Merge branch 'main' into MLPAB-1685

.github/workflows/terraform_account_job.yml

@@ -14,6 +14,10 @@ on:
       aws_secret_access_key:
         description: 'AWS Secret Access Key'
         required: true
+
+env:
+  TFLINT_VERSION: 0.50.1
+
 jobs:
   terraform_account_workflow:
     name: "${{ inputs.workspace_name }} account deployment"
@@ -49,13 +53,22 @@ jobs:
           aws-region: eu-west-1
           role-duration-seconds: 3600
           role-session-name: OPGModernisingLPATerraformGithubAction
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v${{ env.TFLINT_VERSION }}
 
-      - name: Lint Terraform
-        id: tf_lint
+      - name: Check formatting
+        id: tf_fmt
         run: terraform fmt -check -recursive
         working-directory: ./terraform/account
         continue-on-error: true
 
+      - name: Lint Terraform
+        id: tf_lint
+        run: tflint --recursive
+        working-directory: ./terraform/account
+
       - name: Terraform Init
         run: terraform init -input=false
         working-directory: ./terraform/account

.github/workflows/terraform_environment_job.yml

@@ -55,6 +55,9 @@ permissions:
   pull-requests: write
   issues: write
 
+env:
+  TFLINT_VERSION: 0.50.1
+
 jobs:
   terraform_environment_workflow:
     name: "${{ inputs.workspace_name }} environment deployment"
@@ -97,13 +100,22 @@ jobs:
       - uses: webfactory/ssh-agent@v0.8.0
         with:
           ssh-private-key: ${{ secrets.ssh_deploy_key }}
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v${{ env.TFLINT_VERSION }}
 
-      - name: Lint Terraform
-        id: tf_lint
+      - name: Check formatting
+        id: tf_fmt
         run: terraform fmt -check -recursive
         working-directory: ./terraform/environment
         continue-on-error: true
 
+      - name: Lint Terraform
+        id: tf_lint
+        run: tflint --recursive
+        working-directory: ./terraform/environment
+
       - name: Terraform Init
         run: terraform init -input=false
         working-directory: ./terraform/environment

.pre-commit-config.yaml

@@ -2,7 +2,7 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.5.0
     hooks:
       - id: trailing-whitespace # trims trailing whitespace.
       - id: end-of-file-fixer # ensures that a file is either empty, or ends with one newline.
@@ -19,19 +19,21 @@ repos:
         args:
         - --branch=main
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.76.0
+    rev: v1.86.0
     hooks:
       - id: terraform_fmt
-      # - id: terraform_validate
-      #   exclude: region/[^/]+$.
+      - id: terraform_tflint
+        args:
+          - --args=--recursive
+
   - repo: https://github.com/dnephin/pre-commit-golang
     rev: v0.5.1
     hooks:
       - id: go-fmt # Runs gofmt
       - id: go-imports # Runs gofmt
       - id: go-mod-tidy # Tidies up and removes unused requires in go.mod using go mod tidy
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 32.221.1
+    rev: 37.150.1
     hooks:
       - id: renovate-config-validator
   - repo: https://github.com/Yelp/detect-secrets

terraform/account/region/data_sources.tf

@@ -7,3 +7,15 @@ data "aws_kms_alias" "secrets_manager" {
   name     = var.secrets_manager_kms_key_alias
   provider = aws.region
 }
+
+data "aws_region" "current" {
+  provider = aws.region
+}
+
+data "aws_caller_identity" "current" {
+  provider = aws.region
+}
+
+data "aws_default_tags" "current" {
+  provider = aws.region
+}

terraform/account/region/modules/antivirus_definitions/main.tf

@@ -23,7 +23,7 @@ resource "aws_lambda_function" "lambda_function" {
   }
 
   vpc_config {
-    subnet_ids = data.aws_subnet.application.*.id
+    subnet_ids = data.aws_subnet.application[*].id
     security_group_ids = [
       data.aws_security_group.lambda_egress.id
     ]

terraform/account/region/modules/antivirus_definitions/variables.tf

@@ -1,3 +1,4 @@
 variable "ecr_image_uri" {
+  type        = string
   description = "URI of ECR image to use for Lambda"
 }

terraform/account/region/modules/antivirus_definitions/terraform.tf → terraform/account/region/modules/antivirus_definitions/versions.tf

@@ -3,7 +3,8 @@ terraform {
 
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
+      version = "~> 5.32.0"
       configuration_aliases = [
         aws.region,
       ]

terraform/account/region/modules/dns_firewall/terraform.tf → terraform/account/region/modules/dns_firewall/versions.tf

@@ -3,7 +3,8 @@ terraform {
 
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
+      version = "~> 5.32.0"
       configuration_aliases = [
         aws.region,
       ]

terraform/account/region/modules/s3_batch_manifests/data_sources.tf

@@ -2,10 +2,6 @@ data "aws_region" "current" {
   provider = aws.region
 }
 
-data "aws_caller_identity" "current" {
-  provider = aws.region
-}
-
 data "aws_default_tags" "current" {
   provider = aws.region
 }

terraform/account/region/modules/s3_batch_manifests/terraform.tf → terraform/account/region/modules/s3_batch_manifests/versions.tf

