From 1aa602099d6af646e6b86e3a9ea260ea5feec1d1 Mon Sep 17 00:00:00 2001
From: Sean Rankine
Date: Thu, 1 Aug 2024 17:04:12 +0100
Subject: [PATCH] Remove infra-mirror-bucket project

This terraform has been migrated to govuk-infrastructure repo.
---
 .../infra-mirror-bucket/.terraform-version | 1 -
 .../projects/infra-mirror-bucket/README.md | 78 ----
 .../integration.govuk.backend | 4 -
 .../projects/infra-mirror-bucket/main.tf | 342 ------------------
 .../infra-mirror-bucket/mirror-read-policy.tf | 209 -----------
 .../production.govuk.backend | 4 -
 .../infra-mirror-bucket/staging.govuk.backend | 4 -
 7 files changed, 642 deletions(-)
 delete mode 100644 terraform/projects/infra-mirror-bucket/.terraform-version
 delete mode 100644 terraform/projects/infra-mirror-bucket/README.md
 delete mode 100644 terraform/projects/infra-mirror-bucket/integration.govuk.backend
 delete mode 100644 terraform/projects/infra-mirror-bucket/main.tf
 delete mode 100644 terraform/projects/infra-mirror-bucket/mirror-read-policy.tf
 delete mode 100644 terraform/projects/infra-mirror-bucket/production.govuk.backend
 delete mode 100644 terraform/projects/infra-mirror-bucket/staging.govuk.backend

diff --git a/terraform/projects/infra-mirror-bucket/.terraform-version b/terraform/projects/infra-mirror-bucket/.terraform-version
deleted file mode 100644
index ebf55b3d7..000000000
--- a/terraform/projects/infra-mirror-bucket/.terraform-version
+++ /dev/null
@@ -1 +0,0 @@
-0.13.6
diff --git a/terraform/projects/infra-mirror-bucket/README.md b/terraform/projects/infra-mirror-bucket/README.md
deleted file mode 100644
index c86a3a84b..000000000
--- a/terraform/projects/infra-mirror-bucket/README.md
+++ /dev/null
@@ -1,78 +0,0 @@ -## Project: infra-mirror-bucket - -This project creates two s3 buckets: a primary s3 bucket to store the govuk -mirror files and a replica s3 bucket which tracks the primary s3 bucket. - -The primary bucket should be in London and the backup in Ireland. - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | = 0.13.6 | -| [aws](#requirement\_aws) | ~> 3.76 | -| [fastly](#requirement\_fastly) | >= 3.0.4 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | ~> 3.76 | -| [aws.aws\_replica](#provider\_aws.aws\_replica) | ~> 3.76 | -| [external](#provider\_external) | n/a | -| [fastly](#provider\_fastly) | >= 3.0.4 | -| [template](#provider\_template) | n/a | -| [terraform](#provider\_terraform) | n/a | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_policy.govuk_mirror_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.govuk_mirror_replication_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy_attachment.govuk_mirror_read_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_policy_attachment.govuk_mirror_replication_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_role.govuk_mirror_replication_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_user.govuk_mirror_google_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | -| [aws_s3_bucket.govuk-mirror](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| 
[aws_s3_bucket.govuk-mirror-replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_policy.govuk_mirror_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_policy.govuk_mirror_replica_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.s3_mirror_read_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.s3_mirror_replica_read_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [fastly_ip_ranges.fastly](https://registry.terraform.io/providers/fastly/fastly/latest/docs/data-sources/ip_ranges) | data source | -| [template_file.s3_govuk_mirror_read_policy_template](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | -| [template_file.s3_govuk_mirror_replication_policy_template](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | -| [template_file.s3_govuk_mirror_replication_role_template](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | -| [terraform_remote_state.infra_monitoring](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | -| [terraform_remote_state.infra_networking](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | -| 
[terraform_remote_state.infra_vpc](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aws\_environment](#input\_aws\_environment) | AWS Environment | `string` | n/a | yes | -| [aws\_integration\_account\_root\_arn](#input\_aws\_integration\_account\_root\_arn) | AWS account root ARN for the Integration account | `string` | n/a | yes | -| [aws\_region](#input\_aws\_region) | AWS region where primary s3 bucket is located | `string` | `"eu-west-2"` | no | -| [aws\_replica\_region](#input\_aws\_replica\_region) | AWS region where replica s3 bucket is located | `string` | `"eu-west-1"` | no | -| [eks\_egress\_ips](#input\_eks\_egress\_ips) | Egress addresses for the corresponding EKS environment, in CIDR notation. | `list(string)` | n/a | yes | -| [enable\_replica\_lifecycle\_rules](#input\_enable\_replica\_lifecycle\_rules) | Enable lifecycle rules for the mirror bucket's replica | `bool` | `true` | no | -| [enable\_replication](#input\_enable\_replication) | Enable replication from the mirror bucket to its replica | `bool` | `true` | no | -| [gds\_egress\_ips](#input\_gds\_egress\_ips) | An array of CIDR blocks that will be allowed offsite access. 
