From 0798ca3c2f1a17d9ea7440bd9ca95e438afe14df Mon Sep 17 00:00:00 2001 From: alismx Date: Thu, 10 Oct 2024 12:03:45 -0400 Subject: [PATCH] add tfstate module --- terraform/implementation/ecs/main.tf | 8 ++++- terraform/implementation/setup/_local.tf | 8 +++++ terraform/modules/ecs/_data.tf | 2 +- terraform/modules/ecs/_local.tf | 4 +-- terraform/modules/oidc/_data.tf | 15 ++++++-- terraform/modules/tfstate/_output.tf | 7 ++++ terraform/modules/tfstate/_variable.tf | 22 ++++++++++++ terraform/modules/tfstate/main.tf | 45 ++++++++++++++++++++++++ 8 files changed, 104 insertions(+), 7 deletions(-) create mode 100644 terraform/implementation/setup/_local.tf create mode 100644 terraform/modules/tfstate/_output.tf create mode 100644 terraform/modules/tfstate/_variable.tf create mode 100644 terraform/modules/tfstate/main.tf diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf index 858cddf..9c2fd7e 100644 --- a/terraform/implementation/ecs/main.tf +++ b/terraform/implementation/ecs/main.tf @@ -26,8 +26,14 @@ module "ecs" { # If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false) # disable_ecr = true + # If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false) # non_integrated_viewer = "true" - # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true) This requires an internet gateway to be present in the VPC. + + # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true) + # This requires an internet gateway to be present in the VPC. # internal = false + + # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod") + # ecr_viewer_app_env = "test" } diff --git a/terraform/implementation/setup/_local.tf b/terraform/implementation/setup/_local.tf new file mode 100644 index 0000000..8e1dc94 --- /dev/null 
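Review bot: The new `# ecr_viewer_app_env = "test"` example sits directly under the `# internal = false` example without saying the two must not be combined; the comment above it documents "test" as disabling authentication, so a reader who uncomments both lines exposes an unauthenticated viewer to the internet. Suggest extending the new comment with `# Never combine with internal = false: the viewer would then be reachable from the internet without authentication.` The re-added "public internet" line also carries the typo `availabble` over from the line it replaces; `available` is intended. The `module "ecs"` block starts outside the hunk.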
+++ b/terraform/implementation/setup/_local.tf
@@ -0,0 +1,8 @@
+locals {
+ vpc_name = "${var.project}-${var.owner}-${terraform.workspace}"
+ tags = {
+ project = var.project
+ owner = var.owner
+ workspace = terraform.workspace
+ }
+}
diff --git a/terraform/modules/ecs/_data.tf b/terraform/modules/ecs/_data.tf
index 41965d3..4a51084 100644
--- a/terraform/modules/ecs/_data.tf
+++ b/terraform/modules/ecs/_data.tf
@@ -36,5 +36,5 @@ data "aws_iam_policy" "amazon_ec2_container_service_for_ec2_role" {
 
 data "aws_route_table" "this" {
 for_each = local.private_subnet_kvs
- subnet_id = each.key
+ subnet_id = each.value
 }
\ No newline at end of file
diff --git a/terraform/modules/ecs/_local.tf b/terraform/modules/ecs/_local.tf
index 8cac0d5..ab92c98 100644
--- a/terraform/modules/ecs/_local.tf
+++ b/terraform/modules/ecs/_local.tf
@@ -191,6 +191,6 @@ locals {
 "com.amazonaws.${var.region}.logs",
 "com.amazonaws.${var.region}.secretsmanager",
 ]
- s3_service_name = "com.amazonaws.${var.region}.s3"
- private_subnet_kvs = { for rt in var.private_subnet_ids : rt => rt }
+ s3_service_name = "com.amazonaws.${var.region}.s3"
+ private_subnet_kvs = { for index, rt in var.private_subnet_ids : index => rt }
 }
diff --git a/terraform/modules/oidc/_data.tf b/terraform/modules/oidc/_data.tf
index 61e2651..8c5e361 100644
--- a/terraform/modules/oidc/_data.tf
+++ b/terraform/modules/oidc/_data.tf
@@ -41,7 +41,6 @@ data "aws_iam_policy_document" "storage" {
 "${var.state_bucket_arn}",
 "${var.state_bucket_arn}/*",
 "${var.dynamodb_table_arn}",
- "arn:aws:s3:::prod-region-starport-layer-bucket/*"
 ]
 }
 }
@@ -52,6 +51,8 @@ data "aws_iam_policy_document" "wildcard" {
 statement {
 actions = [
 "ec2:DescribeAddresses",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:DescribePrefixLists",
 "ec2:DescribeAddressesAttribute",
 "ec2:DescribeFlowLogs",
 "ec2:DescribeInternetGateways",
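Review bot: The new `private_subnet_kvs` in `terraform/modules/ecs/_local.tf` keys the map by list position instead of by subnet id, and nothing in the hunk says why; presumably this is so the `for_each` keys consumed by `data "aws_route_table" "this"` are known at plan time even when the subnet ids are computed, which the old `rt => rt` form would not allow. A comment on the line would stop the next reader from "simplifying" it back: `# keyed by position, not subnet id, so the for_each keys are known at plan time`. One consequence worth stating in the same comment: reordering `var.private_subnet_ids` re-keys every instance, which is harmless for a data source but would force replacement if this map is ever reused for a managed resource. The `locals` block starts outside the hunk, and the `s3_service_name` line appears to change only whitespace.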
@@ -135,6 +136,7 @@ data "aws_iam_policy_document" "scoped_one" {
 data "aws_iam_policy_document" "scoped_two" {
 statement {
 actions = [
+ "ec2:createVpcEndpoint",
 "ec2:CreateFlowLogs",
 "ec2:CreateNatGateway",
 "ec2:CreateNetworkAclEntry",
@@ -156,6 +158,7 @@ data "aws_iam_policy_document" "scoped_two" {
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:natgateway/*",
 "arn:aws:ecr:${var.region}:${data.aws_caller_identity.current.account_id}:repository/*",
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.project_owner_workspace}*",
+ "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-endpoint/*",
 ]
 }
 }
@@ -165,6 +168,7 @@ data "aws_iam_policy_document" "request_tags_create_actions" {
 statement {
 actions = [
 "appmesh:CreateMesh",
+ "ec2:createVpcEndpoint",
 "appmesh:CreateVirtualNode",
 "appmesh:DeleteMesh",
 "appmesh:DeleteVirtualNode",
@@ -185,12 +189,14 @@ data "aws_iam_policy_document" "request_tags_create_actions" {
 "iam:CreateRole",
 "logs:CreateLogDelivery",
 "logs:CreateLogGroup",
+ "logs:TagResource",
 "servicediscovery:CreatePrivateDnsNamespace",
 ]
 resources = [
 "arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}",
- "arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}/*",
+ "arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc/${local.vpc_id}",
+ "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-endpoint/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:subnet/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:route-table/*",
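Review bot: `"ec2:createVpcEndpoint"` is added with a lower-case verb in both the `scoped_two` actions hunk and the `request_tags_create_actions` actions hunk, unlike every other action in these documents; IAM matches action names case-insensitively so the grant should still work, but the odd spelling defeats grep-based policy audits, and in the second hunk the line also lands between two `appmesh:` entries. Use `"ec2:CreateVpcEndpoint",` in both places and keep it next to the other `ec2:` actions. The `scoped_two` resources hunk adds only `vpc-endpoint/*`, yet creating an endpoint is also evaluated against the target VPC ARN (and, for interface endpoints, the subnet and security-group ARNs); if those are not already in that statement's list outside the hunk, the call will still be denied. The `mesh/*` resource line in the last hunk appears to change only whitespace.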
@@ -256,6 +262,7 @@ data "aws_iam_policy_document" "resource_tags_update_actions" {
 "iam:TagPolicy",
 "iam:UntagPolicy",
 "logs:PutRetentionPolicy",
+ "logs:UntagResource",
 "servicediscovery:TagResource",
 ]
 resources = [
@@ -305,6 +312,7 @@ data "aws_iam_policy_document" "resource_tags_delete_actions" {
 "ecs:DeleteCluster",
 "ecs:DeleteService",
 "ec2:DeleteVpc",
+ "ec2:DeleteVpcEndpoints",
 "ec2:DeleteTags",
 "ec2:DisassociateRouteTable",
 "ec2:DeleteRouteTable",
@@ -332,6 +340,7 @@ data "aws_iam_policy_document" "resource_tags_delete_actions" {
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:natgateway/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:security-group/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*",
+ "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-endpoint/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:internet-gateway/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:elastic-ip/*",
 "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:network-interface/*",
@@ -357,4 +366,4 @@ data "aws_iam_policy_document" "resource_tags_delete_actions" {
 ]
 }
 }
-}
+}
\ No newline at end of file
diff --git a/terraform/modules/tfstate/_output.tf b/terraform/modules/tfstate/_output.tf
new file mode 100644
index 0000000..c86c10a
--- /dev/null
+++ b/terraform/modules/tfstate/_output.tf
@@ -0,0 +1,7 @@
+output "state_bucket" {
+ value = aws_s3_bucket.tfstate
+}
+
+output "dynamodb_table" {
+ value = aws_dynamodb_table.tfstate_lock
+}
\ No newline at end of file
diff --git a/terraform/modules/tfstate/_variable.tf b/terraform/modules/tfstate/_variable.tf
new file mode 100644
index 0000000..2bc7a1b
--- /dev/null
+++ b/terraform/modules/tfstate/_variable.tf
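Review bot: Both outputs in the new `terraform/modules/tfstate/_output.tf` export the whole resource object (`aws_s3_bucket.tfstate`, `aws_dynamodb_table.tfstate_lock`) rather than the attributes a consumer needs, and neither carries a `description`; the oidc policy in this same patch reads `var.state_bucket_arn` and `var.dynamodb_table_arn`, so the two ARNs are what callers actually want. Exporting `value = aws_s3_bucket.tfstate.arn` with `description = "ARN of the Terraform state bucket"` (and the same for the lock table) makes the module contract explicit and keeps every attribute of the full object out of the root state and of `terraform output`. If some caller already depends on the whole object, add separate `state_bucket_arn` and `dynamodb_table_arn` outputs instead of changing these two.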
@@ -0,0 +1,22 @@
+variable "owner" {
+ description = "The owner of the project"
+ type = string
+ default = "skylight"
+}
+
+variable "project" {
+ description = "The name of the project"
+ type = string
+ default = "dibbs-ce"
+}
+
+variable "region" {
+ type = string
+ description = "The AWS region where resources are created"
+ default = "us-east-1"
+}
+
+variable "identifier" {
+ type = string
+ default = ""
+}
\ No newline at end of file
diff --git a/terraform/modules/tfstate/main.tf b/terraform/modules/tfstate/main.tf
new file mode 100644
index 0000000..de4e477
--- /dev/null
+++ b/terraform/modules/tfstate/main.tf
@@ -0,0 +1,45 @@
+resource "aws_s3_bucket" "tfstate" {
+ bucket = "${var.project}-tfstate-${var.owner}-${var.identifier}"
+
+ force_destroy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "default" {
+ bucket = aws_s3_bucket.tfstate.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/
+# trivy:ignore:AVD-AWS-0132
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+ bucket = aws_s3_bucket.tfstate.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ }
+}
+
+resource "aws_s3_bucket_versioning" "default" {
+ bucket = aws_s3_bucket.tfstate.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+# Create a DynamoDB table for locking the state file
+resource "aws_dynamodb_table" "tfstate_lock" {
+ name = "${var.project}-tfstate-lock-${var.owner}-${var.identifier}"
+ hash_key = "LockID"
+ billing_mode = "PAY_PER_REQUEST"
+
+ attribute {
+ name = "LockID"
+ type = "S"
+ }
+}
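Review bot: `variable "identifier"` in the new `_variable.tf` defaults to `""`, and `main.tf` interpolates it as the trailing `-${var.identifier}` segment of both the bucket and the lock-table name, so the default produces a name ending in `-`, which S3 rejects (bucket names must end with a letter or digit). Either drop the default so callers must supply it, or add a `validation` block whose `condition` is `length(var.identifier) > 0` with an error message saying the suffix is required. It is also the only variable in this file without a `description`; suggest `description = "Suffix that makes the state bucket and lock table names unique"`.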
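Review bot: `force_destroy = true` on `aws_s3_bucket.tfstate` in the new `main.tf` lets a `terraform destroy` (or simply removing the module) delete the state bucket together with every retained object version, which undoes the protection the `aws_s3_bucket_versioning` block is there to provide. For a state bucket the safer combination is `force_destroy = false` plus `lifecycle { prevent_destroy = true }` on both the bucket and `aws_dynamodb_table.tfstate_lock`. The encryption rule selects `aws:kms` with no `kms_master_key_id`, so the AWS-managed S3 key is used; the `trivy:ignore:AVD-AWS-0132` line acknowledges this but gives no reason, and a one-line justification next to it (or a `kms_master_key_id` variable) would help the next audit. `aws_dynamodb_table.tfstate_lock` also has no `point_in_time_recovery` block, which is cheap to enable for a lock table.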