add tfstate module

CDCgov · Oct 11, 2024 · 4749dd5 · 4749dd5
1 parent b80e6eb
commit 4749dd5
Show file tree

Hide file tree

Showing 8 changed files with 94 additions and 4 deletions.
diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf
@@ -26,8 +26,14 @@ module "ecs" {
 
   # If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
   # disable_ecr = true
+
   # If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false)
   # non_integrated_viewer = "true"
-  # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true) This requires an internet gateway to be present in the VPC.
+
+  # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
+  # This requires an internet gateway to be present in the VPC.
   # internal       = false
+
+  # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
+  # ecr_viewer_app_env = "test"
 }
diff --git a/terraform/implementation/setup/_local.tf b/terraform/implementation/setup/_local.tf
@@ -0,0 +1,8 @@
+locals {
+  vpc_name = "${var.project}-${var.owner}-${terraform.workspace}"
+  tags = {
+    project   = var.project
+    owner     = var.owner
+    workspace = terraform.workspace
+  }
+}
diff --git a/terraform/modules/ecs/_data.tf b/terraform/modules/ecs/_data.tf
@@ -36,5 +36,5 @@ data "aws_iam_policy" "amazon_ec2_container_service_for_ec2_role" {
 
 data "aws_route_table" "this" {
   for_each  = local.private_subnet_kvs
-  subnet_id = each.key
+  subnet_id = each.value
 }
diff --git a/terraform/modules/ecs/_local.tf b/terraform/modules/ecs/_local.tf
@@ -191,6 +191,6 @@ locals {
     "com.amazonaws.${var.region}.logs",
     "com.amazonaws.${var.region}.secretsmanager",
   ]
-  s3_service_name = "com.amazonaws.${var.region}.s3"
-  private_subnet_kvs = { for rt in var.private_subnet_ids : rt => rt }
+  s3_service_name    = "com.amazonaws.${var.region}.s3"
+  private_subnet_kvs = { for index, rt in var.private_subnet_ids : index => rt }
 }
diff --git a/terraform/modules/oidc/_data.tf b/terraform/modules/oidc/_data.tf
@@ -142,6 +142,7 @@ data "aws_iam_policy_document" "scoped_two" {
       "ec2:CreateRouteTable",
       "ec2:CreateSecurityGroup",
       "ec2:CreateSubnet",
+      "ec2:CreateVPCEndpoint",
       "ec2:DeleteNetworkAclEntry",
       "iam:PassRole",
     ]
@@ -208,6 +209,7 @@ data "aws_iam_policy_document" "request_tags_create_actions" {
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.project_owner_workspace}*",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${local.project_owner_workspace}*",
       "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/${local.project_owner_workspace}:log-stream:",
+      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/${local.project_owner_workspace}*",
       "arn:aws:servicediscovery:${var.region}:${data.aws_caller_identity.current.account_id}:*/*",
     ]
     condition {

diff --git a/terraform/modules/tfstate/_output.tf b/terraform/modules/tfstate/_output.tf
@@ -0,0 +1,7 @@
+output "state_bucket" {
+  value = aws_s3_bucket.tfstate
+}
+
+output "dynamodb_table" {
+  value = aws_dynamodb_table.tfstate_lock
+}
diff --git a/terraform/modules/tfstate/_variable.tf b/terraform/modules/tfstate/_variable.tf
@@ -0,0 +1,22 @@
+variable "owner" {
+  description = "The owner of the project"
+  type        = string
+  default     = "skylight"
+}
+
+variable "project" {
+  description = "The name of the project"
+  type        = string
+  default     = "dibbs-ce"
+}
+
+variable "region" {
+  type        = string
+  description = "The AWS region where resources are created"
+  default     = "us-east-1"
+}
+
+variable "identifier" {
+  type    = string
+  default = ""
+}
diff --git a/terraform/modules/tfstate/main.tf b/terraform/modules/tfstate/main.tf
@@ -0,0 +1,45 @@
+resource "aws_s3_bucket" "tfstate" {
+  bucket = "${var.project}-tfstate-${var.owner}-${var.identifier}"
+
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "default" {
+  bucket = aws_s3_bucket.tfstate.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/
+# trivy:ignore:AVD-AWS-0132
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+  bucket = aws_s3_bucket.tfstate.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "default" {
+  bucket = aws_s3_bucket.tfstate.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+# Create a DynamoDB table for locking the state file
+resource "aws_dynamodb_table" "tfstate_lock" {
+  name         = "${var.project}-tfstate-lock-${var.owner}-${var.identifier}"
+  hash_key     = "LockID"
+  billing_mode = "PAY_PER_REQUEST"
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+}