refactor: update configs (#356)

maddevsio · Aug 12, 2024 · d8b659d · d8b659d
1 parent d6b443f
commit d8b659d
Show file tree

Hide file tree

Showing 63 changed files with 1,433 additions and 773 deletions.
diff --git a/.github/workflows/aws-eks-utils-image.yml b/.github/workflows/aws-eks-utils-image.yml
@@ -1,9 +1,9 @@
-name: 'aws-eks-utils'
+name: 'Build docker image aws-eks-utils'
 
 on:
   push:
     branches:
-      - 'main'
+      - main
     paths:
       - 'docker/aws-eks-utils/Dockerfile'
 
@@ -13,14 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Build and Push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           context: docker/aws-eks-utils/

diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
@@ -17,7 +17,7 @@ jobs:
         PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Terraform Init l1
         working-directory: ./terraform/layer1-aws
         run: terraform init -backend=false
@@ -47,7 +47,7 @@ jobs:
         PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Terraform Format
         run: terraform fmt -recursive -write=false -check .
         working-directory: ./terraform
@@ -62,7 +62,7 @@ jobs:
         PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Terraform tflint l1
         working-directory: ./terraform/layer1-aws
         run: tflint --no-color
@@ -79,16 +79,16 @@ jobs:
       options: --user root
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Download init for l1
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: l1
           path: ./terraform/layer1-aws/.terraform
       - name: tfsec l1
         working-directory: ./terraform
         run: tfsec layer1-aws
-      - uses: geekyeggo/delete-artifact@v1
+      - uses: geekyeggo/delete-artifact@v5
         with:
           name: l1
           failOnError: false

diff --git a/.github/workflows/terraform-utils-image.yml b/.github/workflows/terraform-utils-image.yml
@@ -1,4 +1,4 @@
-name: 'Terraform-utils'
+name: 'Build docker image terraform-utils'
 
 on:
   push:
@@ -13,14 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Build and Push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           context: docker/terraform-utils/

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1,5 +1,5 @@
 image:
-  name: hashicorp/terraform:0.14.6
+  name: hashicorp/terraform:1.8.3
   entrypoint:
     - '/usr/bin/env'
     - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@@ -38,7 +38,7 @@ terraform_validate:
     - terraform validate -no-color .
 
 terraform_tflint:
-  image: 
+  image:
     name: wata727/tflint
     entrypoint:
     - '/usr/bin/env'

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,14 +1,14 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.76.0
+  rev: v1.89.1
   hooks:
     - id: terraform_fmt
     - id: terraform_docs
     - id: terragrunt_fmt
 #    - id: terraform_tflint
 #    - id: terraform_tfsec
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.3.0
+  rev: v4.6.0
   hooks:
     - id: check-merge-conflict
     - id: trailing-whitespace

diff --git a/docker/aws-eks-utils/Dockerfile b/docker/aws-eks-utils/Dockerfile
@@ -1,60 +1,75 @@
-FROM public.ecr.aws/docker/library/alpine:3.15.4
+FROM public.ecr.aws/docker/library/ubuntu:22.04 as sessionmanagerplugin
 
-ARG TERRAFORM_VERSION="1.1.8"
-ARG TERRAGRUNT_VERSION="0.39.1"
-ARG HELM_VERSION="3.8.2"
+RUN apt-get update \
+    && apt-get install -y curl \
+    && curl -Lo "session-manager-plugin.deb" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" \
+    && dpkg -i "session-manager-plugin.deb"
+
+FROM public.ecr.aws/docker/library/alpine:3.19.1
+
+ARG TERRAFORM_VERSION="1.8.3"
+ARG TERRAGRUNT_VERSION="0.58.5"
+ARG HELM_VERSION="3.15.0"
 ARG HELMFILE_VERSION="0.144.0"
-ARG KUBECTL_VERSION="1.22.0"
+ARG KUBECTL_VERSION="1.30.1"
 ENV BASE_URL="https://get.helm.sh"
 ENV TAR_FILE="helm-v${HELM_VERSION}-linux-amd64.tar.gz"
 
 #Install python and pip
-RUN echo "**** install Python ****" && \
-    apk add --no-cache python3 && \
-    if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \
-    \
-    echo "**** install pip ****" && \
-    python3 -m ensurepip && \
-    pip3 install --no-cache --upgrade pip setuptools wheel && \
-    if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi
+RUN echo "**** install Python and pip ****" && \
+    apk add --update --no-cache python3 py3-pip py3-setuptools py3-wheel
 
