4}" - + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.xml-validated_dlq_queue.arn, + maxReceiveCount = 4, + }) } resource "aws_sqs_queue_policy" "xml-validated-queue-policy" { @@ -433,7 +427,10 @@ resource "aws_sqs_queue" "fetch_xml_queue" { message_retention_seconds = 1209600 #max is 2 weeks or 1209600 secs receive_wait_time_seconds = 10 sqs_managed_sse_enabled = true - redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.fetch_xml_dlq_queue.arn}\",\"maxReceiveCount\":4}" + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.fetch_xml_dlq_queue.arn, + maxReceiveCount = 4, + }) tags = local.tags } @@ -468,7 +465,13 @@ resource "aws_sns_topic_subscription" "fetch_xml_queue_subscription" { protocol = "sqs" endpoint = aws_sqs_queue.fetch_xml_queue.arn filter_policy_scope = "MessageAttributes" - filter_policy = "{\"trigger_enrichment\": [{\"exists\": true}]}" + filter_policy = jsonencode({ + trigger_enrichment = [ + { + exists = true + } + ] + }) } resource "aws_sns_topic_subscription" "fetch_xml_queue_subscription_prod" { @@ -477,5 +480,11 @@ resource "aws_sns_topic_subscription" "fetch_xml_queue_subscription_prod" { protocol = "sqs" endpoint = aws_sqs_queue.fetch_xml_queue.arn filter_policy_scope = "MessageAttributes" - filter_policy = "{\"trigger_enrichment\": [{\"exists\": true}]}" + filter_policy = jsonencode({ + trigger_enrichment = [ + { + exists = true + } + ] + }) } diff --git a/terraform/modules/network/local.tf b/terraform/modules/network/local.tf deleted file mode 100644 index 32d1647ce..000000000 --- a/terraform/modules/network/local.tf +++ /dev/null 
@@ -1,18 +0,0 @@ -locals { - name = "tna-network" - region = var.aws_region - environment = var.environment - - tags = { - Environment = var.environment - Project = "tna" - } - environment_cidr_blocks = { - "dev" = 0 - "staging" = 1 - "production" = 2 - } - public_cidr_blocks = [cidrsubnet(var.vpc_cidr_block, 4, 2), cidrsubnet(var.vpc_cidr_block, 4, 3)] - database_cidr_blocks = [cidrsubnet(var.vpc_cidr_block, 4, 4), cidrsubnet(var.vpc_cidr_block, 4, 5)] - private_cidr_blocks = [cidrsubnet(var.vpc_cidr_block, 4, 6), cidrsubnet(var.vpc_cidr_block, 4, 7)] -} diff --git a/terraform/modules/network/locals.tf b/terraform/modules/network/locals.tf index 366e332a4..a50f29260 100644 --- a/terraform/modules/network/locals.tf +++ b/terraform/modules/network/locals.tf @@ -1,4 +1,18 @@ locals { + name = "tna-network" + region = var.aws_region + environment = var.environment + + environment_cidr_blocks = { + "dev" = 0 + "staging" = 1 + "production" = 2 + } + + public_cidr_blocks = [cidrsubnet(var.vpc_cidr_block, 4, 2), cidrsubnet(var.vpc_cidr_block, 4, 3)] + database_cidr_blocks = [cidrsubnet(var.vpc_cidr_block, 4, 4), cidrsubnet(var.vpc_cidr_block, 4, 5)] + private_cidr_blocks = [cidrsubnet(var.vpc_cidr_block, 4, 6), cidrsubnet(var.vpc_cidr_block, 4, 7)] + vpc = { staging = { single_ngw = true @@ -7,4 +21,9 @@ locals { single_ngw = false } } + + tags = { + Environment = var.environment + Project = "tna" + } } diff --git a/terraform/modules/network/outputs.tf b/terraform/modules/network/outputs.tf index bdf889160..cdbc3940e 100644 --- a/terraform/modules/network/outputs.tf +++ b/terraform/modules/network/outputs.tf @@ -7,11 +7,6 @@ output "database_subnet_group_name" { } output "public_subnets" { - # value = "${element(tolist(module.vpc.public_subnets.ids))}" - # value = "${tolist(module.vpc.public_subnets.ids)}" - # for_each = module.vpc.public_subnets.ids - # value =each.value - # value = "${module.vpc.public_subnets.ids}" value = [] } 
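Review bot: `environment_cidr_blocks = { "dev" = 0, "staging" = 1, "production" = 2 }` is added to network/locals.tf in this hunk, but the `cidrsubnet(var.vpc_cidr_block, 4, N)` calls right below it use the literal netnums 2–7 and nothing visible here reads the map, so it looks like a dead local carried over from the deleted local.tf; either fold it into the netnum calculation or drop it. Its `dev` key also differs from the `development` default the data module's `environment` variable uses, so the environment names should be aligned before anything keys on this map. The hunk ends at the `vpc = { staging = …` context, so whether every environment has a matching key there cannot be confirmed from this view.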
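Review bot: `output "public_subnets" { value = [] }` survives the network/outputs.tf hunk with the failed attempts deleted around it, so the module now exports a permanently empty list under a name that promises subnet IDs. In the terraform-aws-modules/vpc module `module.vpc.public_subnets` is already the list of public subnet IDs (the `.ids` attribute the removed comments tried does not exist on it), so `value = module.vpc.public_subnets` is the likely intent; if no consumer needs it, removing the output is better than a misleading constant.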
diff --git a/terraform/modules/network/vpc.tf b/terraform/modules/network/vpc.tf
index b3182eb52..d5c9a5059 100644
--- a/terraform/modules/network/vpc.tf
+++ b/terraform/modules/network/vpc.tf
@@ -1,6 +1,6 @@
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = ">=5.0.0,<6.0.0"
+ version = "5.7.1"
 name = "${local.name}-vpc-${local.environment}"
 cidr = var.vpc_cidr_block
@@ -9,12 +9,10 @@ module "vpc" {
 public_subnets = local.public_cidr_blocks
 database_subnets = local.database_cidr_blocks
 private_subnets = local.private_cidr_blocks
- # redshift_subnets = local.redshift_cidr_blocks
 create_database_subnet_group = true
 create_database_subnet_route_table = true
 create_database_nat_gateway_route = true
- #create_database_internet_gateway_route = true
 manage_default_security_group = true
 default_security_group_egress = [
@@ -38,9 +36,7 @@ module "vpc" {
 enable_vpn_gateway = false
 enable_dns_support = true
 enable_dns_hostnames = true
- #single_nat_gateway = true
- single_nat_gateway = local.vpc[local.environment].single_ngw
- #one_nat_gateway_per_az = false
+ single_nat_gateway = local.vpc[local.environment].single_ngw
 tags = local.tags
 }
@@ -64,265 +60,15 @@ data "aws_subnet" "private" { } resource "aws_vpc_endpoint" "secrets_manager" { + for_each = toset(data.aws_subnets.private.ids) + vpc_id = module.vpc.vpc_id service_name = "com.amazonaws.eu-west-2.secretsmanager" vpc_endpoint_type = "Interface" security_group_ids = [ - # aws_default_vpc.csx_default.default_security_group_id, module.vpc.default_security_group_id ] - # subnet_ids = local.private_cidr_blocks - # subnet_ids = [module.vpc.public_subnets] - # subnet_ids = ["subnet-0294f174fda94e874","subnet-0a75c1dc97fe38ac2"] - # for_each = toset(module.vpc.public_subnets) - # subnet_ids = "${element(var.subnet_azs, count.index)}" - # subnet_ids =each.key - - # count = "${length(module.vpc.public_subnets.ids)}" - #  subnet_ids = "${element(tolist(module.vpc.public_subnets.ids), count.index)}" - # subnet_ids = "${tolist(module.vpc.public_subnets.ids)}" - # subnet_ids = "${tolist(module.vpc.public_subnets).ids}" - # subnet_ids = ["${module.vpc.public_subnets}"] - - # "module": "module.data", - # "mode": "data", - # "type": "aws_subnet", - # "name": "private", - - # subnet_ids = [for value in module.vpc.public_subnets: value.id] - for_each = toset(data.aws_subnets.private.ids) - # id = each.value subnet_ids = [each.value] - - # private_dns_enabled = true } -# ": "sg-0216fc2f7477ed58d", - -# resource "aws_vpc_endpoint" "s3" { -# vpc_id = aws_default_vpc.csx_default.id -# service_name = "com.amazonaws.eu-west-2.s3" -# route_table_ids = [aws_default_vpc.csx_default.main_route_table_id] -# } - -# resource "aws_vpc_endpoint" "s3" { -# vpc_id = module.vpc.vpc_id -# service_name = "com.amazonaws.${var.aws_region}.s3" -# vpc_endpoint_type = "Interface" - -# security_group_ids = [ -# module.s3_gateway_endpoint_sg.security_group_id -# ] - -# private_dns_enabled = false - -# tags = merge(local.tags, { -# Name = "${local.name}-s3-gateway-endpoint-${local.environment}" -# }) -# } - -# resource "aws_vpc_endpoint_subnet_association" "s3_gateway_subnet" { -# 
vpc_endpoint_id = aws_vpc_endpoint.s3.id -# subnet_id = aws_subnet.storage_gateway_subnet.id -# } - -# resource "aws_subnet" "storage_gateway_subnet" { -# vpc_id = module.vpc.vpc_id -# cidr_block = local.gateway_cidr_block - -# tags = merge(local.tags, { -# Name = "${local.name}-storage-gateway-subnet-${local.environment}" -# }) -# } - -# resource "aws_route_table" "storage_gateway_vpn" { -# vpc_id = module.vpc.vpc_id - -# tags = merge(local.tags, { -# Name = "${local.name}-storage-gateway-vpn-route-${local.environment}" -# }) -# } - -# resource "aws_route_table_association" "storage_gateway_vpn" { -# subnet_id = aws_subnet.storage_gateway_subnet.id -# route_table_id = aws_route_table.storage_gateway_vpn.id -# } - -# module "storage_gateway_endpoint_sg" { -# source = "terraform-aws-modules/security-group/aws" -# version = ">=4.0.0,<=5.0.0" - -# name = "${local.name}-storage-gateway-sg-${local.environment}" -# vpc_id = module.vpc.vpc_id - -# ingress_with_cidr_blocks = [ -# { -# rule = "ssh-tcp" -# cidr_blocks = var.azure_cidr_block -# }, -# { -# rule = "rdp-tcp" -# cidr_blocks = var.azure_cidr_block -# }, -# { -# rule = "all-icmp" -# cidr_blocks = var.azure_cidr_block -# }, -# { -# rule = "https-443-tcp" -# cidr_blocks = var.azure_cidr_block -# }, -# { -# protocol = 6 -# from_port = 1026 -# to_port = 1028 -# cidr_blocks = var.azure_cidr_block -# }, -# { -# protocol = 6 -# from_port = 1031 -# to_port = 1031 -# cidr_blocks = var.azure_cidr_block -# }, -# { -# protocol = 6 -# from_port = 2222 -# to_port = 2222 -# cidr_blocks = var.azure_cidr_block -# } -# ] - -# egress_with_cidr_blocks = [ -# { -# protocol = "-1" -# from_port = 0 -# to_port = 0 -# cidr_blocks = var.azure_cidr_block -# } -# ] -# } - -# resource "aws_vpc_endpoint" "storage_gateway" { -# vpc_id = module.vpc.vpc_id -# service_name = "com.amazonaws.${var.aws_region}.storagegateway" -# vpc_endpoint_type = "Interface" - -# security_group_ids = [ -# module.storage_gateway_endpoint_sg.security_group_id -# ] - 
-# private_dns_enabled = false - -# tags = merge(local.tags, { -# Name = "${local.name}-storage-gateway-endpoint-${local.environment}" -# }) -# } - -# resource "aws_vpc_endpoint_subnet_association" "storage_gateway_subnet" { -# vpc_endpoint_id = aws_vpc_endpoint.storage_gateway.id -# subnet_id = aws_subnet.storage_gateway_subnet.id -# } - -# module "s3_gateway_endpoint_sg" { -# source = "terraform-aws-modules/security-group/aws" -# version = ">=4.0.0,<=5.0.0" - -# name = "${local.name}-s3-gateway-sg-${local.environment}" -# vpc_id = module.vpc.vpc_id - -# ingress_with_cidr_blocks = [ -# { -# rule = "ssh-tcp" -# cidr_blocks = var.azure_cidr_block -# }, -# { -# rule = "https-443-tcp" -# cidr_blocks = var.azure_cidr_block -# } -# ] - -# egress_with_cidr_blocks = [ -# { -# rule = "ssh-tcp" -# cidr_blocks = var.azure_cidr_block -# }, -# { -# rule = "https-443-tcp" -# cidr_blocks = var.azure_cidr_block -# } -# ] -# } - - -# resource "aws_vpc_endpoint" "s3" { -# vpc_id = module.vpc.vpc_id -# service_name = "com.amazonaws.${var.aws_region}.s3" -# vpc_endpoint_type = "Interface" - -# security_group_ids = [ -# module.s3_gateway_endpoint_sg.security_group_id -# ] - -# private_dns_enabled = false - -# tags = merge(local.tags, { -# Name = "${local.name}-s3-gateway-endpoint-${local.environment}" -# }) -# } - -# resource "aws_vpc_endpoint_subnet_association" "s3_gateway_subnet" { -# vpc_endpoint_id = aws_vpc_endpoint.s3.id -# subnet_id = aws_subnet.storage_gateway_subnet.id -# } - -# module "fargate_endpoints_sg" { -# source = "terraform-aws-modules/security-group/aws" -# version = ">=4.0.0,<=5.0.0" - -# name = "${local.name}-fargate-endpoints-sg-${local.environment}" -# vpc_id = module.vpc.vpc_id - -# ingress_with_cidr_blocks = [ -# { -# rule = "https-443-tcp" -# cidr_blocks = module.vpc.vpc_cidr_block -# } -# ] - -# egress_with_cidr_blocks = [ -# { -# rule = "https-443-tcp" -# cidr_blocks = "0.0.0.0/0" -# } -# ] -# } - -# locals { -# fargate_vpc_endpoints = [ -# 
"secretsmanager",
-# "ecr.dkr",
-# "ecr.api",
-# "logs"
-# ]
-# }
-
-# resource "aws_vpc_endpoint" "fargate" {
-# for_each = toset(local.fargate_vpc_endpoints)
-
-# vpc_id = module.vpc.vpc_id
-# service_name = "com.amazonaws.${var.aws_region}.${each.value}"
-# vpc_endpoint_type = "Interface"
-
-# security_group_ids = [
-# module.fargate_endpoints_sg.security_group_id
-# ]
-
-# subnet_ids = module.vpc.public_subnets
-
-# private_dns_enabled = true
-
-# tags = merge(local.tags, {
-# Name = "${local.name}-${each.value}-endpoint-${local.environment}"
-# })
-# }
diff --git a/terraform/modules/secure_bucket/kms.tf b/terraform/modules/secure_bucket/kms.tf
index 71a6d35f6..ad34b6183 100644
--- a/terraform/modules/secure_bucket/kms.tf
+++ b/terraform/modules/secure_bucket/kms.tf
@@ -4,7 +4,7 @@ resource "aws_kms_key" "this" {
 description = "KMS key used to encrypt bucket ${var.bucket_name}"
 deletion_window_in_days = 7
 enable_key_rotation = true
- policy = var.vcite_enriched ? var.kms_policy_json : null #data.aws_iam_policy_document.vcite_kms_policy.json : null
+ policy = var.vcite_enriched ? var.kms_policy_json : null
 }
 
 resource "aws_kms_alias" "this" {
diff --git a/terraform/modules/secure_bucket/main.tf b/terraform/modules/secure_bucket/main.tf
index 4c151a5a1..3ee674e6d 100644
--- a/terraform/modules/secure_bucket/main.tf
+++ b/terraform/modules/secure_bucket/main.tf
@@ -1,6 +1,6 @@
 module "this" {
 source = "terraform-aws-modules/s3-bucket/aws"
- version = ">=3.13.0, <4.0.0"
+ version = "3.15.2"
 bucket = var.bucket_name
diff --git a/terraform/network/main.tf b/terraform/network/main.tf
deleted file mode 100644
index a7e941107..000000000
--- a/terraform/network/main.tf
+++ /dev/null
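Review bot: `resource "aws_vpc_endpoint" "secrets_manager"` in the vpc.tf hunk is now `for_each` over every private subnet with `subnet_ids = [each.value]`, which creates one Interface endpoint per subnet for the same service instead of a single endpoint spanning all the subnets; `private_dns_enabled` (deleted here as a comment) defaults to false, so callers resolving the public `secretsmanager.eu-west-2.amazonaws.com` name are not routed through these endpoints at all, and as far as I recall AWS permits private DNS on only one endpoint per service per VPC, so it could not simply be switched on for the whole set. A single endpoint with `subnet_ids = data.aws_subnets.private.ids` and `private_dns_enabled = true` does what the removed comments were reaching for. `service_name` also hard-codes `eu-west-2` while this commit adds `region = var.aws_region` to the module's locals; `"com.amazonaws.${local.region}.secretsmanager"` keeps them in step.
```hcl
resource "aws_vpc_endpoint" "secrets_manager" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.${local.region}.secretsmanager"
  # … unchanged: vpc_endpoint_type, security_group_ids …
  subnet_ids          = data.aws_subnets.private.ids
  private_dns_enabled = true
}
```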
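Review bot: `deletion_window_in_days = 7` on `aws_kms_key.this` (context in the kms.tf hunk) is the shortest window AWS allows; for a key that encrypts bucket contents, a scheduled deletion, whether accidental or by a compromised principal, leaves only a week to notice and cancel before the data becomes unrecoverable. Unless the short window is deliberate for disposable environments, the 30-day default is the safer choice, e.g. `deletion_window_in_days = 30`, or make it a variable so only ephemeral buckets use 7. The `policy = var.vcite_enriched ? var.kms_policy_json : null` line falls back to the AWS default key policy when `vcite_enriched` is false, which is worth a comment since the conditional is not self-explanatory.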
@@ -1,18 +0,0 @@
-terraform {
- required_version = ">=1.4"
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">=5.3.0,<6.0.0"
- }
- }
-
-}
-
-module "network" {
- source = "../modules/network"
-
- environment = "production"
- aws_profile = var.aws_profile
- aws_region = var.aws_region
-}
diff --git a/terraform/network/outputs.tf b/terraform/network/outputs.tf
deleted file mode 100644
index 59f6a6721..000000000
--- a/terraform/network/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "vpc_id" {
- value = module.network.vpc_id
-}
-
-output "database_subnet_group_name" {
- value = module.network.database_subnet_group_name
-}
diff --git a/terraform/network/provider.tf b/terraform/network/provider.tf
deleted file mode 100644
index 9e8a8a762..000000000
--- a/terraform/network/provider.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-provider "aws" {
- region = var.aws_region
- profile = var.aws_profile
-}
diff --git a/terraform/network/variables.tf b/terraform/network/variables.tf
deleted file mode 100644
index 7c18c647b..000000000
--- a/terraform/network/variables.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-variable "aws_profile" {
- type = string
- default = "default"
-}
-
-variable "aws_region" {
- type = string
- # default = "eu-west-2"
- default = "eu-west-1"
-}
diff --git a/terraform/provider.tf b/terraform/provider.tf
index f00bd76eb..dc58d9a25 100644
--- a/terraform/provider.tf
+++ b/terraform/provider.tf
@@ -1,5 +1,3 @@
-# AWS provider configuration
 provider "aws" {
 region = var.region
- # profile = "tna-mxt-staging"
 }
diff --git a/terraform/s3.tf b/terraform/s3.tf
deleted file mode 100644
index e3b183238..000000000
--- a/terraform/s3.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-# SQS queue
-# resource "aws_sqs_queue" "queue" {
-# name = "${var.app_env}-s3-event-notification-queue"
-
-# policy = <