diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf
index 858cddf..9c2fd7e 100644
--- a/terraform/implementation/ecs/main.tf
+++ b/terraform/implementation/ecs/main.tf
@@ -26,8 +26,14 @@ module "ecs" {
 # If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
 # disable_ecr = true
+ # If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false)
 # non_integrated_viewer = "true"
- # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true) This requires an internet gateway to be present in the VPC.
+
+ # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
+ # This requires an internet gateway to be present in the VPC.
 # internal = false
+
+ # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
+ # ecr_viewer_app_env = "test"
 }
diff --git a/terraform/implementation/setup/_local.tf b/terraform/implementation/setup/_local.tf
new file mode 100644
index 0000000..8e1dc94
--- /dev/null
+++ b/terraform/implementation/setup/_local.tf
@@ -0,0 +1,8 @@
+locals {
+ vpc_name = "${var.project}-${var.owner}-${terraform.workspace}"
+ tags = {
+ project = var.project
+ owner = var.owner
+ workspace = terraform.workspace
+ }
+}
diff --git a/terraform/modules/ecs/_data.tf b/terraform/modules/ecs/_data.tf
index 41965d3..4a51084 100644
--- a/terraform/modules/ecs/_data.tf
+++ b/terraform/modules/ecs/_data.tf
@@ -36,5 +36,5 @@ data "aws_iam_policy" "amazon_ec2_container_service_for_ec2_role" {
 data "aws_route_table" "this" {
 for_each = local.private_subnet_kvs
- subnet_id = each.key
+ subnet_id = each.value
 }
\ No newline at end of file
diff --git a/terraform/modules/ecs/_local.tf b/terraform/modules/ecs/_local.tf
index 8cac0d5..ab92c98 100644
--- a/terraform/modules/ecs/_local.tf
+++ b/terraform/modules/ecs/_local.tf
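Review bot: The new `ecr_viewer_app_env = "test"` comment documents an option that disables authentication on the viewer, but it says nothing about how that interacts with the `internal = false` option documented a few lines above, and a reader could set both and expose an unauthenticated viewer on the public internet. I would make the comment carry that caveat: `# If the intent is to disable authentication (local/test deployments only; do not combine with internal = false), set ecr_viewer_app_env to "test" (default is "prod")`. The typo "availabble" is also carried over verbatim into the rewritten `internal` comment, so this is the place to correct it to "available". The enclosing `module "ecs"` block starts before the hunk.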
@@ -191,6 +191,6 @@ locals {
 "com.amazonaws.${var.region}.logs",
 "com.amazonaws.${var.region}.secretsmanager",
 ]
- s3_service_name = "com.amazonaws.${var.region}.s3"
- private_subnet_kvs = { for rt in var.private_subnet_ids : rt => rt }
+ s3_service_name = "com.amazonaws.${var.region}.s3"
+ private_subnet_kvs = { for index, rt in var.private_subnet_ids : index => rt }
 }
diff --git a/terraform/modules/oidc/_data.tf b/terraform/modules/oidc/_data.tf
index 61e2651..17f329e 100644
--- a/terraform/modules/oidc/_data.tf
+++ b/terraform/modules/oidc/_data.tf
@@ -142,6 +142,7 @@ data "aws_iam_policy_document" "scoped_two" {
 "ec2:CreateRouteTable",
 "ec2:CreateSecurityGroup",
 "ec2:CreateSubnet",
+ "ec2:CreateVPCEndpoint",
 "ec2:DeleteNetworkAclEntry",
 "iam:PassRole",
 ]
@@ -208,6 +209,7 @@ data "aws_iam_policy_document" "request_tags_create_actions" {
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.project_owner_workspace}*",
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${local.project_owner_workspace}*",
 "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/${local.project_owner_workspace}:log-stream:",
+ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/${local.project_owner_workspace}*",
 "arn:aws:servicediscovery:${var.region}:${data.aws_caller_identity.current.account_id}:*/*",
 ]
 condition {
diff --git a/terraform/modules/tfstate/_output.tf b/terraform/modules/tfstate/_output.tf
new file mode 100644
index 0000000..c86c10a
--- /dev/null
+++ b/terraform/modules/tfstate/_output.tf
@@ -0,0 +1,7 @@
+output "state_bucket" {
+ value = aws_s3_bucket.tfstate
+}
+
+output "dynamodb_table" {
+ value = aws_dynamodb_table.tfstate_lock
+}
\ No newline at end of file
diff --git a/terraform/modules/tfstate/_variable.tf b/terraform/modules/tfstate/_variable.tf
new file mode 100644
index 0000000..2bc7a1b
--- /dev/null
+++ b/terraform/modules/tfstate/_variable.tf
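Review bot: The added log-group ARN `log-group:/${local.project_owner_workspace}*` in `request_tags_create_actions` is a bare prefix match, so it also covers any log group whose name merely starts with the project/owner/workspace string (a workspace named like another workspace plus a suffix, for instance), not just groups belonging to this workspace; the existing role and policy ARNs above use the same prefix form, so this may be accepted, but it is worth stating. If log groups are always created with a separator after the prefix, narrowing to that separator (e.g. `log-group:/${local.project_owner_workspace}/*`, adjusted to the real naming) keeps the grant per-workspace; I cannot see the naming convention or the `condition` block from the hunk, so please confirm against how the ECS module names its log groups. A one-line comment above the new ARN stating why the plain prefix is needed (the pre-existing `:log-stream:` ARN on the line above only matches a single literal group name) would help the next reviewer. The enclosing `data "aws_iam_policy_document"` block continues past the hunk.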
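Review bot: `output "state_bucket"` and `output "dynamodb_table"` in tfstate/_output.tf export the entire resource objects, so consumers couple to the whole provider schema and `terraform output` prints every attribute of both resources rather than the two values a backend configuration needs. Since this is a new file, I would narrow them now, `value = aws_s3_bucket.tfstate.bucket` and `value = aws_dynamodb_table.tfstate_lock.name`, and give each output a `description` such as `description = "Name of the S3 bucket holding Terraform state"` and `description = "Name of the DynamoDB table used for state locking"`.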
@@ -0,0 +1,22 @@
+variable "owner" {
+ description = "The owner of the project"
+ type = string
+ default = "skylight"
+}
+
+variable "project" {
+ description = "The name of the project"
+ type = string
+ default = "dibbs-ce"
+}
+
+variable "region" {
+ type = string
+ description = "The AWS region where resources are created"
+ default = "us-east-1"
+}
+
+variable "identifier" {
+ type = string
+ default = ""
+}
\ No newline at end of file
diff --git a/terraform/modules/tfstate/main.tf b/terraform/modules/tfstate/main.tf
new file mode 100644
index 0000000..de4e477
--- /dev/null
+++ b/terraform/modules/tfstate/main.tf
@@ -0,0 +1,45 @@
+resource "aws_s3_bucket" "tfstate" {
+ bucket = "${var.project}-tfstate-${var.owner}-${var.identifier}"
+
+ force_destroy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "default" {
+ bucket = aws_s3_bucket.tfstate.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/
+# trivy:ignore:AVD-AWS-0132
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+ bucket = aws_s3_bucket.tfstate.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ }
+}
+
+resource "aws_s3_bucket_versioning" "default" {
+ bucket = aws_s3_bucket.tfstate.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+# Create a DynamoDB table for locking the state file
+resource "aws_dynamodb_table" "tfstate_lock" {
+ name = "${var.project}-tfstate-lock-${var.owner}-${var.identifier}"
+ hash_key = "LockID"
+ billing_mode = "PAY_PER_REQUEST"
+
+ attribute {
+ name = "LockID"
+ type = "S"
+ }
+}
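Review bot: `variable "identifier"` has no `description`, and its default of `""` makes the names built in tfstate/main.tf (`${var.project}-tfstate-${var.owner}-${var.identifier}` and the matching lock-table name) end in a hyphen, which S3 rejects because bucket names must end with a letter or digit; either drop the default so callers must supply a value, or document the contract, e.g. `description = "Suffix for the state bucket and lock table names; must be non-empty"`. `variable "region"` is declared here but none of the tfstate module files in this diff reference it, so it looks unused unless a file outside the diff consumes it.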
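Review bot: `force_destroy = true` on `aws_s3_bucket.tfstate` lets a `terraform destroy` remove the state bucket along with every object version that `aws_s3_bucket_versioning` is keeping, which defeats the recovery path versioning exists to provide for state. For a state bucket I would set `force_destroy = false` and add `lifecycle { prevent_destroy = true }` to both `aws_s3_bucket.tfstate` and `aws_dynamodb_table.tfstate_lock`, so deleting them requires an explicit code change. The encryption rule uses `sse_algorithm = "aws:kms"` without a `kms_master_key_id`, so the AWS-managed key applies; the `trivy:ignore:AVD-AWS-0132` line presumably acknowledges that choice, and a short comment saying so (`# AWS-managed KMS key is intentional for the state bucket`) would make the suppression self-explanatory.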