feat: fetch the list of OFAC blocked countries from GitHub variables (#…

…163)

.github/workflows/sub-infra-apply.yml

@@ -79,6 +79,7 @@ jobs:
         id: configure-tfvars
         working-directory: ${{ vars.TF_DIRECTORY }}
         run: |
+          echo 'ofac_blocked_countries="${{ vars.OFAC_BLOCKED_COUNTRIES }}"' >> plan.auto.tfvars
           echo 'image_version="${{ inputs.version }}"' >> plan.auto.tfvars
           echo 'grafana_auth="${{ steps.grafana-get-key.outputs.key }}"' >> plan.auto.tfvars
 

.github/workflows/sub-infra-plan.yml

@@ -82,6 +82,7 @@ jobs:
       - name: Configure Terraform Variables
         working-directory: ${{ vars.TF_DIRECTORY }}
         run: |
+          echo 'ofac_blocked_countries="${{ vars.OFAC_BLOCKED_COUNTRIES }}"' >> plan.auto.tfvars
           echo 'image_version="${{ inputs.version }}"' >> plan.auto.tfvars
           echo 'grafana_auth="${{ steps.grafana-get-key.outputs.key }}"' >> plan.auto.tfvars
 

terraform/README.md

@@ -58,6 +58,7 @@ To authenticate, run `terraform login` and follow the instructions.
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Defines logging level for the application |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
 | <a name="input_notification_channels"></a> [notification\_channels](#input\_notification\_channels) | The notification channels to send alerts to |  <pre lang="json">list(any)</pre> |  <pre lang="json">[]</pre> |  no |
 | <a name="input_notify_url"></a> [notify\_url](#input\_notify\_url) | The URL of the notify server |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
+| <a name="input_ofac_blocked_countries"></a> [ofac\_blocked\_countries](#input\_ofac\_blocked\_countries) | The list of countries to block |  <pre lang="json">string</pre> |  <pre lang="json">""</pre> |  no |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project to use for the app |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
 | <a name="input_registry_api_auth_token"></a> [registry\_api\_auth\_token](#input\_registry\_api\_auth\_token) | The auth token for the registry API |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
 | <a name="input_registry_api_endpoint"></a> [registry\_api\_endpoint](#input\_registry\_api\_endpoint) | The endpoint of the registry API |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |

terraform/ecs/README.md

@@ -53,7 +53,7 @@ This module creates an ECS cluster and an autoscaling group of EC2 instances to
 | <a name="input_keypair_seed"></a> [keypair\_seed](#input\_keypair\_seed) | The seed for the keypair used to encrypt data |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level for the app |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
 | <a name="input_notify_url"></a> [notify\_url](#input\_notify\_url) | The URL of the notify server |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
-| <a name="input_ofac_blocked_countries"></a> [ofac\_blocked\_countries](#input\_ofac\_blocked\_countries) | The list of countries under OFAC sanctions |  <pre lang="json">list(string)</pre> |  <pre lang="json">[<br>  "KP",<br>  "IR",<br>  "CU",<br>  "SY"<br>]</pre> |  no |
+| <a name="input_ofac_blocked_countries"></a> [ofac\_blocked\_countries](#input\_ofac\_blocked\_countries) | The list of countries under OFAC sanctions |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
 | <a name="input_port"></a> [port](#input\_port) | The port the app listens on |  <pre lang="json">number</pre> |  <pre lang="json">n/a</pre> |  yes |
 | <a name="input_postgres_url"></a> [postgres\_url](#input\_postgres\_url) | The connection URL for the PostgreSQL instance |  <pre lang="json">string</pre> |  <pre lang="json">n/a</pre> |  yes |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The IDs of the private subnets |  <pre lang="json">list(string)</pre> |  <pre lang="json">n/a</pre> |  yes |

terraform/ecs/cluster.tf

@@ -85,7 +85,7 @@ resource "aws_ecs_task_definition" "app_task" {
         { name = "GEOIP_DB_BUCKET", value = var.geoip_db_bucket_name },
         { name = "GEOIP_DB_KEY", value = var.geoip_db_key },
 
-        { name = "BLOCKED_COUNTRIES", value = join(",", var.ofac_blocked_countries) },
+        { name = "BLOCKED_COUNTRIES", value = var.ofac_blocked_countries },
 
         { name = "ANALYTICS_ENABLED", value = "true" },
         { name = "ANALYTICS_EXPORT_BUCKET", value = var.analytics_datalake_bucket_name },

terraform/ecs/variables.tf

@@ -254,6 +254,5 @@ variable "geoip_db_key" {
 
 variable "ofac_blocked_countries" {
   description = "The list of countries under OFAC sanctions"
-  type        = list(string)
-  default     = ["KP", "IR", "CU", "SY"]
+  type        = string
 }

terraform/res_application.tf

@@ -54,12 +54,13 @@ module "ecs" {
   allowed_lb_ingress_cidr_blocks  = module.vpc.vpc_cidr_block
 
   # Application
-  port         = 8080
-  log_level    = var.log_level
-  keypair_seed = var.keypair_seed
-  project_id   = var.project_id
-  relay_url    = var.relay_url
-  notify_url   = var.notify_url
+  port                   = 8080
+  log_level              = var.log_level
+  keypair_seed           = var.keypair_seed
+  project_id             = var.project_id
+  relay_url              = var.relay_url
+  notify_url             = var.notify_url
+  ofac_blocked_countries = var.ofac_blocked_countries
 
   docdb_url    = module.docdb.connection_url
   postgres_url = module.postgres.database_url

terraform/variables.tf

@@ -49,6 +49,11 @@ variable "app_autoscaling_max_capacity" {
   default     = 1
 }
 
+variable "ofac_blocked_countries" {
+  description = "The list of countries to block"
+  type        = string
+  default     = ""
+}
 
 #-------------------------------------------------------------------------------
 # Project Registry