@@ -3,7 +3,8 @@ terraform {
 
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
+      version = "~> 5.32.0"
       configuration_aliases = [
         aws.region,
       ]

terraform/account/region/modules/s3_bucket_event_notifications/terraform.tf → terraform/account/region/modules/s3_bucket_event_notifications/versions.tf

@@ -3,7 +3,8 @@ terraform {
 
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
+      version = "~> 5.32.0"
     }
   }
 }

terraform/account/region/versions.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 1.5.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.32.0"
+      configuration_aliases = [
+        aws.region,
+        aws.management,
+        aws.global,
+      ]
+    }
+  }
+}

terraform/account/sqs_kms.tf

@@ -2,7 +2,7 @@ resource "aws_kms_key" "sqs" {
   description             = "${local.default_tags.application} SQS encryption key"
   deletion_window_in_days = 10
   enable_key_rotation     = true
-  policy                  = local.account.account_name == "development" ? data.aws_iam_policy_document.sns_kms_merged.json : data.aws_iam_policy_document.sns_kms.json
+  policy                  = local.account.account_name == "development" ? data.aws_iam_policy_document.sqs_kms_merged.json : data.aws_iam_policy_document.sns_kms.json
   multi_region            = true
   provider                = aws.eu_west_1
 }

terraform/account/terraform.tf

@@ -13,10 +13,6 @@ variable "default_role" {
   type    = string
   default = "modernising-lpa-ci"
 }
-variable "management_role" {
-  type    = string
-  default = "modernising-lpa-ci"
-}
 
 provider "aws" {
   alias  = "eu_west_1"
@@ -94,30 +90,10 @@ data "aws_region" "eu_west_1" {
   provider = aws.eu_west_1
 }
 
-data "aws_caller_identity" "eu_west_1" {
-  provider = aws.eu_west_1
-}
-
-data "aws_default_tags" "eu_west_1" {
-  provider = aws.eu_west_1
-}
-
 data "aws_region" "eu_west_2" {
   provider = aws.eu_west_2
 }
 
-data "aws_caller_identity" "eu_west_2" {
-  provider = aws.eu_west_2
-}
-
-data "aws_default_tags" "eu_west_2" {
-  provider = aws.eu_west_2
-}
-
-data "aws_region" "global" {
-  provider = aws.global
-}
-
 data "aws_caller_identity" "global" {
   provider = aws.global
 }

terraform/environment/global/data_sources.tf

@@ -0,0 +1,3 @@
+data "aws_default_tags" "current" {
+  provider = aws.global
+}

terraform/environment/global/versions.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.5.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.32.0"
+      configuration_aliases = [
+        aws.global,
+      ]
+    }
+    pagerduty = {
+      source  = "PagerDuty/pagerduty"
+      version = "~> 3.4.0"
+    }
+  }
+}

terraform/environment/parameters.tf

@@ -14,8 +14,3 @@ resource "aws_ssm_parameter" "dns_target_region" {
     ignore_changes = [value]
   }
 }
-
-data "aws_ssm_parameter" "dns_target_region" {
-  provider = aws.management_global
-  name     = aws_ssm_parameter.dns_target_region.name
-}

terraform/environment/region/data_sources.tf

@@ -12,3 +12,15 @@ data "aws_iam_role" "sns_failure_feedback" {
   name     = "SNSFailureFeedback"
   provider = aws.global
 }
+
+data "aws_region" "current" {
+  provider = aws.region
+}
+
+data "aws_caller_identity" "current" {
+  provider = aws.region
+}
+
+data "aws_default_tags" "current" {
+  provider = aws.region
+}

terraform/environment/region/ecs.tf

@@ -39,8 +39,8 @@ module "app" {
   public_access_enabled           = var.public_access_enabled
   network = {
     vpc_id              = data.aws_vpc.main.id
-    application_subnets = data.aws_subnet.application.*.id
-    public_subnets      = data.aws_subnet.public.*.id
+    application_subnets = data.aws_subnet.application[*].id
+    public_subnets      = data.aws_subnet.public[*].id
   }
   uploads_s3_bucket = {
     bucket_name = module.uploads_s3_bucket.bucket.id
@@ -78,8 +78,8 @@ module "mock_onelogin" {
   redirect_base_url               = var.app_env_vars.auth_redirect_base_url
   network = {
     vpc_id              = data.aws_vpc.main.id
-    application_subnets = data.aws_subnet.application.*.id
-    public_subnets      = data.aws_subnet.public.*.id
+    application_subnets = data.aws_subnet.application[*].id
+    public_subnets      = data.aws_subnet.public[*].id
   }
   aws_service_discovery_private_dns_namespace = {
     id   = aws_service_discovery_private_dns_namespace.mock_one_login.id

terraform/environment/region/event_received.tf

@@ -5,7 +5,6 @@ data "aws_ecr_repository" "event_received" {
 
 module "event_received" {
   source                        = "./modules/event_received"
-  lambda_function_image_ecr_arn = data.aws_ecr_repository.event_received.arn
   lambda_function_image_ecr_url = data.aws_ecr_repository.event_received.repository_url
   lambda_function_image_tag     = var.app_service_container_version
   event_bus_name                = module.event_bus.event_bus.name

terraform/environment/region/modules/app/data_sources.tf

@@ -0,0 +1,7 @@
+data "aws_region" "current" {
+  provider = aws.region
+}
+
+data "aws_default_tags" "current" {
+  provider = aws.region
+}