 #Install additional packages and helm
-RUN apk add --update --no-cache openssl git jq bash curl wget unzip ca-certificates && \
+RUN echo "**** install additional packages and helm ****" && \
+    apk add --update --no-cache openssl git jq bash curl wget unzip ca-certificates && \
     curl -L ${BASE_URL}/${TAR_FILE} |tar xvz && \
     mv linux-amd64/helm /usr/bin/helm && \
     chmod +x /usr/bin/helm
 
 WORKDIR /tmp
 
 #Install tfenv for terraform
-RUN git clone https://github.com/tfutils/tfenv.git /usr/bin/.tfenv && \
+RUN echo "**** install tfenv for terraform ****" && \
+    git clone https://github.com/tfutils/tfenv.git /usr/bin/.tfenv && \
     ln -s /usr/bin/.tfenv/bin/* /usr/bin
 
 #Intall tgenv for terragrunt
-RUN git clone https://github.com/cunymatthieu/tgenv.git /usr/bin/.tgenv && \
+RUN echo "**** install tgenv for terragrunt ****" && \
+    git clone https://github.com/cunymatthieu/tgenv.git /usr/bin/.tgenv && \
     ln -s /usr/bin/.tgenv/bin/* /usr/bin
 
 #Install terraform
-RUN tfenv install $TERRAFORM_VERSION
+RUN echo "**** install terraform ****" && \
+    tfenv install $TERRAFORM_VERSION
 
 #Install terragrunt
-RUN tgenv install $TERRAGRUNT_VERSION
+RUN echo "**** install terragrunt ****" && \
+    tgenv install $TERRAGRUNT_VERSION
 
 #Install aws-cli
-RUN pip install awscli --upgrade
+RUN echo "**** install aws-cli ****" && \
+    pip install awscli --upgrade --break-system-packages
+
+#Install aws session-manager plugin for cli
+RUN echo "**** install aws session manager plugin  for cli ****"
+COPY --from=sessionmanagerplugin /usr/local/sessionmanagerplugin/bin/session-manager-plugin /usr/local/bin/
 
 #Install kubectl
-RUN wget https://storage.googleapis.com/kubernetes-release/release/v"$KUBECTL_VERSION"/bin/linux/amd64/kubectl \
-  && chmod +x kubectl && mv kubectl /bin/kubectl
+RUN echo "**** install kubectl ****" && \
+    wget https://storage.googleapis.com/kubernetes-release/release/v"$KUBECTL_VERSION"/bin/linux/amd64/kubectl && \
+    chmod +x kubectl && mv kubectl /bin/kubectl
 
 #Install docker
-RUN apk add --no-cache --update docker
+RUN echo "**** install docker ****" && \
+    apk add --no-cache --update docker
 
 #Install helmfile
-RUN wget https://github.com/roboll/helmfile/releases/download/v${HELMFILE_VERSION}/helmfile_linux_amd64 \
+RUN echo "**** install helmfile ****" && \
+    wget https://github.com/roboll/helmfile/releases/download/v${HELMFILE_VERSION}/helmfile_linux_amd64 \
     && chmod +x helmfile_linux_amd64 && mv helmfile_linux_amd64 /bin/helmfile
 
 # Install ssh
-RUN apk add openssh
+RUN echo "**** install openssh ****" && \
+    apk add openssh
 
 ENTRYPOINT [""]
diff --git a/docker/postgresql-backups/Dockerfile b/docker/postgresql-backups/Dockerfile
@@ -1,18 +1,12 @@
-FROM public.ecr.aws/docker/library/postgres:12-alpine
+FROM public.ecr.aws/docker/library/postgres:16-alpine
 
 #Install python and pip
-RUN echo "**** install Python ****" && \
-    apk add --no-cache python3 && \
-    if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \
-    \
-    echo "**** install pip ****" && \
-    python3 -m ensurepip && \
-    pip3 install --no-cache --upgrade pip setuptools wheel && \
-    if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi
+RUN echo "**** install Python and pip ****" && \
+    apk add --update --no-cache python3 py3-pip py3-setuptools py3-wheel
 
 COPY requirements.txt .
 
