From b1f203e8e0c6b4bda4a0394620ee02522ce65686 Mon Sep 17 00:00:00 2001
From: korrapati-kris
Date: Thu, 15 Jun 2023 05:16:55 -0400
Subject: [PATCH] QPPSE-629: Added tf code for terraform state bucket.

---
 .../.terraform.lock.hcl | 25 +++++++
 .../terraform/terraform-state-bucket/main.tf | 22 ++++++
 .../terraform-state-bucket/state-bucket.tf | 73 +++++++++++++++++++
 .../terraform-state-bucket/variables.tf | 44 +++++++++++
 4 files changed, 164 insertions(+)
 create mode 100644 infrastructure/terraform/terraform-state-bucket/.terraform.lock.hcl
 create mode 100644 infrastructure/terraform/terraform-state-bucket/main.tf
 create mode 100644 infrastructure/terraform/terraform-state-bucket/state-bucket.tf
 create mode 100644 infrastructure/terraform/terraform-state-bucket/variables.tf

diff --git a/infrastructure/terraform/terraform-state-bucket/.terraform.lock.hcl b/infrastructure/terraform/terraform-state-bucket/.terraform.lock.hcl
new file mode 100644
index 000000000..0abb40374
--- /dev/null
+++ b/infrastructure/terraform/terraform-state-bucket/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "4.67.0"
+ constraints = "4.67.0"
+ hashes = [
+ "h1:P43vwcDPG99x5WBbmqwUPgfJrfXf6/ucAIbGlRb7k1w=",
+ "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060",
+ "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6",
+ "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183",
+ "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1",
+ "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29",
+ "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7",
+ "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043",
+ "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362",
+ "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf",
+ "zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b",
+ "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c",
+ "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c",
+ "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d",
+ ]
+}
diff --git a/infrastructure/terraform/terraform-state-bucket/main.tf b/infrastructure/terraform/terraform-state-bucket/main.tf
new file mode 100644
index 000000000..d86b54b99
--- /dev/null
+++ b/infrastructure/terraform/terraform-state-bucket/main.tf
@@ -0,0 +1,22 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "=4.67.0"
+ }
+ }
+ required_version = "1.0.0"
+}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+terraform {
+ backend "s3" {
+ bucket = "qppsf-conversion-tool-tf-state"
+ key = "qppsf/conversion-tool-tf-state-bucket.tfstate"
+ region = "us-east-1"
+ encrypt = "true"
+ }
+}
\ No newline at end of file
diff --git a/infrastructure/terraform/terraform-state-bucket/state-bucket.tf b/infrastructure/terraform/terraform-state-bucket/state-bucket.tf
new file mode 100644
index 000000000..aa4d24edf
--- /dev/null
+++ b/infrastructure/terraform/terraform-state-bucket/state-bucket.tf
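Review bot: The `backend "s3"` block configures no state locking, so two concurrent applies against `qppsf/conversion-tool-tf-state-bucket.tfstate` can race and corrupt the state; for Terraform 1.0.0 that is a `dynamodb_table = "<state-lock-table-name>"` entry in the backend block (placeholder name), with the table created alongside the bucket. The backend also points at the very bucket this module creates, so the first apply has to run with local state and then migrate with `terraform init -migrate-state`; a comment on the backend block, `# Bootstrap: this bucket does not exist on the first apply; run with local state, then terraform init -migrate-state`, would spare the next operator that discovery. `region = "us-east-1"` in the provider block duplicates `var.region` from variables.tf and should read `region = var.region`. `encrypt = "true"` is a string where the argument is a boolean; `encrypt = true` is the idiomatic form.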
@@ -0,0 +1,73 @@
+resource "aws_s3_bucket" "terraform-state-bucket" {
+ bucket = "qppsf-conversion-tool-tf-state"
+
+ tags = {
+ "Name" = "qppsf-conversion-tool-tf-state"
+ "qpp:owner" = var.owner
+ "qpp:environment" = var.environment
+ "qpp:Name" = "qppsf-ct"
+ "qpp:pagerduty-email" = var.pagerduty_email
+ "qpp:sensitivity" = var.sensitivity
+ "qpp:application" = "qppsf-ct"
+ "qpp:description" = "Conversion-Tools Terraform State Bucket"
+ "qpp-cross-acc-s3-replication" = "us-east-1"
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "terraform-state-bucket_public_block" {
+ bucket = aws_s3_bucket.terraform-state-bucket.id
+
+ restrict_public_buckets = true
+ ignore_public_acls = true
+ block_public_acls = true
+ block_public_policy = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "terraform-state-bucket_encryption" {
+ bucket = aws_s3_bucket.terraform-state-bucket.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ bucket_key_enabled = false
+ }
+}
+
+resource "aws_s3_bucket_versioning" "terraform-state-bucket_versioning" {
+ bucket = aws_s3_bucket.terraform-state-bucket.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_policy" "terraform-state-bucket_bucket_policy" {
+ bucket = aws_s3_bucket.terraform-state-bucket.id
+ policy = data.aws_iam_policy_document.terraform-state-bucket_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "terraform-state-bucket_bucket_policy" {
+ statement {
+ sid = "AllowSSLRequestsOnly"
+ effect = "Deny"
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ actions = [
+ "s3:*",
+ ]
+
+ resources = [
+ aws_s3_bucket.terraform-state-bucket.arn,
+ "${aws_s3_bucket.terraform-state-bucket.arn}/*",
+ ]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
+}
\ No newline at end of file
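Review bot: Terraform state written to this bucket will carry in plaintext whatever secrets the consuming modules emit, and `sse_algorithm = "AES256"` (SSE-S3) encrypts at rest without any key policy that can independently restrict who may decrypt; a customer-managed KMS key (`sse_algorithm = "aws:kms"` plus `kms_master_key_id`) adds that second control and makes `bucket_key_enabled`, currently `false` and a no-op under SSE-S3, worth enabling. Versioning is turned on with no `aws_s3_bucket_lifecycle_configuration`, so superseded state versions — including ones holding since-rotated credentials — are retained indefinitely; a noncurrent-version expiration rule bounds that window. The bucket name is repeated in `bucket` and the `Name` tag; a `locals` entry would keep them in sync (main.tf's backend block cannot reference it and stays literal). The `qpp-cross-acc-s3-replication` tag suggests replication to another account, but no `aws_s3_bucket_replication_configuration` appears in this commit; if replication is driven externally by that tag, a comment saying so would help, otherwise the tag is misleading.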
diff --git a/infrastructure/terraform/terraform-state-bucket/variables.tf b/infrastructure/terraform/terraform-state-bucket/variables.tf
new file mode 100644
index 000000000..548edc14d
--- /dev/null
+++ b/infrastructure/terraform/terraform-state-bucket/variables.tf
@@ -0,0 +1,44 @@
+variable "region" {
+ description = "The AWS region to use"
+ type = string
+ default = "us-east-1"
+}
+
+variable "project_name" {
+ description = "Team or Project"
+ type = string
+ default = "qppsf-ct"
+}
+
+variable "environment" {
+ description = "Name of the Environment"
+ type = string
+ default = "common"
+}
+
+variable "owner" {
+ description = "Resource Owner"
+ type = string
+ default = "qpp-final-scoring-devops@semanticbits.com"
+}
+
+variable "pagerduty_email" {
+ description = "Team pagerduty notifications email endpoint"
+ type = string
+ default = "qpp-final-scoring-devops@semanticbits.com"
+}
+
+variable "application" {
+ type = string
+ default = "qpp-conversion-tools"
+}
+
+variable "sensitivity" {
+ type = string
+ default = "confidential"
+}
+
+variable "git-origin" {
+ type = string
+ default = "https://https://github.com/CMSgov/qpp-conversion-tool.git"
+}
\ No newline at end of file
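Review bot: The default for `git-origin` is `"https://https://github.com/CMSgov/qpp-conversion-tool.git"`, a doubled scheme that is not a valid URL; it should be `default = "https://github.com/CMSgov/qpp-conversion-tool.git"`. `git-origin` is also the only hyphenated variable name, and `git_origin` would match the snake_case of the other seven. `application`, `sensitivity` and `git-origin` have no `description`, unlike the first five variables. Since this commit creates all four files of the module, `region`, `project_name`, `application` and `git-origin` appear to be unreferenced — main.tf hardcodes `us-east-1` rather than reading `var.region`, and the `qpp:application` tag in state-bucket.tf hardcodes `qppsf-ct`, the default of `var.project_name`, rather than reading a variable.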