diff --git a/terraform/iam/.terraform-version b/terraform/iam/.terraform-version
deleted file mode 100644
index f1ce147..0000000
--- a/terraform/iam/.terraform-version
+++ /dev/null
@@ -1 +0,0 @@
-latest:^1.5
diff --git a/terraform/iam/.terraform.lock.hcl b/terraform/iam/.terraform.lock.hcl
deleted file mode 100644
index c57b79b..0000000
--- a/terraform/iam/.terraform.lock.hcl
+++ /dev/null
@@ -1,25 +0,0 @@
-# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.31.0" - constraints = ">= 4.0.0" - hashes = [ - "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", - "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", - "zh:2fe4884cb9642f48a5889f8dff8f5f511418a18537a9dfa77ada3bcdad391e4e", - "zh:36d8bdd72fe61d816d0049c179f495bc6f1e54d8d7b07c45b62e5e1696882a89", - "zh:539dd156e3ec608818eb21191697b230117437a58587cbd02ce533202a4dd520", - "zh:6a53f4b57ac4eb3479fc0d8b6e301ca3a27efae4c55d9f8bd24071b12a03361c", - "zh:6faeb8ff6792ca7af1c025255755ad764667a300291cc10cea0c615479488c87", - "zh:7d9423149b323f6d0df5b90c4d9029e5455c670aea2a7eb6fef4684ba7eb2e0b", - "zh:8235badd8a5d0993421cacf5ead48fac73d3b5a25c8a68599706a404b1f70730", - "zh:860b4f60842b2879c5128b7e386c8b49adeda9287fed12c5cd74861bb659bbcd", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:b021fceaf9382c8fe3c6eb608c24d01dce3d11ba7e65bb443d51ca9b90e9b237", - "zh:b38b0bfc1c69e714e80cf1c9ea06e687ee86aa9f45694be28eb07adcebbe0489", - "zh:c972d155f6c01af9690a72adfb99cfc24ef5ef311ca92ce46b9b13c5c153f572", - "zh:e0dd29920ec84fdb6026acff44dcc1fb1a24a0caa093fa04cdbc713d384c651d", - "zh:e3127ebd2cb0374cd1808f911e6bffe2f4ac4d84317061381242353f3a7bc27d", - ] -}
diff --git a/terraform/iam/README.md b/terraform/iam/README.md
deleted file mode 100644
index 8993ee7..0000000
--- a/terraform/iam/README.md
+++ /dev/null
@@ -1,55 +0,0 @@
-# Backstage: IAM
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.5 |
-| [aws](#requirement\_aws) | >= 4.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | 5.31.0 |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [tags](#module\_tags) | sourcefuse/arc-tags/aws | 1.2.3 |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_openid_connect_provider.github_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
-| [aws_iam_policy.backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.github_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.github_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.github_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [environment](#input\_environment) | ID element. Usually used for region e.g. 
'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | n/a | yes |
-| [github\_org\_name](#input\_github\_org\_name) | GitHub Organization name | `string` | `"sourcefuse"` | no |
-| [namespace](#input\_namespace) | Namespace for the resources. | `string` | `"arc"` | no |
-| [project\_name](#input\_project\_name) | Name of the project. | `string` | `"backstage"` | no |
-| [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no |
-| [service\_roles](#input\_service\_roles) | Service Roles that will be used for the repos to access AWS resources.
If `repo_name` is set to "*" all repos in the GitHub Organization will be included.