-RUN pip install --upgrade --no-cache-dir -r requirements.txt
+RUN pip install --upgrade --no-cache-dir --break-system-packages -r requirements.txt
 
 COPY backup.py .
 

diff --git a/docker/postgresql-exporter-script/Dockerfile b/docker/postgresql-exporter-script/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/postgres:12-alpine
+FROM public.ecr.aws/docker/library/postgres:16-alpine
 
 WORKDIR /app
 

diff --git a/docker/terraform-utils/Dockerfile b/docker/terraform-utils/Dockerfile
@@ -1,5 +1,5 @@
-FROM public.ecr.aws/docker/library/alpine:3.15.4
-ARG TERRAFORM_VERSION="1.1.8"
+FROM public.ecr.aws/docker/library/alpine:3.19.1
+ARG TERRAFORM_VERSION="1.8.3"
 
 WORKDIR /tmp
 

diff --git a/terraform/.terraform-version b/terraform/.terraform-version
@@ -1 +1 @@
-1.7.3
+1.8.3
diff --git a/terraform/modules/aws-acm/README.md b/terraform/modules/aws-acm/README.md
@@ -0,0 +1,36 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | 5.0.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create_acm_certificate"></a> [create\_acm\_certificate](#input\_create\_acm\_certificate) | n/a | `bool` | `false` | no |
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Main public domain name | `string` | n/a | yes |
+| <a name="input_validation_method"></a> [validation\_method](#input\_validation\_method) | Which method to use for validation. DNS or EMAIL are valid. This parameter must not be set for certificates that were imported into ACM and then into Terraform. | `string` | `"DNS"` | no |
+| <a name="input_zone_id"></a> [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_ssl_certificate_arn"></a> [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | n/a |
diff --git a/terraform/modules/aws-acm/main.tf b/terraform/modules/aws-acm/main.tf
@@ -10,12 +10,13 @@ data "aws_acm_certificate" "main" {
 
 module "acm" {
   source  = "terraform-aws-modules/acm/aws"
-  version = "4.3.2"
+  version = "5.0.1"
 
   create_certificate = var.create_acm_certificate
 
-  domain_name = var.domain_name
-  zone_id     = var.zone_id
+  domain_name       = var.domain_name
+  zone_id           = var.zone_id
+  validation_method = var.validation_method
   subject_alternative_names = [
   "*.${var.domain_name}"]
 }
diff --git a/terraform/modules/aws-acm/outputs.tf b/terraform/modules/aws-acm/outputs.tf
@@ -0,0 +1,3 @@
+output "ssl_certificate_arn" {
+  value = var.create_acm_certificate ? module.acm.acm_certificate_arn : data.aws_acm_certificate.main[0].arn
+}
diff --git a/terraform/modules/aws-acm/variables.tf b/terraform/modules/aws-acm/variables.tf
@@ -12,3 +12,8 @@ variable "zone_id" {
   default     = ""
   description = "R53 zone id for public domain"
 }
+
+variable "validation_method" {
+  default     = "DNS"
+  description = "Which method to use for validation. DNS or EMAIL are valid. This parameter must not be set for certificates that were imported into ACM and then into Terraform."
+}
diff --git a/terraform/modules/aws-cis-benchmark-alerts/README.md b/terraform/modules/aws-cis-benchmark-alerts/README.md
@@ -0,0 +1,34 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_eventbridge"></a> [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 3.3.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_cis_benchmark_alerts"></a> [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` | <pre>{<br>  "email": "[email protected]",<br>  "enabled": "false",<br>  "rules": {<br>    "aws_config_changes_enabled": true,<br>    "cloudtrail_configuration_changes_enabled": true,<br>    "console_login_failed_enabled": true,<br>    "consolelogin_without_mfa_enabled": true,<br>    "iam_policy_changes_enabled": true,<br>    "kms_cmk_delete_or_disable_enabled": true,<br>    "nacl_changes_enabled": true,<br>    "network_gateway_changes_enabled": true,<br>    "organization_changes_enabled": true,<br>    "parameter_store_actions_enabled": true,<br>    "route_table_changes_enabled": true,<br>    "s3_bucket_policy_changes_enabled": true,<br>    "secrets_manager_actions_enabled": true,<br>    "security_group_changes_enabled": true,<br>    "unauthorized_api_calls_enabled": true,<br>    "usage_of_root_account_enabled": true,<br>    "vpc_changes_enabled": true<br>  }<br>}</pre> | no |
+| <a name="input_name"></a> [name](#input\_name) | Project name, required to create unique resource names | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
diff --git a/terraform/modules/aws-cis-benchmark-alerts/main.tf b/terraform/modules/aws-cis-benchmark-alerts/main.tf
@@ -1,7 +1,7 @@
 module "eventbridge" {
   count   = var.aws_cis_benchmark_alerts.enabled ? 1 : 0
   source  = "terraform-aws-modules/eventbridge/aws"
-  version = "1.17.3"
+  version = "3.3.1"
 
   create_bus = false