From 43d2eb36cb248669bcdb8bd400a8ab35b84aae49 Mon Sep 17 00:00:00 2001 
From: martynipratt Date: Thu, 23 Nov 2023 12:24:01 +0000 Subject: [PATCH] updated tagging --- terraform/modules/aws/alarms/alb/README.md | 2 +- terraform/modules/aws/alarms/alb/main.tf | 38 +- .../modules/aws/alarms/autoscaling/README.md | 2 +- .../modules/aws/alarms/autoscaling/main.tf | 12 +- terraform/modules/aws/alarms/ebs/README.md | 2 +- terraform/modules/aws/alarms/ebs/main.tf | 14 +- terraform/modules/aws/alarms/ec2/README.md | 2 +- terraform/modules/aws/alarms/ec2/main.tf | 14 +- terraform/modules/aws/alarms/elb/README.md | 2 +- terraform/modules/aws/alarms/elb/main.tf | 66 +-- .../modules/aws/alarms/natgateway/README.md | 4 +- .../modules/aws/alarms/natgateway/main.tf | 24 +- terraform/modules/aws/alarms/rds/README.md | 2 +- terraform/modules/aws/alarms/rds/main.tf | 32 +- .../modules/aws/iam/gds_user_role/README.md | 4 +- .../modules/aws/iam/gds_user_role/main.tf | 4 +- terraform/modules/aws/iam/role_user/README.md | 4 +- terraform/modules/aws/iam/role_user/main.tf | 4 +- terraform/modules/aws/lb/README.md | 10 +- terraform/modules/aws/lb/main.tf | 192 ++++---- .../modules/aws/lb_listener_rules/README.md | 6 +- .../modules/aws/lb_listener_rules/main.tf | 76 ++-- terraform/modules/aws/network/nat/README.md | 2 +- terraform/modules/aws/network/nat/main.tf | 20 +- .../aws/network/private_subnet/README.md | 8 +- .../aws/network/private_subnet/main.tf | 56 +-- .../aws/network/public_subnet/README.md | 6 +- .../modules/aws/network/public_subnet/main.tf | 30 +- terraform/modules/aws/network/vpc/README.md | 2 +- terraform/modules/aws/network/vpc/main.tf | 32 +- terraform/modules/aws/node_group/README.md | 12 +- terraform/modules/aws/node_group/main.tf | 157 ++++--- terraform/modules/aws/rds_instance/README.md | 8 +- terraform/modules/aws/rds_instance/main.tf | 172 +++---- terraform/projects/app-apt/README.md | 2 +- terraform/projects/app-apt/main.tf | 118 ++--- terraform/projects/app-apt/remote_state.tf | 38 +- .../projects/app-apt/user_data_snippets.tf | 8 +- 
terraform/projects/app-asset-master/main.tf | 4 + terraform/projects/app-backend-redis/main.tf | 20 +- .../app-backend-redis/remote_state.tf | 14 +- terraform/projects/app-ci-agents/README.md | 4 +- terraform/projects/app-ci-agents/main.tf | 398 +++++++++-------- .../projects/app-ci-agents/remote_state.tf | 38 +- .../app-ci-agents/user_data_snippets.tf | 8 +- terraform/projects/app-ci-master/README.md | 6 +- terraform/projects/app-ci-master/main.tf | 156 +++---- .../projects/app-ci-master/remote_state.tf | 38 +- .../app-ci-master/user_data_snippets.tf | 8 +- .../app-content-data-api-db-admin/README.md | 2 +- .../app-content-data-api-db-admin/main.tf | 38 +- .../remote_state.tf | 38 +- .../user_data_snippets.tf | 8 +- .../app-content-data-api-postgresql/main.tf | 62 +-- .../remote_state.tf | 38 +- terraform/projects/app-db-admin/README.md | 2 +- terraform/projects/app-db-admin/main.tf | 132 +++--- .../projects/app-db-admin/remote_state.tf | 38 +- .../app-db-admin/user_data_snippets.tf | 8 +- terraform/projects/app-deploy/README.md | 2 +- terraform/projects/app-deploy/main.tf | 150 ++++--- terraform/projects/app-deploy/remote_state.tf | 50 +-- .../projects/app-deploy/user_data_snippets.tf | 8 +- .../projects/app-docker-management/README.md | 2 +- .../projects/app-docker-management/main.tf | 46 +- .../app-docker-management/remote_state.tf | 38 +- .../user_data_snippets.tf | 8 +- terraform/projects/app-elasticsearch6/main.tf | 15 +- terraform/projects/app-gatling/README.md | 4 +- terraform/projects/app-gatling/main.tf | 74 +-- .../projects/app-gatling/remote_state.tf | 38 +- .../app-gatling/user_data_snippets.tf | 8 +- .../projects/app-govuk-attachments/README.md | 2 +- .../projects/app-govuk-attachments/main.tf | 51 ++- terraform/projects/app-govuk-rds/main.tf | 3 + terraform/projects/app-govuk-rds/rds.tf | 16 +- terraform/projects/app-graphite/README.md | 2 +- terraform/projects/app-graphite/main.tf | 148 +++--- .../projects/app-graphite/remote_state.tf | 38 +- 
.../app-graphite/user_data_snippets.tf | 8 +- terraform/projects/app-jumpbox/README.md | 2 +- terraform/projects/app-jumpbox/main.tf | 64 +-- .../projects/app-jumpbox/remote_state.tf | 38 +- .../app-jumpbox/user_data_snippets.tf | 8 +- .../projects/app-licensify-backend/README.md | 4 +- .../projects/app-licensify-backend/main.tf | 62 +-- .../app-licensify-backend/remote_state.tf | 38 +- .../user_data_snippets.tf | 8 +- .../projects/app-licensify-documentdb/main.tf | 66 +-- .../app-licensify-documentdb/remote_state.tf | 8 +- .../projects/app-licensify-frontend/README.md | 4 +- .../projects/app-licensify-frontend/main.tf | 74 +-- .../app-licensify-frontend/remote_state.tf | 38 +- .../user_data_snippets.tf | 8 +- terraform/projects/app-mongo/README.md | 2 +- terraform/projects/app-mongo/main.tf | 252 ++++++----- terraform/projects/app-mongo/remote_state.tf | 38 +- .../projects/app-mongo/user_data_snippets.tf | 8 +- terraform/projects/app-monitoring/README.md | 2 +- terraform/projects/app-monitoring/main.tf | 114 ++--- .../projects/app-monitoring/remote_state.tf | 38 +- .../app-monitoring/user_data_snippets.tf | 8 +- terraform/projects/app-prometheus/README.md | 2 +- terraform/projects/app-prometheus/main.tf | 88 ++-- .../projects/app-prometheus/remote-state.tf | 26 +- .../app-prometheus/userdata-snippet.tf | 6 +- .../projects/app-publishing-amazonmq/main.tf | 3 + terraform/projects/app-puppetmaster/README.md | 2 +- terraform/projects/app-puppetmaster/main.tf | 96 ++-- .../projects/app-puppetmaster/remote_state.tf | 38 +- .../app-puppetmaster/user_data_snippets.tf | 8 +- terraform/projects/app-related-links/main.tf | 90 ++-- .../app-related-links/remote-state.tf | 44 +- .../projects/app-router-backend/README.md | 2 +- terraform/projects/app-router-backend/main.tf | 28 ++ .../app-router-backend/user_data_snippets.tf | 2 +- terraform/projects/app-search/README.md | 2 +- terraform/projects/app-search/main.tf | 16 + .../projects/app-search/user_data_snippets.tf | 2 +- 