| `list(any)` | n/a | yes |
-| [lifecycle\_government\_uploads](#input\_lifecycle\_government\_uploads) | Number of days for the lifecycle rule for the mirror in the case where the prefix path is www.gov.uk/government/uploads/ | `string` | `"8"` | no |
-| [lifecycle\_main](#input\_lifecycle\_main) | Number of days for the lifecycle rule for the mirror | `string` | `"5"` | no |
-| [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes |
-| [remote\_state\_infra\_monitoring\_key\_stack](#input\_remote\_state\_infra\_monitoring\_key\_stack) | Override stackname path to infra\_monitoring remote state | `string` | `""` | no |
-| [remote\_state\_infra\_networking\_key\_stack](#input\_remote\_state\_infra\_networking\_key\_stack) | Override infra\_networking remote state path | `string` | `""` | no |
-| [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no |
-| [stackname](#input\_stackname) | Stackname | `string` | n/a | yes |
-
-## Outputs
-
-No outputs.
diff --git a/terraform/projects/infra-mirror-bucket/integration.govuk.backend b/terraform/projects/infra-mirror-bucket/integration.govuk.backend
deleted file mode 100644
index b4ad3cbe7..000000000
--- a/terraform/projects/infra-mirror-bucket/integration.govuk.backend
+++ /dev/null
@@ -1,4 +0,0 @@
-bucket = "govuk-terraform-steppingstone-integration"
-key = "govuk/infra-mirror-bucket.tfstate"
-encrypt = true
-region = "eu-west-1"
diff --git a/terraform/projects/infra-mirror-bucket/main.tf b/terraform/projects/infra-mirror-bucket/main.tf
deleted file mode 100644
index ed22d8e99..000000000
--- a/terraform/projects/infra-mirror-bucket/main.tf
+++ /dev/null
@@ -1,342 +0,0 @@ -/** -* ## Project: infra-mirror-bucket -* -* This project creates two s3 buckets: a primary s3 bucket to store the govuk -* mirror files and a replica s3 bucket which tracks the primary s3 bucket. -* -* The primary bucket should be in London and the backup in Ireland. -* -*/ - -variable "aws_region" { - type = string - description = "AWS region where primary s3 bucket is located" - default = "eu-west-2" -} - -variable "aws_replica_region" { - type = string - description = "AWS region where replica s3 bucket is located" - default = "eu-west-1" -} - -variable "aws_environment" { - type = string - description = "AWS Environment" -} - -variable "stackname" { - type = string - description = "Stackname" -} - -variable "remote_state_bucket" { - type = string - description = "S3 bucket we store our terraform state in" -} - -variable "remote_state_infra_monitoring_key_stack" { - type = string - description = "Override stackname path to infra_monitoring remote state " - default = "" -} - -variable "remote_state_infra_networking_key_stack" { - type = string - description = "Override infra_networking remote state path" - default = "" -} - -variable "gds_egress_ips" { - type = list(any) - description = "An array of CIDR blocks that will be allowed offsite access." -} - -variable "eks_egress_ips" { - type = list(string) - description = "Egress addresses for the corresponding EKS environment, in CIDR notation." 