`ref` is optional, the default being "*" which allows any branch, pull request merge branch, or environment to assume role |
list(object({
role_name = string
max_session_duration = optional(number, 3600)
repo_name = string
ref = optional(string, "*")
# `*` allows any branch, pull request merge branch, or environment to assume role
policy = any
}))
| `[]` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [service\_role\_arns](#output\_service\_role\_arns) | The ARNs of the IAM roles created by the aws\_iam\_role.github\_oidc resource block. |
-| [service\_role\_ids](#output\_service\_role\_ids) | The IDs of the IAM roles created by the aws\_iam\_role.github\_oidc resource block. |
-| [service\_role\_names](#output\_service\_role\_names) | The names of the IAM roles created by the aws\_iam\_role.github\_oidc resource block. |
-
diff --git a/terraform/iam/config.poc.hcl b/terraform/iam/config.poc.hcl
deleted file mode 100644
index 55a8c4f..0000000
--- a/terraform/iam/config.poc.hcl
+++ /dev/null
@@ -1,5 +0,0 @@
-region = "us-east-1"
-key = "sourcefuse-backstage-iam/terraform.tfstate"
-bucket = "sf-arc-poc-terraform-state-bucket"
-dynamodb_table = "sf-arc-poc-terraform-state-lock-table"
-encrypt = true
diff --git a/terraform/iam/config.prod.hcl b/terraform/iam/config.prod.hcl
deleted file mode 100644
index a23d860..0000000
--- a/terraform/iam/config.prod.hcl
+++ /dev/null
@@ -1,5 +0,0 @@
-region = "us-east-1"
-key = "sourcefuse-backstage-iam/terraform.tfstate"
-bucket = "sf-arc-prod-terraform-state-bucket"
-dynamodb_table = "sf-arc-prod-terraform-state-lock-table"
-encrypt = true
diff --git a/terraform/iam/data.tf b/terraform/iam/data.tf
deleted file mode 100644
index 8e043bf..0000000
--- a/terraform/iam/data.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-data "aws_caller_identity" "this" {}
-
-data "aws_partition" "this" {}
diff --git a/terraform/iam/locals.tf b/terraform/iam/locals.tf
deleted file mode 100644
index a2081e7..0000000
--- a/terraform/iam/locals.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-locals {
- service_roles = [
- {
- role_name = "${var.namespace}-${var.environment}-terraform-backstage-deploy"
- max_session_duration = 7200
- repo_name = "backstage"
- ref = "*"
- policy = {
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Action" : [
- "*"
- ],
- "Effect" : "Allow",
- "Resource" : ["*"]
- }
- ]
- }
- },
- ]
-}
diff --git a/terraform/iam/main.tf b/terraform/iam/main.tf
deleted file mode 100644
index 3ef361b..0000000
--- a/terraform/iam/main.tf
+++ /dev/null
@@ -1,165 +0,0 @@
-################################################################################
-## defaults
-################################################################################
-terraform {
- required_version = ">= 1.5"
-
- required_providers {
- aws = {
- version = ">= 4.0"
- source = "hashicorp/aws"
- }
- }
-
- backend "s3" {}
-}
-
-module "tags" {
- source = "sourcefuse/arc-tags/aws"
- version = "1.2.3"
-
- environment = var.environment
- project = var.project_name
-
- extra_tags = {
- Repo = "github.com/sourcefuse/backstage"
- Path = "terraform/iam"
- }
-}
-
-provider "aws" {
- region = var.region
-}
-
-################################################################################
-## backend
-################################################################################
-data "aws_iam_policy_document" "backend" {
- version = "2012-10-17"
-
- ## backend state
- statement {
- effect = "Allow"
- actions = [
- "s3:ListBucket"
- ]
- resources = [
- "arn:${data.aws_partition.this.partition}:s3:::sf-${var.namespace}-${var.environment}-terraform-state-bucket"
- ]
- }
-
- statement {
- effect = "Allow"
- actions = [
- "s3:GetObject",
- "s3:PutObject",
- "s3:DeleteObject"
- ]
- resources = [
- "arn:${data.aws_partition.this.partition}:s3:::sf-${var.namespace}-${var.environment}-terraform-state-bucket/env:/${var.environment}/sourcefuse-backstage/terraform.tfstate"
- ]
- }
-
- statement {
- effect = "Allow"
- actions = [
- "dynamodb:DescribeTable",
- "dynamodb:GetItem",
- "dynamodb:PutItem",
- "dynamodb:DeleteItem"
- ]
- resources = [
- "arn:${data.aws_partition.this.partition}:dynamodb:*:*:table/sf-${var.namespace}-${var.environment}-terraform-state-lock-table"
- ]
- }
-}
-
-resource "aws_iam_policy" "backend" {
- name = "${var.namespace}-${var.environment}-backend-access"
- path = "/"
- description = "Backend access policy"
-
- policy = data.aws_iam_policy_document.backend.json
-}
-
-resource "aws_iam_role_policy_attachment" "this" {
- for_each = { 
for x in local.service_roles : x.role_name => x }
-
- role = each.value.role_name
- policy_arn = aws_iam_policy.backend.arn
-
- depends_on = [
- aws_iam_role.github_oidc
- ]
-}
-
-################################################################################
-## openid connect
