diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 747e8aa..da1af53 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -2,7 +2,7 @@ name: Bug report about: Create a report to help us improve title: '' -labels: '' +labels: Streamline eCR, Cloud Enablement, aws, bug assignees: '' --- diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index bbcbbe7..c32a237 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -2,7 +2,7 @@ name: Feature request about: Suggest an idea for this project title: '' -labels: '' +labels: Streamline eCR, Cloud Enablement, aws, enhancement assignees: '' --- diff --git a/.github/ISSUE_TEMPLATE/maintenance.md b/.github/ISSUE_TEMPLATE/maintenance.md index 179cb38..8779770 100644 --- a/.github/ISSUE_TEMPLATE/maintenance.md +++ b/.github/ISSUE_TEMPLATE/maintenance.md @@ -2,7 +2,7 @@ name: Maintenance about: Questions and requests related to organizational support and maintenance title: '' -labels: '' +labels: Streamline eCR, Cloud Enablement, aws assignees: '' --- diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml new file mode 100644 index 0000000..a9ffcac --- /dev/null +++ b/.github/workflows/tflint.yaml 
@@ -0,0 +1,46 @@ +name: Terraform Linting +on: + pull_request: + push: + branches: + - main + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + tflint: + runs-on: ${{ matrix.os }} + + strategy: + matrix: + os: [ubuntu-latest] + + steps: + - uses: actions/checkout@v4 + name: Checkout source code + + - uses: actions/cache@v4 + name: Cache plugin dir + with: + path: ~/.tflint.d/plugins + key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }} + + - uses: terraform-linters/setup-tflint@v4 + name: Setup TFLint + with: + tflint_version: v0.52.0 + + - name: Show version + run: tflint --version + + - name: Init TFLint + run: tflint --init + # If rate limiting becomes an issue, setup a GitHub token and enable it as an environment variable + # env: + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting + # GITHUB_TOKEN: ${{ github.token }} + + - name: Run TFLint + run: tflint -f compact \ No newline at end of file diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 0000000..7bbeb6e --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,33 @@ +name: Terraform Security Scan + +on: + pull_request: + push: + branches: + - main + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + trivy: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run tflint + uses: ghcr.io/terraform-linters/tflint + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.23.0 + with: + scan-type: 'fs' + scan-ref: . + scanners: 'vuln,secret,config' + ignore-unfixed: false + exit-code: '1' + format: 'table' + severity: 'CRITICAL,HIGH' \ No newline at end of file diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..e150b31 --- /dev/null +++ b/.tflint.hcl 
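Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default scope although every step (checkout, cache, setup-tflint, `tflint --init`) only needs to read the checkout; adding `permissions:` / `  contents: read` at the top of the file keeps it least-privilege, and the same omission is in trivy.yaml in this PR. The actions are referenced by floating major tags (`actions/checkout@v4`, `actions/cache@v4`, `terraform-linters/setup-tflint@v4`) while TFLint itself is pinned to `v0.52.0`; pinning the actions to full commit SHAs with the tag in a trailing comment would make the action supply chain as reproducible as the tool version. The single-entry `matrix.os` only adds indirection for a one-OS job; `runs-on: ubuntu-latest` reads more plainly.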
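Review bot: `uses: ghcr.io/terraform-linters/tflint` in the "Run tflint" step is not a valid action reference — a container image has to be given as `uses: docker://ghcr.io/terraform-linters/tflint:<tag>` — and even once resolvable it would run TFLint without `tflint --init`, so the `aws` plugin declared in `.tflint.hcl` would be reported as missing. Since tflint.yaml in this PR already runs TFLint with plugin initialisation, the simplest fix is to drop the step and keep this workflow to the Trivy scan. `aquasecurity/trivy-action@0.23.0` is a mutable tag rather than a commit SHA, which matters more for a step that reads the entire checkout with the `secret` scanner enabled; a SHA pin with the version in a comment is the usual remedy.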
@@ -0,0 +1,10 @@
+plugin "terraform" {
+ enabled = true
+ preset = "recommended"
+}
+
+plugin "aws" {
+ enabled = true
+ version = "0.34.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index a3cae32..910a3b0 100644
--- a/README.md
+++ b/README.md
@@ -1,27 +1,27 @@ -# CDCgov GitHub Organization Open Source Project Template - -**Template for clearance: This project serves as a template to aid projects in starting up and moving through clearance procedures. To start, create a new repository and implement the required [open practices](open_practices.md), train on and agree to adhere to the organization's [rules of behavior](rules_of_behavior.md), and [send a request through the create repo form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUNk43NzMwODJTRzA4NFpCUk1RRU83RTFNVi4u) using language from this template as a Guide.** - -**General disclaimer** This repository was created for use by CDC programs to collaborate on public health related projects in support of the [CDC mission](https://www.cdc.gov/about/organization/mission.htm). GitHub is not hosted by the CDC, but is a third party website used by CDC and its partners to share information and collaborate on software. CDC use of GitHub does not imply an endorsement of any one particular service, product, or enterprise. - -## Access Request, Repo Creation Request - -* [CDC GitHub Open Project Request Form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUNk43NzMwODJTRzA4NFpCUk1RRU83RTFNVi4u) _[Requires a CDC Office365 login, if you do not have a CDC Office365 please ask a friend who does to submit the request on your behalf. 
If you're looking for access to the CDCEnt private organization, please use the [GitHub Enterprise Cloud Access Request form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUQjVJVDlKS1c0SlhQSUxLNVBaOEZCNUczVS4u).]_ - -## Related documents - -* [Open Practices](open_practices.md) -* [Rules of Behavior](rules_of_behavior.md) -* [Thanks and Acknowledgements](thanks.md) -* [Disclaimer](DISCLAIMER.md) -* [Contribution Notice](CONTRIBUTING.md) -* [Code of Conduct](code-of-conduct.md) - -## Overview - -Describe the purpose of your project. Add additional sections as necessary to help collaborators and potential collaborators understand and use your project. - -## Public Domain Standard Notice +# Table of Contents +[1. Overview](#1-overview)\ +[2. Notices](#2-notices) +- [Table of Contents](#table-of-contents) +- [1. Overview](#1-overview) +- [2. Notices](#2-notices) + - [2.1 Public Domain Standard Notice](#21-public-domain-standard-notice) + - [2.2 License Standard Notice](#22-license-standard-notice) + - [2.3 Privacy Standard Notice](#23-privacy-standard-notice) + - [2.4 Contributing Standard Notice](#24-contributing-standard-notice) + - [2.5 Records Management Standard Notice](#25-records-management-standard-notice) + - [2.6 Additional Standard Notices](#26-additional-standard-notices) +- [3. Architectural Design](#3-architectural-design) + +# 1. Overview + +The Data Integration Building Blocks (DIBBs) project is an effort to help state, local, territorial, and tribal public health departments better make sense of and utilize their data. You can read more about the project on the [main DIBBs repository](https://github.com/CDCgov/phdi/blob/main/README.md). + +This repository is specifically to develop an AWS "starter kit" for the DIBBs project. This will enable our jurisdictional partners to build from this repository to provision their own AWS infrastructure. + ++ [Return to Table of Contents](#table-of-contents). + +# 2. 
Notices +## 2.1 Public Domain Standard Notice This repository constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC ยง 105. This repository is in the public domain within the United States, and copyright and related rights in @@ -30,7 +30,10 @@ All contributions to this repository will be released under the CC0 dedication. submitting a pull request you are agreeing to comply with this waiver of copyright interest. -## License Standard Notice + ++ [Return to Table of Contents](#table-of-contents). + +## 2.2 License Standard Notice The repository utilizes code licensed under the terms of the Apache Software License and therefore is licensed under ASL v2 or later. 
@@ -43,33 +46,47 @@ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the Apache Software License for more details. You should have received a copy of the Apache Software License along with this -program. If not, see http://www.apache.org/licenses/LICENSE-2.0.html +program. If not, see http://www.apache.org/licenses/LICENSE-2.0.html. The source code forked from other open source projects will inherit its license. -## Privacy Standard Notice + ++ [Return to Table of Contents](#table-of-contents). + +## 2.3 Privacy Standard Notice This repository contains only non-sensitive, publicly available data and information. All material and community participation is covered by the [Disclaimer](DISCLAIMER.md) and [Code of Conduct](code-of-conduct.md). For more information about CDC's privacy policy, please visit [http://www.cdc.gov/other/privacy.html](https://www.cdc.gov/other/privacy.html). -## Contributing Standard Notice + ++ [Return to Table of Contents](#table-of-contents). + +## 2.4 Contributing Standard Notice Anyone is encouraged to contribute to the repository by [forking](https://help.github.com/articles/fork-a-repo) -and submitting a pull request. (If you are new to GitHub, you might start with a -[basic tutorial](https://help.github.com/articles/set-up-git).) By contributing -to this project, you grant a world-wide, royalty-free, perpetual, irrevocable, -non-exclusive, transferable license to all users under the terms of the -[Apache Software License v2](http://www.apache.org/licenses/LICENSE-2.0.html) or -later. +and submitting a pull request. (If you are new to GitHub, you might start with a [basic tutorial](https://help.github.com/articles/set-up-git).) By contributing to this project, you grant a world-wide, royalty-free, perpetual, irrevocable, non-exclusive, transferable license to all users under the terms of the [Apache Software License v2](http://www.apache.org/licenses/LICENSE-2.0.html) or later. 
All comments, messages, pull requests, and other submissions received through CDC including this GitHub page may be subject to applicable federal law, including but not limited to the Federal Records Act, and may be archived. Learn more at [http://www.cdc.gov/other/privacy.html](http://www.cdc.gov/other/privacy.html). -## Records Management Standard Notice -This repository is not a source of government records, but is a copy to increase -collaboration and collaborative potential. All government records will be -published through the [CDC web site](http://www.cdc.gov). -## Additional Standard Notices ++ [Return to Table of Contents](#table-of-contents). + +## 2.5 Records Management Standard Notice +This repository is not a source of government records, but is a copy to increase collaboration and collaborative potential. All government records will be published through the [CDC web site](http://www.cdc.gov). + ++ [Return to Table of Contents](#table-of-contents). + +## 2.6 Additional Standard Notices Please refer to [CDC's Template Repository](https://github.com/CDCgov/template) for more information about [contributing to this repository](https://github.com/CDCgov/template/blob/main/CONTRIBUTING.md), [public domain notices and disclaimers](https://github.com/CDCgov/template/blob/main/DISCLAIMER.md), and [code of conduct](https://github.com/CDCgov/template/blob/main/code-of-conduct.md). + + ++ [Return to Table of Contents](#table-of-contents). + +# 3. Architectural Design +The current architectural design for dibbs-aws is as follows: + +![Current DIBBS Architecture as of 6-24-2024](https://github.com/CDCgov/dibbs-aws/assets/29112142/7d43d3c1-5d61-41b8-a1c3-bb4884073825) + ++ [Return to Table of Contents](#table-of-contents). \ No newline at end of file diff --git a/_local.tf b/_local.tf index 6d2c78d..88dfa46 100644 --- a/_local.tf +++ b/_local.tf 
@@ -6,22 +6,21 @@ resource "random_string" "s3_viewer" { locals { registry_url = var.disable_ecr == false ? "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" : "ghcr.io/cdcgov/phdi" - registry_auth = data.aws_ecr_authorization_token.this.proxy_endpoint registry_username = data.aws_ecr_authorization_token.this.user_name registry_password = data.aws_ecr_authorization_token.this.password - service_data = { + service_data = length(var.service_data) > 0 ? var.service_data : { ecr-viewer = { short_name = "ecrv", fargate_cpu = 1024, fargate_memory = 2048, - min_capacity = 1 - max_capacity = 5 + min_capacity = 1, + max_capacity = 5, app_image = var.disable_ecr == false ? "${terraform.workspace}-ecr-viewer" : "ecr-viewer", app_version = var.phdi_version, container_port = 3000, host_port = 3000, - public = true - registry_url = local.registry_url + public = true, + registry_url = local.registry_url, env_vars = [ { name = "AWS_REGION", 
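Review bot: The new conditional `service_data = length(var.service_data) > 0 ? var.service_data : { … }` requires both branches to have compatible object types, and the default literal carries `public`, `registry_url` and `env_vars` attributes; the object type of `variable "service_data"` in `_variable.tf` is cut off in this diff after `container_port`, so I cannot confirm it declares all of them — if any is missing, `terraform validate` rejects the expression rather than falling back to the default. A caller who supplies any non-empty map also replaces the whole default, so each entry must then set `registry_url` itself (here it is `local.registry_url`, which a caller cannot reference); a comment above the local such as `# A non-empty var.service_data replaces this default entirely; entries must set registry_url themselves` would make that explicit. The `locals` block starts before this hunk and continues past it.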
@@ -61,64 +60,64 @@ locals { short_name = "fhirc", fargate_cpu = 1024, fargate_memory = 2048, - min_capacity = 1 - max_capacity = 5 + min_capacity = 1, + max_capacity = 5, app_image = var.disable_ecr == false ? "${terraform.workspace}-fhir-converter" : "fhir-converter", app_version = var.phdi_version, container_port = 8080, host_port = 8080, - public = false - registry_url = local.registry_url + public = false, + registry_url = local.registry_url, env_vars = [] }, ingestion = { short_name = "inge", fargate_cpu = 1024, fargate_memory = 2048, - min_capacity = 1 - max_capacity = 5 + min_capacity = 1, + max_capacity = 5, app_image = var.disable_ecr == false ? "${terraform.workspace}-ingestion" : "ingestion", app_version = var.phdi_version, container_port = 8080, host_port = 8080, - public = false - registry_url = local.registry_url + public = false, + registry_url = local.registry_url, env_vars = [] }, validation = { short_name = "vali", fargate_cpu = 1024, fargate_memory = 2048, - min_capacity = 1 - max_capacity = 5 + min_capacity = 1, + max_capacity = 5, app_image = var.disable_ecr == false ? "${terraform.workspace}-validation" : "validation", app_version = var.phdi_version, container_port = 8080, host_port = 8080, - public = false - registry_url = local.registry_url + public = false, + registry_url = local.registry_url, env_vars = [] }, trigger-code-reference = { short_name = "trigcr", fargate_cpu = 1024, fargate_memory = 2048, - min_capacity = 1 - max_capacity = 5 + min_capacity = 1, + max_capacity = 5, app_image = var.disable_ecr == false ? 
"${terraform.workspace}-trigger-code-reference" : "trigger-code-reference", app_version = var.phdi_version, container_port = 8080, host_port = 8080, - public = false - registry_url = local.registry_url + public = false, + registry_url = local.registry_url, env_vars = [] }, message-parser = { short_name = "msgp", fargate_cpu = 1024, fargate_memory = 2048, - min_capacity = 1 - max_capacity = 5 + min_capacity = 1, + max_capacity = 5, app_image = var.disable_ecr == false ? "${terraform.workspace}-message-parser" : "message-parser", app_version = var.phdi_version, container_port = 8080, @@ -131,14 +130,14 @@ locals { short_name = "orch", fargate_cpu = 1024, fargate_memory = 2048, - min_capacity = 1 - max_capacity = 5 + min_capacity = 1, + max_capacity = 5, app_image = var.disable_ecr == false ? "${terraform.workspace}-orchestration" : "orchestration", app_version = var.phdi_version, container_port = 8080, host_port = 8080, - public = true - registry_url = local.registry_url + public = true, + registry_url = local.registry_url, env_vars = [ { name = "OTEL_METRICS", 
@@ -177,11 +176,9 @@ locals { } local_name = "${var.project}-${var.owner}-${terraform.workspace}" - # service_data = var.service_data == {} ? local.default_service_data : local.default_service_data appmesh_name = var.appmesh_name == "" ? local.local_name : var.appmesh_name cloudmap_namespace_name = var.cloudmap_namespace_name == "" ? local.local_name : var.cloudmap_namespace_name - cloudmap_service_name = var.cloudmap_service_name == "" ? local.local_name : var.cloudmap_service_name - ecs_alb_name = var.ecs_alb_name == "" ? "${local.local_name}" : var.ecs_alb_name + ecs_alb_name = var.ecs_alb_name == "" ? local.local_name : var.ecs_alb_name ecs_alb_tg_name = var.ecs_alb_tg_name == "" ? local.local_name : var.ecs_alb_tg_name ecs_task_execution_role_name = var.ecs_task_execution_role_name == "" ? "${local.local_name}-tern" : var.ecs_task_execution_role_name ecs_task_role_name = var.ecs_task_role_name == "" ? "${local.local_name}-trn" : var.ecs_task_role_name diff --git a/_variable.tf b/_variable.tf index 14ad01f..1819922 100644 --- a/_variable.tf +++ b/_variable.tf @@ -15,12 +15,6 @@ variable "cloudmap_namespace_name" { default = "" } -variable "cloudmap_service_name" { - type = string - description = "Name of the AWS Cloud Map service" - default = "" -} - variable "cw_retention_in_days" { type = number description = "Retention period in days for CloudWatch logs" @@ -39,12 +33,6 @@ variable "ecs_alb_tg_name" { default = "" } -variable "ecs_alb_sg" { - type = string - description = "Name of the ECS ALB Security Group" - default = "" -} - variable "ecs_cluster_name" { type = string description = "Name of the ECS Cluster" @@ -107,7 +95,8 @@ variable "service_data" { short_name = string fargate_cpu = number fargate_memory = number - app_count = number + min_capacity = number + max_capacity = number app_image = string app_version = string container_port = number diff --git a/provider.tf b/provider.tf index fc084d4..5542bae 100644 --- a/provider.tf +++ b/provider.tf 
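Review bot: This hunk drops `local.cloudmap_service_name` along with its variable in `_variable.tf`, but nothing in the diff shows whether a resource still references the local; TFLint's recommended preset does not flag references to an undefined local, so the tflint workflow added in this PR would not catch a dangling `local.cloudmap_service_name`, and a `terraform init -backend=false && terraform validate` step in that workflow is the check that would. The `locals` block begins before this hunk.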
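Review bot: Replacing `app_count` with `min_capacity` and `max_capacity` in the `service_data` object type changes the variable's shape, so any existing `.tfvars` that supplies `app_count` will fail type checking after this change; that looks intended, but deserves a line in the PR description. Nothing constrains the pair, and since the defaults in `_local.tf` (1 and 5) suggest they feed autoscaling bounds, an entry with `min_capacity > max_capacity` would only fail at apply time inside AWS; a `validation` block on the variable surfaces it at plan time instead. The `variable "service_data"` block starts before this hunk and its type continues past it, so the fence below assumes it is a `map(object({...}))` as the map-shaped default in `_local.tf` suggests.
```hcl
variable "service_data" {
  # … unchanged: type = map(object({ … })) and default …
  validation {
    condition     = alltrue([for s in var.service_data : s.min_capacity >= 0 && s.min_capacity <= s.max_capacity])
    error_message = "Each service_data entry must satisfy 0 <= min_capacity <= max_capacity."
  }
```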
@@ -1,10 +1,23 @@ terraform { required_providers { + aws = { + source = "hashicorp/aws" + version = "5.56.1" + } dockerless = { source = "nullstone-io/dockerless" version = "0.1.1" } + null = { + source = "hashicorp/null" + version = "3.2.3" + } + random = { + source = "hashicorp/random" + version = "3.6.3" + } } + required_version = "1.9.0" } provider "dockerless" {
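Review bot: `required_version = "1.9.0"` pins Terraform to a single exact release, so a 1.9.1 patch on a developer machine or CI runner fails `terraform init` outright; `required_version = "~> 1.9.0"` keeps the major/minor while admitting patch releases, which is the conventional form. The exact provider pins (`hashicorp/aws` 5.56.1, `hashicorp/null` 3.2.3, `hashicorp/random` 3.6.3 and the third-party `nullstone-io/dockerless` 0.1.1) fix versions but not integrity — the checksums live in `.terraform.lock.hcl`, which this diff does not touch, so I cannot confirm it is committed; if it is not, running `terraform providers lock` and committing the result is what makes these pins verifiable rather than merely stable.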