-} - -variable "lifecycle_main" { - type = string - description = "Number of days for the lifecycle rule for the mirror" - default = "5" -} - -variable "lifecycle_government_uploads" { - type = string - description = "Number of days for the lifecycle rule for the mirror in the case where the prefix path is www.gov.uk/government/uploads/" - default = "8" -} - -variable "remote_state_infra_vpc_key_stack" { - type = string - description = "Override infra_vpc remote state path" - default = "" -} - -variable "enable_replication" { - type = bool - description = "Enable replication from the mirror bucket to its replica" - default = true -} - -variable "enable_replica_lifecycle_rules" { - type = bool - description = "Enable lifecycle rules for the mirror bucket's replica" - default = true -} - -# Resources -# -------------------------------------------------------------- - -# Set up the backend & provider for each region -terraform { - backend "s3" {} - required_version = "= 0.13.6" - - required_providers { - fastly = { - source = "fastly/fastly" - version = ">= 3.0.4" - } - - aws = { - source = "hashicorp/aws" - version = "~> 3.76" - } - } -} - -provider "aws" { - region = var.aws_region -} - -provider "aws" { - region = var.aws_replica_region - alias = "aws_replica" -} - -# This provider is no longer used, but at time of writing resources still exist that were created by it, so it can't be removed yet -provider "aws" { - region = "us-east-1" - alias = "aws_cloudfront_certificate" -} - -data "aws_caller_identity" "current" {} - -data "terraform_remote_state" "infra_monitoring" { - backend = "s3" - - config = { - bucket = var.remote_state_bucket - key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = var.aws_replica_region - } -} - -data "terraform_remote_state" "infra_networking" { - backend = "s3" - - config = { - bucket = var.remote_state_bucket - key = "${coalesce(var.remote_state_infra_networking_key_stack, 
var.stackname)}/infra-networking.tfstate" - region = var.aws_replica_region - } -} - -data "terraform_remote_state" "infra_vpc" { - backend = "s3" - - config = { - bucket = var.remote_state_bucket - key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = var.aws_replica_region - } -} - -resource "aws_s3_bucket" "govuk-mirror" { - bucket = "govuk-${var.aws_environment}-mirror" - - tags = { - Name = "govuk-${var.aws_environment}-mirror" - aws_environment = var.aws_environment - } - - logging { - target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_secondary_logging_bucket_id - target_prefix = "s3/govuk-${var.aws_environment}-mirror/" - } - - versioning { - enabled = true - } - - lifecycle_rule { - id = "main" - enabled = true - - prefix = "" - - noncurrent_version_expiration { - days = var.lifecycle_main - } - } - - lifecycle_rule { - id = "government_uploads" - enabled = true - - prefix = "www.gov.uk/government/uploads/" - - noncurrent_version_expiration { - days = var.lifecycle_government_uploads - } - } - - dynamic "replication_configuration" { - for_each = var.enable_replication ? [1] : [] - - content { - role = aws_iam_role.govuk_mirror_replication_role.arn - - rules { - id = "govuk-mirror-replication-whole-bucket-rule" - prefix = "" - status = "Enabled" - - destination { - bucket = aws_s3_bucket.govuk-mirror-replica.arn - storage_class = "STANDARD" - } - } - } - } - - cors_rule { - allowed_headers = ["*"] - allowed_methods = ["GET", "HEAD"] - allowed_origins = ["*"] - max_age_seconds = 3000 - } -} - -resource "aws_s3_bucket" "govuk-mirror-replica" { - bucket = "govuk-${var.aws_environment}-mirror-replica" - provider = aws.aws_replica - - tags = { - Name = "govuk-${var.aws_environment}-mirror-replica" - Status = var.enable_replication ? 
