diff --git a/.github/workflows/terraform_account_job.yml b/.github/workflows/terraform_account_job.yml index 0457b33d6f..c3acfcfe80 100644 --- a/.github/workflows/terraform_account_job.yml +++ b/.github/workflows/terraform_account_job.yml @@ -14,6 +14,10 @@ on: aws_secret_access_key: description: 'AWS Secret Access Key' required: true + +env: + TFLINT_VERSION: 0.50.1 + jobs: terraform_account_workflow: name: "${{ inputs.workspace_name }} account deployment" @@ -49,13 +53,22 @@ jobs: aws-region: eu-west-1 role-duration-seconds: 3600 role-session-name: OPGModernisingLPATerraformGithubAction + - uses: terraform-linters/setup-tflint@v4 + name: Setup TFLint + with: + tflint_version: v${{ env.TFLINT_VERSION }} - - name: Lint Terraform - id: tf_lint + - name: Check formatting + id: tf_fmt run: terraform fmt -check -recursive working-directory: ./terraform/account continue-on-error: true + - name: Lint Terraform + id: tf_lint + run: tflint --recursive + working-directory: ./terraform/account + - name: Terraform Init run: terraform init -input=false working-directory: ./terraform/account diff --git a/.github/workflows/terraform_environment_job.yml b/.github/workflows/terraform_environment_job.yml index dbf043921a..bb6d9dc0b8 100644 --- a/.github/workflows/terraform_environment_job.yml +++ b/.github/workflows/terraform_environment_job.yml @@ -55,6 +55,9 @@ permissions: pull-requests: write issues: write +env: + TFLINT_VERSION: 0.50.1 + jobs: terraform_environment_workflow: name: "${{ inputs.workspace_name }} environment deployment" 
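Review bot: `terraform-linters/setup-tflint@v4` in the new Setup TFLint step is pinned to a mutable major tag, so the action's code can change underneath the workflow; pinning to a full commit SHA with the tag in a trailing comment keeps the supply chain reproducible, and the same applies to the matching hunk in terraform_environment_job.yml. The `TFLINT_VERSION` env var already pins the linter binary, so the action reference is the remaining floating input. The Lint Terraform step runs `tflint --recursive` with no preceding `tflint --init`; if the repo's `.tflint.hcl` declares a ruleset plugin (not visible here) the plugin is never installed and the step either fails or lints without it. Note too that `tf_fmt` keeps `continue-on-error: true` while the new lint step does not, so lint findings now block the job — that looks intentional, but a short comment on the step saying so would stop it being "fixed" later.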
@@ -97,13 +100,22 @@ jobs: - uses: webfactory/ssh-agent@v0.8.0 with: ssh-private-key: ${{ secrets.ssh_deploy_key }} + - uses: terraform-linters/setup-tflint@v4 + name: Setup TFLint + with: + tflint_version: v${{ env.TFLINT_VERSION }} - - name: Lint Terraform - id: tf_lint + - name: Check formatting + id: tf_fmt run: terraform fmt -check -recursive working-directory: ./terraform/environment continue-on-error: true + - name: Lint Terraform + id: tf_lint + run: tflint --recursive + working-directory: ./terraform/environment + - name: Terraform Init run: terraform init -input=false working-directory: ./terraform/environment diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index feb4885aab..3041631eb3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,7 +2,7 @@ # See https://pre-commit.com/hooks.html for more hooks repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.5.0 hooks: - id: trailing-whitespace # trims trailing whitespace. - id: end-of-file-fixer # ensures that a file is either empty, or ends with one newline. @@ -19,11 +19,13 @@ repos: args: - --branch=main - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 + rev: v1.86.0 hooks: - id: terraform_fmt - # - id: terraform_validate - # exclude: region/[^/]+$. + - id: terraform_tflint + args: + - --args=--recursive + - repo: https://github.com/dnephin/pre-commit-golang rev: v0.5.1 hooks: @@ -31,7 +33,7 @@ repos: - id: go-imports # Runs gofmt - id: go-mod-tidy # Tidies up and removes unused requires in go.mod using go mod tidy - repo: https://github.com/renovatebot/pre-commit-hooks - rev: 32.221.1 + rev: 37.150.1 hooks: - id: renovate-config-validator - repo: https://github.com/Yelp/detect-secrets diff --git a/terraform/account/region/data_sources.tf b/terraform/account/region/data_sources.tf index edc4acad10..9542f15ce5 100644 --- a/terraform/account/region/data_sources.tf +++ b/terraform/account/region/data_sources.tf 
@@ -7,3 +7,15 @@ data "aws_kms_alias" "secrets_manager" {
 name = var.secrets_manager_kms_key_alias
 provider = aws.region
 }
+
+data "aws_region" "current" {
+ provider = aws.region
+}
+
+data "aws_caller_identity" "current" {
+ provider = aws.region
+}
+
+data "aws_default_tags" "current" {
+ provider = aws.region
+}
diff --git a/terraform/account/region/modules/antivirus_definitions/main.tf b/terraform/account/region/modules/antivirus_definitions/main.tf
index 15b9a8c425..0f6f59fca7 100644
--- a/terraform/account/region/modules/antivirus_definitions/main.tf
+++ b/terraform/account/region/modules/antivirus_definitions/main.tf
@@ -23,7 +23,7 @@ resource "aws_lambda_function" "lambda_function" {
 }
 
 vpc_config {
- subnet_ids = data.aws_subnet.application.*.id
+ subnet_ids = data.aws_subnet.application[*].id
 security_group_ids = [
 data.aws_security_group.lambda_egress.id
 ]
diff --git a/terraform/account/region/modules/antivirus_definitions/variables.tf b/terraform/account/region/modules/antivirus_definitions/variables.tf
index b81d81a9f6..6d9b0a518a 100644
--- a/terraform/account/region/modules/antivirus_definitions/variables.tf
+++ b/terraform/account/region/modules/antivirus_definitions/variables.tf
@@ -1,3 +1,4 @@
 variable "ecr_image_uri" {
+ type = string
 description = "URI of ECR image to use for Lambda"
 }
diff --git a/terraform/account/region/modules/antivirus_definitions/terraform.tf b/terraform/account/region/modules/antivirus_definitions/versions.tf
similarity index 71%
rename from terraform/account/region/modules/antivirus_definitions/terraform.tf
rename to terraform/account/region/modules/antivirus_definitions/versions.tf
index 627607ccd6..cd46c79b99 100644
--- a/terraform/account/region/modules/antivirus_definitions/terraform.tf
+++ b/terraform/account/region/modules/antivirus_definitions/versions.tf
@@ -3,7 +3,8 @@ terraform {
 
 required_providers {
 aws = {
- source = "hashicorp/aws"
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
 configuration_aliases = [
 aws.region,
 ]
diff --git a/terraform/account/region/modules/dns_firewall/terraform.tf b/terraform/account/region/modules/dns_firewall/versions.tf
similarity index 71%
rename from terraform/account/region/modules/dns_firewall/terraform.tf
rename to terraform/account/region/modules/dns_firewall/versions.tf
index 627607ccd6..cd46c79b99 100644
--- a/terraform/account/region/modules/dns_firewall/terraform.tf
+++ b/terraform/account/region/modules/dns_firewall/versions.tf
@@ -3,7 +3,8 @@ terraform {
 
 required_providers {
 aws = {
- source = "hashicorp/aws"
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
 configuration_aliases = [
 aws.region,
 ]
diff --git a/terraform/account/region/modules/s3_batch_manifests/data_sources.tf b/terraform/account/region/modules/s3_batch_manifests/data_sources.tf
index 944db397df..147b0eb037 100644
--- a/terraform/account/region/modules/s3_batch_manifests/data_sources.tf
+++ b/terraform/account/region/modules/s3_batch_manifests/data_sources.tf
@@ -2,10 +2,6 @@ data "aws_region" "current" {
 provider = aws.region
 }
 
-data "aws_caller_identity" "current" {
- provider = aws.region
-}
-
 data "aws_default_tags" "current" {
 provider = aws.region
 }
diff --git a/terraform/account/region/modules/s3_batch_manifests/terraform.tf b/terraform/account/region/modules/s3_batch_manifests/versions.tf
similarity index 71%
rename from terraform/account/region/modules/s3_batch_manifests/terraform.tf
rename to terraform/account/region/modules/s3_batch_manifests/versions.tf
index 627607ccd6..cd46c79b99 100644
--- a/terraform/account/region/modules/s3_batch_manifests/terraform.tf
+++ b/terraform/account/region/modules/s3_batch_manifests/versions.tf
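Review bot: `version = "~> 5.32.0"` is now declared inside every child module (this hunk and the matching ones for s3_batch_manifests, s3_bucket_event_notifications, both region roots, and the app, application_logs, ecs_autoscaling, event_bus, event_received, lambda, mock_onelogin, s3_antivirus and uploads_s3_bucket modules), so the next provider bump has to touch a dozen files and any one left behind makes `terraform init` fail on an unsatisfiable constraint. The usual split is the pessimistic pin in the root `versions.tf` only and a lower bound such as `version = ">= 5.32.0"` in the modules, with the exact build fixed by the committed `.terraform.lock.hcl`. No lock-file change appears in this diff, so it is worth confirming the lock already records a 5.32.x build; otherwise `terraform init -upgrade` and a reviewed plan are needed before merge.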
@@ -3,7 +3,8 @@ terraform {
 
 required_providers {
 aws = {
- source = "hashicorp/aws"
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
 configuration_aliases = [
 aws.region,
 ]
diff --git a/terraform/account/region/modules/s3_bucket_event_notifications/terraform.tf b/terraform/account/region/modules/s3_bucket_event_notifications/versions.tf
similarity index 60%
rename from terraform/account/region/modules/s3_bucket_event_notifications/terraform.tf
rename to terraform/account/region/modules/s3_bucket_event_notifications/versions.tf
index bb14db318d..8858f6d690 100644
--- a/terraform/account/region/modules/s3_bucket_event_notifications/terraform.tf
+++ b/terraform/account/region/modules/s3_bucket_event_notifications/versions.tf
@@ -3,7 +3,8 @@ terraform {
 
 required_providers {
 aws = {
- source = "hashicorp/aws"
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
 }
 }
 }
diff --git a/terraform/account/region/terraform.tf b/terraform/account/region/terraform.tf
deleted file mode 100644
index 645027a00f..0000000000
--- a/terraform/account/region/terraform.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-terraform {
- required_version = ">= 1.5.2"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- configuration_aliases = [
- aws.region,
- aws.management,
- aws.global,
- ]
- }
- }
-}
-
-data "aws_region" "current" {
- provider = aws.region
-}
-
-data "aws_caller_identity" "current" {
- provider = aws.region
-}
-
-data "aws_default_tags" "current" {
- provider = aws.region
-}
diff --git a/terraform/account/region/versions.tf b/terraform/account/region/versions.tf
new file mode 100644
index 0000000000..f354449ed7
--- /dev/null
+++ b/terraform/account/region/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 1.5.2"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
+ configuration_aliases = [
+ aws.region,
+ aws.management,
+ aws.global,
+ ]
+ }
+ }
+}
diff --git a/terraform/account/sqs_kms.tf b/terraform/account/sqs_kms.tf index 41055c06da..540697c699 100644 --- a/terraform/account/sqs_kms.tf +++ b/terraform/account/sqs_kms.tf @@ -2,7 +2,7 @@ resource "aws_kms_key" "sqs" { description = "${local.default_tags.application} SQS encryption key" deletion_window_in_days = 10 enable_key_rotation = true - policy = local.account.account_name == "development" ? data.aws_iam_policy_document.sns_kms_merged.json : data.aws_iam_policy_document.sns_kms.json + policy = local.account.account_name == "development" ? data.aws_iam_policy_document.sqs_kms_merged.json : data.aws_iam_policy_document.sns_kms.json multi_region = true provider = aws.eu_west_1 } diff --git a/terraform/account/terraform.tf b/terraform/account/terraform.tf index 0da25b858f..aed2089876 100644 --- a/terraform/account/terraform.tf +++ b/terraform/account/terraform.tf @@ -13,10 +13,6 @@ variable "default_role" { type = string default = "modernising-lpa-ci" } -variable "management_role" { - type = string - default = "modernising-lpa-ci" -} provider "aws" { alias = "eu_west_1" @@ -94,30 +90,10 @@ data "aws_region" "eu_west_1" { provider = aws.eu_west_1 } -data "aws_caller_identity" "eu_west_1" { - provider = aws.eu_west_1 -} - -data "aws_default_tags" "eu_west_1" { - provider = aws.eu_west_1 -} - data "aws_region" "eu_west_2" { provider = aws.eu_west_2 } -data "aws_caller_identity" "eu_west_2" { - provider = aws.eu_west_2 -} - -data "aws_default_tags" "eu_west_2" { - provider = aws.eu_west_2 -} - -data "aws_region" "global" { - provider = aws.global -} - data "aws_caller_identity" "global" { provider = aws.global } diff --git a/terraform/environment/global/data_sources.tf b/terraform/environment/global/data_sources.tf new file mode 100644 index 0000000000..591c6a74d6 --- /dev/null +++ b/terraform/environment/global/data_sources.tf @@ -0,0 +1,3 @@ +data "aws_default_tags" "current" { + provider = aws.global +} 
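Review bot: The new `policy` line in `aws_kms_key.sqs` still falls back to `data.aws_iam_policy_document.sns_kms.json` for every account other than `development`, so only the development branch was switched to an SQS document and the non-development accounts keep attaching an SNS key policy to the SQS key. A KMS key policy is the key's primary access control, so if a `sqs_kms` document exists alongside `sqs_kms_merged` (the policy documents are outside this diff) the else branch presumably should read `data.aws_iam_policy_document.sqs_kms.json`; if sharing the SNS policy is deliberate, a one-line comment above `policy` saying so would stop the next reader from "fixing" it. The resource header sits on the hunk's context line; the block closes inside the hunk.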
diff --git a/terraform/environment/global/terraform.tf b/terraform/environment/global/terraform.tf deleted file mode 100644 index 7538afc37e..0000000000 --- a/terraform/environment/global/terraform.tf +++ /dev/null @@ -1,28 +0,0 @@ -terraform { - required_version = ">= 1.5.2" - - required_providers { - aws = { - source = "hashicorp/aws" - configuration_aliases = [ - aws.global, - ] - } - pagerduty = { - source = "PagerDuty/pagerduty" - version = ">= 2.16.0" - } - } -} - -data "aws_default_tags" "current" { - provider = aws.global -} - -data "aws_caller_identity" "global" { - provider = aws.global -} - -data "aws_region" "global" { - provider = aws.global -} diff --git a/terraform/environment/global/versions.tf b/terraform/environment/global/versions.tf new file mode 100644 index 0000000000..9d3f1ca4d1 --- /dev/null +++ b/terraform/environment/global/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.5.2" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.32.0" + configuration_aliases = [ + aws.global, + ] + } + pagerduty = { + source = "PagerDuty/pagerduty" + version = "~> 3.4.0" + } + } +} diff --git a/terraform/environment/parameters.tf b/terraform/environment/parameters.tf index ec6bc180b1..8513285ebc 100644 --- a/terraform/environment/parameters.tf +++ b/terraform/environment/parameters.tf @@ -14,8 +14,3 @@ resource "aws_ssm_parameter" "dns_target_region" { ignore_changes = [value] } } - -data "aws_ssm_parameter" "dns_target_region" { - provider = aws.management_global - name = aws_ssm_parameter.dns_target_region.name -} diff --git a/terraform/environment/region/data_sources.tf b/terraform/environment/region/data_sources.tf index 2e1ba956aa..2a7e7c2b83 100644 --- a/terraform/environment/region/data_sources.tf +++ b/terraform/environment/region/data_sources.tf 
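Review bot: `version = "~> 3.4.0"` for the PagerDuty provider in the new global/versions.tf replaces the `>= 2.16.0` bound from the deleted terraform.tf, which is a major-version jump rather than a pin of what is currently installed. If the lock file was resolving a 2.x build, `terraform init` will refuse the new constraint until it is upgraded and any 3.x schema changes surface only at plan time, so a reviewed plan for the global workspace is worth attaching. A short comment above the constraint naming the version actually tested would document the choice; the previously resolved version is an inference since only the removed bound is visible here.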
@@ -12,3 +12,15 @@ data "aws_iam_role" "sns_failure_feedback" { name = "SNSFailureFeedback" provider = aws.global } + +data "aws_region" "current" { + provider = aws.region +} + +data "aws_caller_identity" "current" { + provider = aws.region +} + +data "aws_default_tags" "current" { + provider = aws.region +} diff --git a/terraform/environment/region/ecs.tf b/terraform/environment/region/ecs.tf index 94d83c795d..90e957a9ae 100644 --- a/terraform/environment/region/ecs.tf +++ b/terraform/environment/region/ecs.tf @@ -39,8 +39,8 @@ module "app" { public_access_enabled = var.public_access_enabled network = { vpc_id = data.aws_vpc.main.id - application_subnets = data.aws_subnet.application.*.id - public_subnets = data.aws_subnet.public.*.id + application_subnets = data.aws_subnet.application[*].id + public_subnets = data.aws_subnet.public[*].id } uploads_s3_bucket = { bucket_name = module.uploads_s3_bucket.bucket.id @@ -78,8 +78,8 @@ module "mock_onelogin" { redirect_base_url = var.app_env_vars.auth_redirect_base_url network = { vpc_id = data.aws_vpc.main.id - application_subnets = data.aws_subnet.application.*.id - public_subnets = data.aws_subnet.public.*.id + application_subnets = data.aws_subnet.application[*].id + public_subnets = data.aws_subnet.public[*].id } aws_service_discovery_private_dns_namespace = { id = aws_service_discovery_private_dns_namespace.mock_one_login.id diff --git a/terraform/environment/region/event_received.tf b/terraform/environment/region/event_received.tf index cd6a44d3da..320c878193 100644 --- a/terraform/environment/region/event_received.tf +++ b/terraform/environment/region/event_received.tf 
@@ -5,7 +5,6 @@ data "aws_ecr_repository" "event_received" { module "event_received" { source = "./modules/event_received" - lambda_function_image_ecr_arn = data.aws_ecr_repository.event_received.arn lambda_function_image_ecr_url = data.aws_ecr_repository.event_received.repository_url lambda_function_image_tag = var.app_service_container_version event_bus_name = module.event_bus.event_bus.name diff --git a/terraform/environment/region/modules/app/data_sources.tf b/terraform/environment/region/modules/app/data_sources.tf new file mode 100644 index 0000000000..606b690309 --- /dev/null +++ b/terraform/environment/region/modules/app/data_sources.tf @@ -0,0 +1,7 @@ +data "aws_region" "current" { + provider = aws.region +} + +data "aws_default_tags" "current" { + provider = aws.region +} diff --git a/terraform/environment/region/modules/app/terraform.tf b/terraform/environment/region/modules/app/terraform.tf deleted file mode 100644 index 13588602eb..0000000000 --- a/terraform/environment/region/modules/app/terraform.tf +++ /dev/null @@ -1,24 +0,0 @@ -terraform { - required_version = ">= 1.5.2" - - required_providers { - aws = { - source = "hashicorp/aws" - configuration_aliases = [ - aws.region, - ] - } - } -} - -data "aws_region" "current" { - provider = aws.region -} - -data "aws_caller_identity" "current" { - provider = aws.region -} - -data "aws_default_tags" "current" { - provider = aws.region -} diff --git a/terraform/environment/region/modules/app/variables.tf b/terraform/environment/region/modules/app/variables.tf index 81437ea859..41fc5d69a2 100644 --- a/terraform/environment/region/modules/app/variables.tf +++ b/terraform/environment/region/modules/app/variables.tf @@ -41,6 +41,7 @@ variable "ecs_capacity_provider" { } variable "ecs_application_log_group_name" { + type = string description = "The AWS Cloudwatch Log Group resource for application logging" } 
diff --git a/terraform/environment/region/modules/event_received/terraform.tf b/terraform/environment/region/modules/app/versions.tf similarity index 71% rename from terraform/environment/region/modules/event_received/terraform.tf rename to terraform/environment/region/modules/app/versions.tf index 627607ccd6..cd46c79b99 100644 --- a/terraform/environment/region/modules/event_received/terraform.tf +++ b/terraform/environment/region/modules/app/versions.tf @@ -3,7 +3,8 @@ terraform { required_providers { aws = { - source = "hashicorp/aws" + source = "hashicorp/aws" + version = "~> 5.32.0" configuration_aliases = [ aws.region, ] diff --git a/terraform/environment/region/modules/application_logs/data_sources.tf b/terraform/environment/region/modules/application_logs/data_sources.tf new file mode 100644 index 0000000000..bff69f8510 --- /dev/null +++ b/terraform/environment/region/modules/application_logs/data_sources.tf @@ -0,0 +1,3 @@ +data "aws_default_tags" "current" { + provider = aws.region +} diff --git a/terraform/environment/region/modules/application_logs/terraform.tf b/terraform/environment/region/modules/application_logs/terraform.tf deleted file mode 100644 index 13588602eb..0000000000 --- a/terraform/environment/region/modules/application_logs/terraform.tf +++ /dev/null @@ -1,24 +0,0 @@ -terraform { - required_version = ">= 1.5.2" - - required_providers { - aws = { - source = "hashicorp/aws" - configuration_aliases = [ - aws.region, - ] - } - } -} - -data "aws_region" "current" { - provider = aws.region -} - -data "aws_caller_identity" "current" { - provider = aws.region -} - -data "aws_default_tags" "current" { - provider = aws.region -} diff --git a/terraform/environment/region/modules/application_logs/variables.tf b/terraform/environment/region/modules/application_logs/variables.tf index 51990b1485..d9f68e837d 100644 --- a/terraform/environment/region/modules/application_logs/variables.tf 
+++ b/terraform/environment/region/modules/application_logs/variables.tf @@ -1,7 +1,3 @@ -locals { - name_prefix = "${data.aws_default_tags.current.tags.environment-name}-${data.aws_region.current.name}" -} - variable "application_log_retention_days" { type = number description = "Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire." diff --git a/terraform/environment/region/modules/application_logs/versions.tf b/terraform/environment/region/modules/application_logs/versions.tf new file mode 100644 index 0000000000..cd46c79b99 --- /dev/null +++ b/terraform/environment/region/modules/application_logs/versions.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.5.2" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.32.0" + configuration_aliases = [ + aws.region, + ] + } + } +} diff --git a/terraform/environment/region/modules/ecs_autoscaling/terraform.tf b/terraform/environment/region/modules/ecs_autoscaling/terraform.tf deleted file mode 100644 index 13588602eb..0000000000 --- a/terraform/environment/region/modules/ecs_autoscaling/terraform.tf +++ /dev/null @@ -1,24 +0,0 @@ -terraform { - required_version = ">= 1.5.2" - - required_providers { - aws = { - source = "hashicorp/aws" - configuration_aliases = [ - aws.region, - ] - } - } -} - -data "aws_region" "current" { - provider = aws.region -} - -data "aws_caller_identity" "current" { - provider = aws.region -} - -data "aws_default_tags" "current" { - provider = aws.region -} diff --git a/terraform/environment/region/modules/ecs_autoscaling/versions.tf b/terraform/environment/region/modules/ecs_autoscaling/versions.tf new file mode 100644 index 0000000000..cd46c79b99 --- /dev/null +++ b/terraform/environment/region/modules/ecs_autoscaling/versions.tf 
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.5.2"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
+ configuration_aliases = [
+ aws.region,
+ ]
+ }
+ }
+}
diff --git a/terraform/environment/region/modules/event_bus/data_sources.tf b/terraform/environment/region/modules/event_bus/data_sources.tf
index f2e4b70248..b0be674d95 100644
--- a/terraform/environment/region/modules/event_bus/data_sources.tf
+++ b/terraform/environment/region/modules/event_bus/data_sources.tf
@@ -2,3 +2,11 @@ data "aws_sns_topic" "custom_cloudwatch_alarms" {
 name = "custom_cloudwatch_alarms"
 provider = aws.region
 }
+
+data "aws_region" "current" {
+ provider = aws.region
+}
+
+data "aws_default_tags" "current" {
+ provider = aws.region
+}
diff --git a/terraform/environment/region/modules/event_bus/terraform.tf b/terraform/environment/region/modules/event_bus/terraform.tf
deleted file mode 100644
index 6facc6da53..0000000000
--- a/terraform/environment/region/modules/event_bus/terraform.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- configuration_aliases = [
- aws.region,
- ]
- }
- }
-}
-
-data "aws_region" "current" {
- provider = aws.region
-}
-
-data "aws_caller_identity" "current" {
- provider = aws.region
-}
-
-data "aws_default_tags" "current" {
- provider = aws.region
-}
diff --git a/terraform/environment/region/modules/event_bus/versions.tf b/terraform/environment/region/modules/event_bus/versions.tf
new file mode 100644
index 0000000000..cd46c79b99
--- /dev/null
+++ b/terraform/environment/region/modules/event_bus/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.5.2"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
+ configuration_aliases = [
+ aws.region,
+ ]
+ }
+ }
+}
diff --git a/terraform/environment/region/modules/event_received/lambda.tf b/terraform/environment/region/modules/event_received/lambda.tf
index bfbb5eb25a..0f284b09d1 100644
--- a/terraform/environment/region/modules/event_received/lambda.tf
+++ b/terraform/environment/region/modules/event_received/lambda.tf
@@ -10,7 +10,6 @@ module "event_received" {
 UID_BASE_URL = var.uid_base_url
 }
 image_uri = "${var.lambda_function_image_ecr_url}:${var.lambda_function_image_tag}"
- ecr_arn = var.lambda_function_image_ecr_arn
 environment = data.aws_default_tags.current.tags.environment-name
 kms_key = data.aws_kms_alias.cloudwatch_application_logs_encryption.target_key_arn
 iam_policy_documents = [data.aws_iam_policy_document.api_access_policy.json]
diff --git a/terraform/environment/region/modules/event_received/variables.tf b/terraform/environment/region/modules/event_received/variables.tf
index 789d30ad9e..f0d6fab849 100644
--- a/terraform/environment/region/modules/event_received/variables.tf
+++ b/terraform/environment/region/modules/event_received/variables.tf
@@ -1,7 +1,3 @@
-variable "lambda_function_image_ecr_arn" {
- type = string
-}
-
 variable "lambda_function_image_ecr_url" {
 type = string
 }
diff --git a/terraform/environment/region/modules/event_received/versions.tf b/terraform/environment/region/modules/event_received/versions.tf
new file mode 100644
index 0000000000..cd46c79b99
--- /dev/null
+++ b/terraform/environment/region/modules/event_received/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.5.2"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
+ configuration_aliases = [
+ aws.region,
+ ]
+ }
+ }
+}
diff --git a/terraform/environment/region/modules/lambda/data_sources.tf b/terraform/environment/region/modules/lambda/data_sources.tf
index d8e53a9194..61986a9cc6 100644
--- a/terraform/environment/region/modules/lambda/data_sources.tf
+++ b/terraform/environment/region/modules/lambda/data_sources.tf
@@ -1,11 +1,3 @@ -data "aws_region" "current" { - provider = aws.region -} - data "aws_caller_identity" "current" { provider = aws.region } - -data "aws_default_tags" "current" { - provider = aws.region -} diff --git a/terraform/environment/region/modules/lambda/main.tf b/terraform/environment/region/modules/lambda/main.tf index aa8a05d6aa..0ee9dcf57c 100644 --- a/terraform/environment/region/modules/lambda/main.tf +++ b/terraform/environment/region/modules/lambda/main.tf @@ -6,6 +6,7 @@ resource "aws_cloudwatch_log_group" "lambda" { resource "aws_lambda_function" "lambda_function" { function_name = "${var.lambda_name}-${var.environment}" + description = var.description image_uri = var.image_uri package_type = var.package_type role = aws_iam_role.lambda_role.arn diff --git a/terraform/environment/region/modules/lambda/terraform.tf b/terraform/environment/region/modules/lambda/terraform.tf deleted file mode 100644 index 627607ccd6..0000000000 --- a/terraform/environment/region/modules/lambda/terraform.tf +++ /dev/null @@ -1,12 +0,0 @@ -terraform { - required_version = ">= 1.5.2" - - required_providers { - aws = { - source = "hashicorp/aws" - configuration_aliases = [ - aws.region, - ] - } - } -} diff --git a/terraform/environment/region/modules/lambda/variables.tf b/terraform/environment/region/modules/lambda/variables.tf index fa0547d08a..6d9ca5cf0f 100644 --- a/terraform/environment/region/modules/lambda/variables.tf +++ b/terraform/environment/region/modules/lambda/variables.tf @@ -21,12 +21,6 @@ variable "description" { default = null } -variable "lambda_role_policy_document" { - description = "The policy JSON for the lambda IAM role. This policy JSON is merged with Logging and ECR access included in the module." - type = string - default = null -} - variable "environment_variables" { description = "A map that defines environment variables for the Lambda Function." type = map(string) 
@@ -50,13 +44,8 @@ variable "timeout" { default = 30 } -variable "ecr_arn" { - description = "The ECR arn for lambda image." - type = string - default = null -} - variable "kms_key" { + type = any description = "KMS key for the lambda log group" } diff --git a/terraform/environment/region/modules/lambda/version.tf b/terraform/environment/region/modules/lambda/version.tf new file mode 100644 index 0000000000..cd46c79b99 --- /dev/null +++ b/terraform/environment/region/modules/lambda/version.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.5.2" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.32.0" + configuration_aliases = [ + aws.region, + ] + } + } +} diff --git a/terraform/environment/region/modules/mock_onelogin/data_sources.tf b/terraform/environment/region/modules/mock_onelogin/data_sources.tf new file mode 100644 index 0000000000..606b690309 --- /dev/null +++ b/terraform/environment/region/modules/mock_onelogin/data_sources.tf @@ -0,0 +1,7 @@ +data "aws_region" "current" { + provider = aws.region +} + +data "aws_default_tags" "current" { + provider = aws.region +} diff --git a/terraform/environment/region/modules/mock_onelogin/terraform.tf b/terraform/environment/region/modules/mock_onelogin/terraform.tf deleted file mode 100644 index 13588602eb..0000000000 --- a/terraform/environment/region/modules/mock_onelogin/terraform.tf +++ /dev/null @@ -1,24 +0,0 @@ -terraform { - required_version = ">= 1.5.2" - - required_providers { - aws = { - source = "hashicorp/aws" - configuration_aliases = [ - aws.region, - ] - } - } -} - -data "aws_region" "current" { - provider = aws.region -} - -data "aws_caller_identity" "current" { - provider = aws.region -} - -data "aws_default_tags" "current" { - provider = aws.region -} diff --git a/terraform/environment/region/modules/mock_onelogin/variables.tf b/terraform/environment/region/modules/mock_onelogin/variables.tf index a3cd22fa52..409b763e6d 100644 
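Review bot: `type = any` on `variable "kms_key"` throws away the typing that the new tflint step is meant to enforce; the only callers visible in this diff pass `data.aws_kms_alias.cloudwatch_application_logs_encryption.target_key_arn`, a string ARN, so `type = string` is the accurate constraint, whereas `any` silently accepts an object or list that then fails deep inside the module. The same shortcut appears in s3_antivirus/variables.tf (`data_store_bucket`, `definition_bucket`, `lambda_task_role`) and uploads_s3_bucket/variables.tf (`events_received_lambda_function`, `s3_antivirus_lambda_function`); where a whole resource object is passed, an `object({ arn = string })`-style type listing the attributes the module actually reads is still tighter than `any`. Separately, the new lambda module file is named `version.tf` while every other module in this change gets `versions.tf`; renaming it keeps the convention uniform. The trailing context of this hunk is cut off at the end of the line.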
--- a/terraform/environment/region/modules/mock_onelogin/variables.tf +++ b/terraform/environment/region/modules/mock_onelogin/variables.tf @@ -41,6 +41,7 @@ variable "ecs_capacity_provider" { } variable "ecs_application_log_group_name" { + type = string description = "The AWS Cloudwatch Log Group resource for application logging" } diff --git a/terraform/environment/region/modules/mock_onelogin/versions.tf b/terraform/environment/region/modules/mock_onelogin/versions.tf new file mode 100644 index 0000000000..574764a522 --- /dev/null +++ b/terraform/environment/region/modules/mock_onelogin/versions.tf @@ -0,0 +1,14 @@ +terraform { + required_version = ">= 1.5.2" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.32.0" + configuration_aliases = [ + aws.region, + ] + } + } +} + diff --git a/terraform/environment/region/modules/s3_antivirus/alarms.tf b/terraform/environment/region/modules/s3_antivirus/alarms.tf index 313ba6e042..8c43a413fe 100644 --- a/terraform/environment/region/modules/s3_antivirus/alarms.tf +++ b/terraform/environment/region/modules/s3_antivirus/alarms.tf @@ -4,7 +4,7 @@ resource "aws_s3_bucket_metric" "virus_infections" { filter { tags = { - "${var.environment_variables.ANTIVIRUS_TAG_KEY}" = var.environment_variables.ANTIVIRUS_TAG_VALUE_FAIL + tostring(var.environment_variables.ANTIVIRUS_TAG_KEY) = var.environment_variables.ANTIVIRUS_TAG_VALUE_FAIL } } provider = aws.region diff --git a/terraform/environment/region/modules/s3_antivirus/main.tf b/terraform/environment/region/modules/s3_antivirus/main.tf index 6bc847f8dc..b2a43a3466 100644 --- a/terraform/environment/region/modules/s3_antivirus/main.tf +++ b/terraform/environment/region/modules/s3_antivirus/main.tf 
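Review bot: The rewritten map key `tostring(var.environment_variables.ANTIVIRUS_TAG_KEY) = ...` in `aws_s3_bucket_metric.virus_infections` wraps a value that is already a string (`environment_variables` is declared `map(string)` in the same module's variables.tf), so the call exists only to turn the key into an expression; the conventional HCL spelling for a computed key is parentheses, `(var.environment_variables.ANTIVIRUS_TAG_KEY) = var.environment_variables.ANTIVIRUS_TAG_VALUE_FAIL`, which reads as intent rather than as a cast. The mock_onelogin/versions.tf added further down this line ends with an extra blank line (14 lines where every sibling file has 13); the repo's `end-of-file-fixer` hook will rewrite it on the next commit, so it is better trimmed now.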
@@ -12,6 +12,7 @@ resource "aws_cloudwatch_log_group" "lambda" { resource "aws_lambda_function" "lambda_function" { function_name = "s3-antivirus-${data.aws_default_tags.current.tags.environment-name}" + description = "Function to scan S3 objects for viruses" image_uri = var.ecr_image_uri package_type = "Image" role = var.lambda_task_role.arn diff --git a/terraform/environment/region/modules/s3_antivirus/terraform.tf b/terraform/environment/region/modules/s3_antivirus/terraform.tf deleted file mode 100644 index 627607ccd6..0000000000 --- a/terraform/environment/region/modules/s3_antivirus/terraform.tf +++ /dev/null @@ -1,12 +0,0 @@ -terraform { - required_version = ">= 1.5.2" - - required_providers { - aws = { - source = "hashicorp/aws" - configuration_aliases = [ - aws.region, - ] - } - } -} diff --git a/terraform/environment/region/modules/s3_antivirus/variables.tf b/terraform/environment/region/modules/s3_antivirus/variables.tf index 3b38a6247a..bcbfe0185f 100644 --- a/terraform/environment/region/modules/s3_antivirus/variables.tf +++ b/terraform/environment/region/modules/s3_antivirus/variables.tf @@ -4,27 +4,25 @@ variable "alarm_sns_topic_arn" { } variable "aws_subnet_ids" { + type = list(string) description = "List of Sirius private subnet Ids" } variable "data_store_bucket" { + type = any description = "Data store bucket to scan for viruses" } variable "definition_bucket" { + type = any description = "Bucket containing virus definitions" } variable "ecr_image_uri" { + type = string description = "URI of ECR image to use for Lambda" } -variable "enable_autoscan" { - description = "Whether to enable the automatic scan of newly uploaded objects" - type = bool - default = false -} - variable "environment_variables" { description = "A map that defines environment variables for the Lambda Function." type = map(string) @@ -32,6 +30,7 @@ variable "environment_variables" { } variable "lambda_task_role" { + type = any description = "Execution role for Lambda" } 
diff --git a/terraform/environment/region/modules/s3_antivirus/versions.tf b/terraform/environment/region/modules/s3_antivirus/versions.tf new file mode 100644 index 0000000000..cd46c79b99 --- /dev/null +++ b/terraform/environment/region/modules/s3_antivirus/versions.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.5.2" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.32.0" + configuration_aliases = [ + aws.region, + ] + } + } +} diff --git a/terraform/environment/region/modules/uploads_s3_bucket/data_sources.tf b/terraform/environment/region/modules/uploads_s3_bucket/data_sources.tf index 95a840de1c..02e1a5eefc 100644 --- a/terraform/environment/region/modules/uploads_s3_bucket/data_sources.tf +++ b/terraform/environment/region/modules/uploads_s3_bucket/data_sources.tf @@ -11,11 +11,6 @@ data "aws_default_tags" "current" { provider = aws.region } -data "aws_kms_alias" "source_default_key" { - name = "alias/aws/s3" - provider = aws.region -} - data "aws_s3_bucket" "access_log" { bucket = "s3-access-logs-${data.aws_default_tags.current.tags.application}-${data.aws_default_tags.current.tags.account-name}-${data.aws_region.current.name}" provider = aws.region diff --git a/terraform/environment/region/modules/uploads_s3_bucket/lambda.tf b/terraform/environment/region/modules/uploads_s3_bucket/lambda.tf index 7e1fea4189..7a2da39cf7 100644 --- a/terraform/environment/region/modules/uploads_s3_bucket/lambda.tf +++ b/terraform/environment/region/modules/uploads_s3_bucket/lambda.tf 
@@ -6,7 +6,6 @@ module "s3_create_batch_replication_jobs" {
 ENVIRONMENT = data.aws_default_tags.current.tags.environment-name
 }
 image_uri = "${var.s3_replication.lambda_function_image_ecr_url}:${var.s3_replication.lambda_function_image_tag}"
- ecr_arn = var.s3_replication.lambda_function_image_ecr_arn
 environment = data.aws_default_tags.current.tags.environment-name
 kms_key = data.aws_kms_alias.cloudwatch_application_logs_encryption.target_key_arn
 timeout = 900
diff --git a/terraform/environment/region/modules/uploads_s3_bucket/terraform.tf b/terraform/environment/region/modules/uploads_s3_bucket/terraform.tf
deleted file mode 100644
index 627607ccd6..0000000000
--- a/terraform/environment/region/modules/uploads_s3_bucket/terraform.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_version = ">= 1.5.2"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- configuration_aliases = [
- aws.region,
- ]
- }
- }
-}
diff --git a/terraform/environment/region/modules/uploads_s3_bucket/variables.tf b/terraform/environment/region/modules/uploads_s3_bucket/variables.tf
index 0893e8c142..bacfff41de 100644
--- a/terraform/environment/region/modules/uploads_s3_bucket/variables.tf
+++ b/terraform/environment/region/modules/uploads_s3_bucket/variables.tf
@@ -35,9 +35,11 @@ variable "s3_replication" {
 }
 variable "events_received_lambda_function" {
+ type = any
 description = "Lambda function ARN for events received"
 }
 variable "s3_antivirus_lambda_function" {
+ type = any
 description = "Lambda function ARN for events received"
 }
diff --git a/terraform/environment/region/modules/uploads_s3_bucket/versions.tf b/terraform/environment/region/modules/uploads_s3_bucket/versions.tf
new file mode 100644
index 0000000000..cd46c79b99
--- /dev/null
+++ b/terraform/environment/region/modules/uploads_s3_bucket/versions.tf
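Review bot: In the uploads_s3_bucket/variables.tf hunk the description on `s3_antivirus_lambda_function` still reads `"Lambda function ARN for events received"`, a copy of the variable above it, and `type = any` on both suggests a whole function object rather than an ARN string is what callers pass. Declare what is actually consumed — `type = string` if it is an ARN, or `type = object({ arn = string })` if the caller hands over the resource — and correct the text, e.g. `description = "Lambda function that scans newly uploaded objects for viruses"`, so the two variables are distinguishable in module documentation. The variables file continues outside the hunk, so the remaining declarations could not be checked for the same copy-paste.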
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.5.2"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
+ configuration_aliases = [
+ aws.region,
+ ]
+ }
+ }
+}
diff --git a/terraform/environment/region/s3_antivirus.tf b/terraform/environment/region/s3_antivirus.tf
index 2d9732cbaa..3d84c3b993 100644
--- a/terraform/environment/region/s3_antivirus.tf
+++ b/terraform/environment/region/s3_antivirus.tf
@@ -17,11 +17,10 @@ data "aws_s3_bucket" "antivirus_definitions" {
 module "s3_antivirus" {
 source = "./modules/s3_antivirus"
 alarm_sns_topic_arn = data.aws_sns_topic.custom_cloudwatch_alarms.arn
- aws_subnet_ids = data.aws_subnet.application.*.id
+ aws_subnet_ids = data.aws_subnet.application[*].id
 data_store_bucket = module.uploads_s3_bucket.bucket
 definition_bucket = data.aws_s3_bucket.antivirus_definitions
 ecr_image_uri = "${data.aws_ecr_repository.s3_antivirus.repository_url}@${data.aws_ecr_image.s3_antivirus.image_digest}"
- enable_autoscan = true
 lambda_task_role = var.iam_roles.s3_antivirus
 s3_antivirus_provisioned_concurrency = var.s3_antivirus_provisioned_concurrency
diff --git a/terraform/environment/region/terraform.tf b/terraform/environment/region/terraform.tf
deleted file mode 100644
index 8be33f6abb..0000000000
--- a/terraform/environment/region/terraform.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-terraform {
- required_version = ">= 1.5.2"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- configuration_aliases = [
- aws.region,
- aws.global,
- aws.management_global,
- aws.management,
- ]
- }
- pagerduty = {
- source = "PagerDuty/pagerduty"
- version = ">= 2.16.0"
- }
- }
-}
-
-data "aws_region" "current" {
- provider = aws.region
-}
-
-data "aws_caller_identity" "current" {
- provider = aws.region
-}
-
-data "aws_default_tags" "current" {
- provider = aws.region
-}
-
-data "aws_caller_identity" "global" {
- provider = aws.global
-}
-
-data "aws_region" "global" {
- provider = aws.global
-}
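Review bot: Dropping `enable_autoscan = true` in the s3_antivirus.tf hunk, together with the deletion of the module's `enable_autoscan` variable (default `false`) in the variables.tf hunk above, means whatever that flag gated inside the module is now either unconditional or gone, and the module side of that change is not in this diff. Because this is the switch that controls scanning of newly uploaded objects, the plan output should be checked to confirm the S3 notification or trigger that invokes the scan Lambda is still created — the new `s3_antivirus_lambda_function` input on uploads_s3_bucket suggests it moved there, but that wiring is outside this view. A short comment on the `module "s3_antivirus"` block, e.g. `# upload scanning is wired by uploads_s3_bucket via s3_antivirus_lambda_function`, would make the new ownership explicit.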
diff --git a/terraform/environment/region/versions.tf b/terraform/environment/region/versions.tf
new file mode 100644
index 0000000000..6193b5cf57
--- /dev/null
+++ b/terraform/environment/region/versions.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_version = ">= 1.5.2"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.32.0"
+ configuration_aliases = [
+ aws.region,
+ aws.global,
+ aws.management_global,
+ aws.management,
+ ]
+ }
+ pagerduty = {
+ source = "PagerDuty/pagerduty"
+ version = "~> 3.4.0"
+ }
+ }
+}
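Review bot: The deleted terraform/environment/region/terraform.tf also held five data sources (`aws_region`, `aws_caller_identity` and `aws_default_tags` as `current` on `aws.region`, plus `aws_caller_identity` and `aws_region` as `global` on `aws.global`) that this replacement file does not carry; unless they were moved to another file outside this diff, any `data.aws_region.current` / `data.aws_default_tags.current` reference in this module now fails validation. The pagerduty constraint also moves from `>= 2.16.0` to `~> 3.4.0`, a major-version change bundled into what otherwise looks like a file rename, so a plan against existing state should confirm no pagerduty resources are replaced. A header comment such as `# provider pins are duplicated in modules/*/versions.tf; bump them together` would document why patch-level pinning is used here.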