-################################################################################
-resource "aws_iam_openid_connect_provider" "github_oidc" {
- url = "https://token.actions.githubusercontent.com"
-
- client_id_list = [
- "sts.amazonaws.com"
- ]
-
- thumbprint_list = [
- "6938fd4d98bab03faadb97b34396831e3780aea1",
- "1c58a3a8518e8759bf075b76b750d4f2df264fcd" # Refer to: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
- ]
-
- tags = module.tags.tags
-}
-
-################################################################################
-## role
-################################################################################
-resource "aws_iam_role" "github_oidc" {
- for_each = { for x in local.service_roles : x.role_name => x }
-
- name = each.value.role_name
- max_session_duration = each.value.max_session_duration
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRoleWithWebIdentity",
- Effect = "Allow"
- Principal = {
- Federated = aws_iam_openid_connect_provider.github_oidc.arn
- }
- Condition = {
- StringLike = {
- "token.actions.githubusercontent.com:sub" = "repo:${var.github_org_name}/${each.value.repo_name}:${each.value.ref}"
- },
- StringEquals = {
- "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
- }
- }
- },
- ]
- })
-
- tags = merge(module.tags.tags, tomap({
- Name = each.value.role_name
- }))
-}
-
-resource "aws_iam_policy" "github_oidc" {
- for_each = { for x in local.service_roles : x.role_name => x }
-
- name = each.value.role_name
- policy = jsonencode(each.value.policy)
-
- depends_on = [
- aws_iam_role.github_oidc
- ]
-}
-
-resource 
"aws_iam_role_policy_attachment" "github_oidc" {
- for_each = { for x in local.service_roles : x.role_name => x }
-
- policy_arn = aws_iam_policy.github_oidc[each.value.role_name].arn
- role = aws_iam_role.github_oidc[each.value.role_name].id
-}
diff --git a/terraform/iam/outputs.tf b/terraform/iam/outputs.tf
deleted file mode 100644
index 5e60e91..0000000
--- a/terraform/iam/outputs.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-################################################################################
-## Service Roles
-################################################################################
-output "service_role_arns" {
- description = "The ARNs of the IAM roles created by the aws_iam_role.github_oidc resource block."
- value = [for role in aws_iam_role.github_oidc : role.arn]
-}
-
-output "service_role_ids" {
- description = "The IDs of the IAM roles created by the aws_iam_role.github_oidc resource block."
- value = [for role in aws_iam_role.github_oidc : role.id]
-}
-
-output "service_role_names" {
- description = "The names of the IAM roles created by the aws_iam_role.github_oidc resource block."
- value = [for role in aws_iam_role.github_oidc : role.name]
-}
diff --git a/terraform/iam/poc.tfvars b/terraform/iam/poc.tfvars
deleted file mode 100644
index a25e506..0000000
--- a/terraform/iam/poc.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-environment = "poc"
diff --git a/terraform/iam/prod.tfvars b/terraform/iam/prod.tfvars
deleted file mode 100644
index 23a817b..0000000
--- a/terraform/iam/prod.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-environment = "prod"
diff --git a/terraform/iam/variables.tf b/terraform/iam/variables.tf
deleted file mode 100644
index 70a5d64..0000000
--- a/terraform/iam/variables.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-################################################################
-## shared
-################################################################
-variable "project_name" {
- type = string
- description = "Name of the project."
- default = "backstage"
-}
-
-variable "region" {
- type = string
- default = "us-east-1"
- description = "AWS region"
-}
-
-variable "environment" {
- type = string
- description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
-}
-
-variable "namespace" {
- type = string
- description = "Namespace for the resources."
- default = "arc"
-}
-
-################################################################################
-## github
-################################################################################
-variable "github_org_name" {
- type = string
- description = "GitHub Organization name"
- default = "sourcefuse"
-}
-
-variable "service_roles" {
- type = list(object({
- role_name = string
- max_session_duration = optional(number, 3600)
- repo_name = string
- ref = optional(string, "*")
- # `*` allows any branch, pull request merge branch, or environment to assume role
- policy = any
- }))
- description = <<-EOT
- Service Roles that will be used for the repos to access AWS resources.
- If `repo_name` is set to "*" all repos in the GitHub Organization will be included.
- `ref` is optional, the default being "*" which allows any branch, pull request merge branch, or environment to assume role
- EOT
- default = []
-}