null : "Not in use in ${var.aws_environment} environment" - aws_environment = var.aws_environment - } - - logging { - target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id - target_prefix = "s3/govuk-${var.aws_environment}-mirror-replica/" - } - - versioning { - enabled = true - } - - dynamic "lifecycle_rule" { - for_each = var.enable_replica_lifecycle_rules ? [1] : [] - - content { - id = "main" - enabled = true - - prefix = "" - - noncurrent_version_expiration { - days = var.lifecycle_main - } - } - } - - dynamic "lifecycle_rule" { - for_each = var.enable_replica_lifecycle_rules ? [1] : [] - - content { - id = "government_uploads" - enabled = true - - prefix = "www.gov.uk/government/uploads/" - - noncurrent_version_expiration { - days = var.lifecycle_government_uploads - } - } - } -} - -resource "aws_s3_bucket_policy" "govuk_mirror_read_policy" { - bucket = aws_s3_bucket.govuk-mirror.id - policy = data.aws_iam_policy_document.s3_mirror_read_policy_doc.json -} - -resource "aws_s3_bucket_policy" "govuk_mirror_replica_read_policy" { - bucket = aws_s3_bucket.govuk-mirror-replica.id - policy = data.aws_iam_policy_document.s3_mirror_replica_read_policy_doc.json - provider = aws.aws_replica -} - -# S3 backup replica role configuration -data "template_file" "s3_govuk_mirror_replication_role_template" { - template = file("${path.module}/../../policies/s3_govuk_mirror_replication_role.tpl") -} - -# Adding backup replication role -resource "aws_iam_role" "govuk_mirror_replication_role" { - name = "${var.stackname}-mirror-replication-role" - assume_role_policy = data.template_file.s3_govuk_mirror_replication_role_template.rendered -} - -data "template_file" "s3_govuk_mirror_replication_policy_template" { - template = file("${path.module}/../../policies/s3_govuk_mirror_replication_policy.tpl") - - vars = { - govuk_mirror_arn = aws_s3_bucket.govuk-mirror.arn - govuk_mirror_replica_arn = aws_s3_bucket.govuk-mirror-replica.arn - 
aws_account_id = data.aws_caller_identity.current.account_id - } -} - -# Adding backup replication policy -resource "aws_iam_policy" "govuk_mirror_replication_policy" { - name = "govuk-${var.aws_environment}-mirror-buckets-replication-policy" - policy = data.template_file.s3_govuk_mirror_replication_policy_template.rendered - description = "Allows replication of the mirror buckets" -} - -# Combine the role and policy -resource "aws_iam_policy_attachment" "govuk_mirror_replication_policy_attachment" { - name = "s3-govuk-mirror-replication-policy-attachment" - roles = [aws_iam_role.govuk_mirror_replication_role.name] - policy_arn = aws_iam_policy.govuk_mirror_replication_policy.arn -} - -data "template_file" "s3_govuk_mirror_read_policy_template" { - template = file("${path.module}/../../policies/s3_govuk_mirror_read_policy.tpl") - - vars = { - govuk_mirror_arn = aws_s3_bucket.govuk-mirror.arn - } -} - -resource "aws_iam_policy" "govuk_mirror_read_policy" { - name = "govuk-${var.aws_environment}-mirror-read-policy" - policy = data.template_file.s3_govuk_mirror_read_policy_template.rendered - description = "Allow the listing and reading of the primary govuk mirror bucket" -} - -resource "aws_iam_user" "govuk_mirror_google_reader" { - name = "govuk_mirror_google_reader" -} - -resource "aws_iam_policy_attachment" "govuk_mirror_read_policy_attachment" { - name = "s3-govuk-mirror-read-policy-attachment" - users = [aws_iam_user.govuk_mirror_google_reader.name] - policy_arn = aws_iam_policy.govuk_mirror_read_policy.arn -} diff --git a/terraform/projects/infra-mirror-bucket/mirror-read-policy.tf b/terraform/projects/infra-mirror-bucket/mirror-read-policy.tf deleted file mode 100644 index a492dbbcd..000000000 --- a/terraform/projects/infra-mirror-bucket/mirror-read-policy.tf +++ /dev/null 
@@ -1,209 +0,0 @@
-provider "fastly" {
- # We only want to use fastly's data API
- api_key = "test"
-}
-
-variable "aws_integration_account_root_arn" {
