From e24539589c27645cdfdfe92c5ce5a63b92c0c437 Mon Sep 17 00:00:00 2001
From: Maboh Christopher
Date: Fri, 14 Jun 2024 16:09:12 -0400
Subject: [PATCH 1/9] switch resource block to data block
---
 terraform/modules/bucket/main.tf | 58 ++-------------------------
 terraform/modules/bucket/outputs.tf | 10 +++++
 terraform/modules/bucket/variables.tf | 9 +++++
 3 files changed, 23 insertions(+), 54 deletions(-)
diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf
index af95db63..aadcbd21 100644
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -87,63 +87,13 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 }
 }
-resource "aws_s3_bucket" "access_logs" {
- bucket = "${var.name}-access"
- force_destroy = true
-}
-
-data "aws_iam_policy_document" "access_logs" {
- statement {
- sid = "AllowSSLRequestsOnly"
-
- effect = "Deny"
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
-
- actions = ["s3:*"]
-
- resources = [
- aws_s3_bucket.access_logs.arn,
- "${aws_s3_bucket.access_logs.arn}/*",
- ]
-
- condition {
- test = "Bool"
- variable = "aws:SecureTransport"
- values = ["false"]
- }
- }
-}
-
-resource "aws_s3_bucket_policy" "access_logs" {
- bucket = aws_s3_bucket.access_logs.id
- policy = data.aws_iam_policy_document.access_logs.json
-}
-
-resource "aws_s3_bucket_versioning" "access_logs" {
- bucket = aws_s3_bucket.access_logs.id
- versioning_configuration {
- status = "Enabled"
- }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs" {
- bucket = aws_s3_bucket.access_logs.id
-
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = module.bucket_key.id
- sse_algorithm = "aws:kms"
- }
- }
+data "aws_s3_bucket" "access_logs" {
+ bucket = "${var.app}-access-logs"
 }
 resource "aws_s3_bucket_logging" "this" {
 bucket = aws_s3_bucket.this.id
- target_bucket = aws_s3_bucket.access_logs.id
- target_prefix = "log/"
+ target_bucket = data.aws_s3_bucket.access_logs.id
+ target_prefix = "${var.name}/log/"
 }
diff --git a/terraform/modules/bucket/outputs.tf b/terraform/modules/bucket/outputs.tf
index ef1a5cc8..54b94c24 100644
--- a/terraform/modules/bucket/outputs.tf
+++ b/terraform/modules/bucket/outputs.tf
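Review bot: Deleting `resource "aws_s3_bucket" "access_logs"` while it still carries `force_destroy = true` means the next apply destroys the old per-module log bucket together with every access log already delivered to it, so audit history is lost rather than migrated; if those logs must be kept, drop the resource from state first (`terraform state rm`) or copy the objects to the new target before applying (a `removed` block is not available under the `~> 1.5.5` pin in versions.tf). The module also stops enforcing what it previously guaranteed for the log target — the `aws:SecureTransport` deny policy, versioning and SSE-KMS now belong to an externally managed bucket that nothing here verifies, and the `data "aws_s3_bucket"` lookup only proves the bucket exists at plan time. I'd record that assumption on the data block: `# Central access-log bucket is provisioned outside this module; it is expected to keep the TLS-only policy, versioning and SSE-KMS the in-module bucket enforced, and its policy presumably has to allow the S3 logging service principal to write objects for this source bucket — confirm.` The same applies to the later forms of this block in patches 3 and 6.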
@@ -7,3 +7,13 @@ output "id" {
 description = "ID for the S3 bucket"
 value = aws_s3_bucket.this.id
 }
+
+output "access_log_bucket_name" {
+ description = "The name of the access log S3 bucket"
+ value = data.aws_s3_bucket.access_logs.bucket
+}
+
+output "access_log_bucket_arn" {
+ description = "The ARN of the access log S3 bucket"
+ value = data.aws_s3_bucket.access_logs.arn
+}
diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf
index f55c3b64..751acee5 100644
--- a/terraform/modules/bucket/variables.tf
+++ b/terraform/modules/bucket/variables.tf
@@ -8,3 +8,12 @@ variable "cross_account_read_roles" {
 type = list
 default = []
 }
+
+variable "app" {
+ description = "The application name (bcda, dpc)"
+ type = string
+ validation {
+ condition = contains(["bcda", "dpc"], var.app)
+ error_message = "Valid value for app is bcda, or dpc."
+ }
+}
From 7f8d051aa372bbb7120551b14d14156c309d28c2 Mon Sep 17 00:00:00 2001
From: Maboh Christopher
Date: Fri, 14 Jun 2024 17:18:09 -0400
Subject: [PATCH 2/9] fix workflow failure issue
---
 terraform/modules/bucket/main.tf | 4 +---
 terraform/modules/bucket/variables.tf | 11 ++++-------
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf
index aadcbd21..74ce6ee5 100644
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -86,11 +86,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 }
 }
 }
-
 data "aws_s3_bucket" "access_logs" {
- bucket = "${var.app}-access-logs"
+ bucket = var.access_log_bucket_name
 }
-
 resource "aws_s3_bucket_logging" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf
index 751acee5..bc037527 100644
--- a/terraform/modules/bucket/variables.tf
+++ b/terraform/modules/bucket/variables.tf
@@ -9,11 +9,8 @@ variable "cross_account_read_roles" {
 default = []
 }
-variable "app" {
- description = "The application name (bcda, dpc)"
- type = string
- validation {
- condition = contains(["bcda", "dpc"], var.app)
- error_message = "Valid value for app is bcda, or dpc."
- }
+variable "access_log_bucket_name" {
+ type = string
+ description = "The name of the centralized access log bucket"
+ default = "access-logs"
 }
From ac70e7dd3d8b009782c319f346c7befc036c8953 Mon Sep 17 00:00:00 2001
From: Maboh Christopher
Date: Fri, 21 Jun 2024 14:58:27 -0400
Subject: [PATCH 3/9] modify data source
---
 terraform/modules/bucket/main.tf | 6 +++---
 terraform/modules/bucket/outputs.tf | 4 ++--
 terraform/modules/bucket/variables.tf | 14 +++++++++-----
 terraform/modules/bucket/versions.tf | 2 +-
 terraform/modules/function/main.tf | 3 +++
 5 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf
index 74ce6ee5..d28287eb 100644
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -86,12 +86,12 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 }
 }
 }
-data "aws_s3_bucket" "access_logs" {
- bucket = var.access_log_bucket_name
+data "aws_s3_bucket" "bucket-access_logs" {
+ bucket = "${var.app}-${var.env}-bucket-access-log"
 }
 resource "aws_s3_bucket_logging" "this" {
 bucket = aws_s3_bucket.this.id
- target_bucket = data.aws_s3_bucket.access_logs.id
+ target_bucket = data.aws_s3_bucket.bucket-access_logs.id
 target_prefix = "${var.name}/log/"
 }
diff --git a/terraform/modules/bucket/outputs.tf b/terraform/modules/bucket/outputs.tf
index 54b94c24..c0e89155 100644
--- a/terraform/modules/bucket/outputs.tf
+++ b/terraform/modules/bucket/outputs.tf
@@ -10,10 +10,10 @@ output "id" {
 output "access_log_bucket_name" {
 description = "The name of the access log S3 bucket"
- value = data.aws_s3_bucket.access_logs.bucket
+ value = data.aws_s3_bucket.bucket-access_logs.bucket
 }
 output "access_log_bucket_arn" {
 description = "The ARN of the access log S3 bucket"
- value = data.aws_s3_bucket.access_logs.arn
+ value = data.aws_s3_bucket.bucket-access_logs.arn
 }
diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf
index bc037527..c2eddd37 100644
--- a/terraform/modules/bucket/variables.tf
+++ b/terraform/modules/bucket/variables.tf
@@ -5,12 +5,16 @@ variable "name" {
 variable "cross_account_read_roles" {
 description = "Roles in other accounts that need read access to this S3 bucket"
- type = list
+ type = list(any)
 default = []
 }
-variable "access_log_bucket_name" {
- type = string
- description = "The name of the centralized access log bucket"
- default = "access-logs"
+variable "app" {
+ description = "The name of the application"
+ type = string
+}
+
+variable "env" {
+ description = "The environment name"
+ type = string
 }
diff --git a/terraform/modules/bucket/versions.tf b/terraform/modules/bucket/versions.tf
index a123982a..581752ec 100644
--- a/terraform/modules/bucket/versions.tf
+++ b/terraform/modules/bucket/versions.tf
@@ -1,7 +1,7 @@
 terraform {
 required_providers {
 aws = {
- source = "hashicorp/aws"
+ source = "hashicorp/aws"
 }
 }
 required_version = "~> 1.5.5"
diff --git a/terraform/modules/function/main.tf b/terraform/modules/function/main.tf
index cc243859..a4f8bc4e 100644
--- a/terraform/modules/function/main.tf
+++ b/terraform/modules/function/main.tf
@@ -145,6 +145,9 @@ module "zip_bucket" {
 "arn:aws:iam::${data.aws_ssm_parameter.prod_account[0].value}:role/delegatedadmin/developer/${var.app}-prod-github-actions",
 "arn:aws:iam::${data.aws_ssm_parameter.sbx_account[0].value}:role/delegatedadmin/developer/${var.app}-sbx-github-actions",
 ] : []
+
+ app = var.app
+ env = var.env
 }
 resource "aws_s3_object" "empty_function_zip" {
From f68b45a86c5775951845c53f9f15b33c2ec1f7f7 Mon Sep 17 00:00:00 2001
From: Maboh Christopher
Date: Thu, 27 Jun 2024 19:00:59 -0400
Subject: [PATCH 4/9] fix resource name & modify workflow
---
 .github/workflows/tfstate-apply.yml | 2 ++
 .github/workflows/tfstate-plan.yml | 2 ++
 terraform/modules/bucket/main.tf | 6 +++---
 terraform/modules/bucket/outputs.tf | 10 ----------
 terraform/modules/bucket/variables.tf | 12 ++++++++++--
 terraform/services/tfstate/main.tf | 2 ++
 6 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/tfstate-apply.yml b/.github/workflows/tfstate-apply.yml
index 9e3751b9..65413f76 100644
--- a/.github/workflows/tfstate-apply.yml
+++ b/.github/workflows/tfstate-apply.yml
@@ -7,6 +7,8 @@ on:
 paths:
 - .github/workflows/tfstate-apply.yml
 - terraform/services/tfstate/**
+ - terraform/modules/bucket/**
+ - terraform/modules/table/**
 workflow_dispatch: # Allow manual trigger
 jobs:
diff --git a/.github/workflows/tfstate-plan.yml b/.github/workflows/tfstate-plan.yml
index 923d8e47..b19ba05a 100644
--- a/.github/workflows/tfstate-plan.yml
+++ b/.github/workflows/tfstate-plan.yml
@@ -5,6 +5,8 @@ on:
 paths:
 - .github/workflows/tfstate-plan.yml
 - terraform/services/tfstate/**
+ - terraform/modules/bucket/**
+ - terraform/modules/table/**
 workflow_dispatch: # Allow manual trigger
 jobs:
diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf
index d28287eb..43539bc0 100644
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -86,12 +86,12 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 }
 }
 }
-data "aws_s3_bucket" "bucket-access_logs" {
+data "aws_s3_bucket" "bucket_access_logs" {
 bucket = "${var.app}-${var.env}-bucket-access-log"
 }
 resource "aws_s3_bucket_logging" "this" {
 bucket = aws_s3_bucket.this.id
- target_bucket = data.aws_s3_bucket.bucket-access_logs.id
- target_prefix = "${var.name}/log/"
+ target_bucket = data.aws_s3_bucket.bucket_access_logs.id
+ target_prefix = "${var.name}/"
 }
diff --git a/terraform/modules/bucket/outputs.tf b/terraform/modules/bucket/outputs.tf
index c0e89155..ef1a5cc8 100644
--- a/terraform/modules/bucket/outputs.tf
+++ b/terraform/modules/bucket/outputs.tf
@@ -7,13 +7,3 @@ output "id" {
 description = "ID for the S3 bucket"
 value = aws_s3_bucket.this.id
 }
-
-output "access_log_bucket_name" {
- description = "The name of the access log S3 bucket"
- value = data.aws_s3_bucket.bucket-access_logs.bucket
-}
-
-output "access_log_bucket_arn" {
- description = "The ARN of the access log S3 bucket"
- value = data.aws_s3_bucket.bucket-access_logs.arn
-}
diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf
index c2eddd37..e13b1837 100644
--- a/terraform/modules/bucket/variables.tf
+++ b/terraform/modules/bucket/variables.tf
@@ -10,11 +10,19 @@ variable "cross_account_read_roles" {
 }
 variable "app" {
- description = "The name of the application"
+ description = "The application name (ab2d, bcda, dpc)"
 type = string
+ validation {
+ condition = contains(["ab2d", "bcda", "dpc"], var.app)
+ error_message = "Valid value for app is ab2d, bcda, or dpc."
+ }
 }
 variable "env" {
- description = "The environment name"
+ description = "The application environment (dev, test, sbx, prod, mgmt)"
 type = string
+ validation {
+ condition = contains(["dev", "test", "sbx", "prod", "mgmt"], var.env)
+ error_message = "Valid value for env is dev, test, sbx, prod, or mgmt."
+ }
 }
diff --git a/terraform/services/tfstate/main.tf b/terraform/services/tfstate/main.tf
index 5296eee8..6d977cb5 100644
--- a/terraform/services/tfstate/main.tf
+++ b/terraform/services/tfstate/main.tf
@@ -5,6 +5,8 @@ locals {
 module "tfstate_bucket" {
 source = "../../modules/bucket"
 name = local.name
+ app = var.app
+ env = var.env
 }
 module "tfstate_table" {
From caa0c7272a96304aa2edaa0078d59b76695f4617 Mon Sep 17 00:00:00 2001
From: Maboh Christopher
Date: Thu, 27 Jun 2024 19:08:11 -0400
Subject: [PATCH 5/9] fix resource name & modify workflow
---
 terraform/services/tfstate/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/services/tfstate/main.tf b/terraform/services/tfstate/main.tf
index 6d977cb5..17e0d258 100644
--- a/terraform/services/tfstate/main.tf
+++ b/terraform/services/tfstate/main.tf
@@ -5,8 +5,8 @@ locals {
 module "tfstate_bucket" {
 source = "../../modules/bucket"
 name = local.name
- app = var.app
- env = var.env
+ app = var.app
+ env = var.env
 }
 module "tfstate_table" {
From b9a164975a790b488b25b2dc97ed6081e777b1b2 Mon Sep 17 00:00:00 2001
From: Maboh Christopher
Date: Tue, 23 Jul 2024 11:32:31 -0400
Subject: [PATCH 6/9] modify bucket name
---
 terraform/modules/bucket/main.tf | 4 +++-
 terraform/modules/bucket/variables.tf | 18 ------------------
 2 files changed, 3 insertions(+), 19 deletions(-)
diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf
index 43539bc0..1e54b1c3 100644
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 module "bucket_key" {
 source = "../key"
 name = "${var.name}-bucket"
@@ -87,7 +89,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 }
 }
 data "aws_s3_bucket" "bucket_access_logs" {
- bucket = "${var.app}-${var.env}-bucket-access-log"
+ bucket = "${data.aws_caller_identity.current.account_id}-bucket-access-logs"
 }
 resource "aws_s3_bucket_logging" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf
index e13b1837..71853d53 100644
--- a/terraform/modules/bucket/variables.tf
+++ b/terraform/modules/bucket/variables.tf
@@ -8,21 +8,3 @@ variable "cross_account_read_roles" {
 type = list(any)
 default = []
 }
-
-variable "app" {
- description = "The application name (ab2d, bcda, dpc)"
- type = string
- validation {
- condition = contains(["ab2d", "bcda", "dpc"], var.app)
- error_message = "Valid value for app is ab2d, bcda, or dpc."
- }
-}
-
-variable "env" {
- description = "The application environment (dev, test, sbx, prod, mgmt)"
- type = string
- validation {
- condition = contains(["dev", "test", "sbx", "prod", "mgmt"], var.env)
- error_message = "Valid value for env is dev, test, sbx, prod, or mgmt."
- }
-}
From 99453cc81d706200700c02c367faf5e833f8a2d7 Mon Sep 17 00:00:00 2001
From: Maboh Christopher
Date: Tue, 23 Jul 2024 11:41:33 -0400
Subject: [PATCH 7/9] modify bucket name
---
 terraform/modules/function/main.tf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/terraform/modules/function/main.tf b/terraform/modules/function/main.tf
index a4f8bc4e..aba34b4b 100644
--- a/terraform/modules/function/main.tf
+++ b/terraform/modules/function/main.tf
@@ -146,8 +146,6 @@ module "zip_bucket" {
 "arn:aws:iam::${data.aws_ssm_parameter.sbx_account[0].value}:role/delegatedadmin/developer/${var.app}-sbx-github-actions",
 ] : []
- app = var.app
- env = var.env
 }
 resource "aws_s3_object" "empty_function_zip" {
From 2cd8823745165004f559415ead8d6c165beee836 Mon Sep 17 00:00:00 2001
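Review bot: The target bucket name is now built from `data.aws_caller_identity.current.account_id` plus a hard-coded `-bucket-access-logs` suffix, so the module quietly encodes a naming convention that must match whatever provisions the central bucket, and nothing in the module states that dependency. Because this is a data source the plan fails if the bucket is missing, which is the right fail-fast behaviour, but the convention itself appears to be defined somewhere outside this view, so I'd spell out the contract on the block: `# One central access-log bucket per account, named "<account-id>-bucket-access-logs", is expected to be provisioned outside this module; plan fails if it does not exist.` If the same literal is repeated on the provisioning side, consider lifting it into a `locals` entry so the convention is written once. The enclosing file continues outside the hunk.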
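Review bot: Removing `variable "app"` and `variable "env"` here while `terraform/modules/function/main.tf` (added in patch 3) and `terraform/services/tfstate/main.tf` (added in patch 4) still pass `app = var.app` / `env = var.env` leaves the intermediate commits failing validation with an unsupported-argument error until patches 7 and 8 take the callers back out. The three changes are one logical revert of the `app`/`env` plumbing and would be cleaner squashed into a single commit so every point in history plans cleanly.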
From: Maboh Christopher
Date: Tue, 23 Jul 2024 12:12:20 -0400
Subject: [PATCH 8/9] modify bucket name
---
 terraform/services/tfstate/main.tf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/terraform/services/tfstate/main.tf b/terraform/services/tfstate/main.tf
index 17e0d258..5296eee8 100644
--- a/terraform/services/tfstate/main.tf
+++ b/terraform/services/tfstate/main.tf
@@ -5,8 +5,6 @@ locals {
 module "tfstate_bucket" {
 source = "../../modules/bucket"
 name = local.name
- app = var.app
- env = var.env
 }
 module "tfstate_table" {
From e6d810f77370a85a07e259e9efd0e56a787a5c7d Mon Sep 17 00:00:00 2001
From: Maboh Christopher
Date: Tue, 23 Jul 2024 13:12:09 -0400
Subject: [PATCH 9/9] modify bucket name
---
 terraform/modules/function/main.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/modules/function/main.tf b/terraform/modules/function/main.tf
index aba34b4b..cc243859 100644
--- a/terraform/modules/function/main.tf
+++ b/terraform/modules/function/main.tf
@@ -145,7 +145,6 @@ module "zip_bucket" {
 "arn:aws:iam::${data.aws_ssm_parameter.prod_account[0].value}:role/delegatedadmin/developer/${var.app}-prod-github-actions",
 "arn:aws:iam::${data.aws_ssm_parameter.sbx_account[0].value}:role/delegatedadmin/developer/${var.app}-sbx-github-actions",
 ] : []
-
 }
 resource "aws_s3_object" "empty_function_zip" {