- type = string
- description = "AWS account root ARN for the Integration account"
-}
-
-locals {
- egress_ips = concat(
- var.eks_egress_ips,
- data.terraform_remote_state.infra_networking.outputs.nat_gateway_elastic_ips_list,
- )
-}
-
-data "fastly_ip_ranges" "fastly" {}
-
-data "aws_iam_policy_document" "s3_mirror_read_policy_doc" {
- statement {
- sid = "S3FastlyReadBucket"
- actions = ["s3:GetObject"]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}/*",
- ]
-
- condition {
- test = "IpAddress"
- variable = "aws:SourceIp"
- values = data.fastly_ip_ranges.fastly.cidr_blocks
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-
- statement {
- sid = "S3OfficeReadBucket"
- actions = ["s3:GetObject"]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}/*",
- ]
-
- condition {
- test = "IpAddress"
- variable = "aws:SourceIp"
- values = var.gds_egress_ips
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-
- statement {
- sid = "S3NATInternalReadBucket"
- actions = ["s3:GetObject"]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}/*",
- ]
-
- condition {
- test = "IpAddress"
- variable = "aws:SourceIp"
- values = local.egress_ips
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-
- statement {
- sid = "CrossAccountAccess"
- effect = "Allow"
-
- actions = [
- "s3:ListBucket",
- "s3:GetObject",
- ]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}/*",
- ]
-
- principals {
- type = "AWS"
- identifiers = [var.aws_integration_account_root_arn]
- }
- }
-}
-
-data "aws_iam_policy_document" 
"s3_mirror_replica_read_policy_doc" {
- statement {
- sid = "S3FastlyReadBucket"
- actions = ["s3:GetObject"]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}/*",
- ]
-
- condition {
- test = "IpAddress"
- variable = "aws:SourceIp"
- values = data.fastly_ip_ranges.fastly.cidr_blocks
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-
- statement {
- sid = "S3OfficeReadBucket"
- actions = ["s3:GetObject"]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}/*",
- ]
-
- condition {
- test = "IpAddress"
- variable = "aws:SourceIp"
- values = var.gds_egress_ips
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-
- statement {
- sid = "S3NATInternalReadBucket"
- actions = ["s3:GetObject"]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}/*",
- ]
-
- condition {
- test = "IpAddress"
- variable = "aws:SourceIp"
- values = local.egress_ips
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-
- statement {
- sid = "S3NATGatewayReadBucket"
- actions = ["s3:GetObject"]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}/*",
- ]
-
- condition {
- test = "StringEquals"
- variable = "aws:SourceVpce"
- values = [data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id]
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-
- statement {
- sid = "CrossAccountAccess"
- effect = "Allow"
-
- actions = [
- "s3:ListBucket",
- "s3:GetObject",
- ]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}/*",
- ]
-
- principals {
- type = "AWS"
- identifiers = [var.aws_integration_account_root_arn]
- }
- }
-}
diff --git a/terraform/projects/infra-mirror-bucket/production.govuk.backend b/terraform/projects/infra-mirror-bucket/production.govuk.backend
deleted file mode 100644
index 7d2cfe678..000000000
--- a/terraform/projects/infra-mirror-bucket/production.govuk.backend
+++ /dev/null
@@ -1,4 +0,0 @@
-bucket = "govuk-terraform-steppingstone-production"
-key = "govuk/infra-mirror-bucket.tfstate"
-encrypt = true
-region = "eu-west-1"
diff --git a/terraform/projects/infra-mirror-bucket/staging.govuk.backend b/terraform/projects/infra-mirror-bucket/staging.govuk.backend
deleted file mode 100644
index eb0e73ca7..000000000
--- a/terraform/projects/infra-mirror-bucket/staging.govuk.backend
+++ /dev/null
@@ -1,4 +0,0 @@
-bucket = "govuk-terraform-steppingstone-staging"
-key = "govuk/infra-mirror-bucket.tfstate"
-encrypt = true
-region = "eu-west-1"