.../projects/app-shared-documentdb/main.tf | 74 +-- .../app-shared-documentdb/remote_state.tf | 16 +- .../app-transition-db-admin/README.md | 2 +- .../projects/app-transition-db-admin/main.tf | 70 +-- .../app-transition-db-admin/remote_state.tf | 38 +- .../user_data_snippets.tf | 8 +- .../app-transition-postgresql/main.tf | 84 ++-- .../app-transition-postgresql/remote_state.tf | 38 +- .../projects/app-whitehall-backend/README.md | 2 +- .../projects/app-whitehall-backend/main.tf | 4 + .../user_data_snippets.tf | 2 +- .../main.tf | 14 +- .../remote_state.tf | 14 +- .../projects/infra-artefact-bucket/main.tf | 106 ++--- .../infra-artefact-bucket/replication-role.tf | 6 +- terraform/projects/infra-ask-export/main.tf | 32 +- .../projects/infra-ask-export/remote_state.tf | 38 +- terraform/projects/infra-assets/main.tf | 10 +- .../infra-athena-query-results/main.tf | 4 + .../projects/infra-certificates/README.md | 4 +- terraform/projects/infra-certificates/main.tf | 50 +-- .../projects/infra-content-data-admin/main.tf | 20 +- .../infra-content-data-admin/remote_state.tf | 14 +- .../infra-content-publisher/env_sync.tf | 40 +- .../projects/infra-content-publisher/main.tf | 50 ++- .../infra-content-publisher/remote_state.tf | 14 +- terraform/projects/infra-csp-reporter/:w | 27 ++ .../infra-csp-reporter/api_gateway.tf | 12 + .../projects/infra-csp-reporter/buckets.tf | 4 + .../projects/infra-csp-reporter/firehose.tf | 4 + terraform/projects/infra-csp-reporter/glue.tf | 4 + .../projects/infra-csp-reporter/lambda.tf | 4 + terraform/projects/infra-csw/main.tf | 10 +- .../infra-cyber-security-audit/main.tf | 6 +- .../infra-database-backups-bucket/main.tf | 20 +- .../README.md | 37 +- .../datagovuk-write-policy.tf | 6 +- .../infra-datagovuk-organogram-bucket/main.tf | 113 ++--- .../infra-datagovuk-static-bucket/README.md | 2 +- .../datagovuk-write-policy.tf | 4 +- .../infra-datagovuk-static-bucket/main.tf | 24 +- .../content_publisher.tf | 6 +- 
.../infra-env-sync-and-backup/main.tf | 8 +- .../infra-env-sync-and-backup/remote_state.tf | 14 +- terraform/projects/infra-fastly-logs/main.tf | 150 ++++--- .../infra-fastly-logs/remote_state.tf | 14 +- .../infra-google-mirror-bucket/main.tf | 44 +- .../projects/infra-google-monitoring/main.tf | 24 +- .../main.tf | 14 +- .../remote_state.tf | 14 +- .../infra-graphite-backups-bucket/main.tf | 26 +- .../remote_state.tf | 14 +- .../projects/infra-mirror-bucket/README.md | 2 +- .../projects/infra-mirror-bucket/main.tf | 10 +- terraform/projects/infra-monitoring/main.tf | 112 ++--- .../projects/infra-monitoring/secondary.tf | 13 +- terraform/projects/infra-networking/README.md | 28 +- terraform/projects/infra-networking/main.tf | 170 +++---- .../projects/infra-public-services/README.md | 72 +-- .../projects/infra-public-services/main.tf | 422 +++++++++--------- .../infra-public-services/remote_state.tf | 14 +- .../projects/infra-public-services/waf.tf | 18 +- .../infra-public-wafs/backend_public_rule.tf | 4 + .../infra-public-wafs/bouncer_public_rule.tf | 4 + .../infra-public-wafs/cache_public_rule.tf | 4 + .../licensify_backend_public_rule.tf | 4 + .../licensify_frontend_public_rule.tf | 4 + .../projects/infra-public-wafs/variables.tf | 4 + .../projects/infra-root-dns-zones/main.tf | 62 +-- .../projects/infra-security-groups/README.md | 14 +- .../projects/infra-security-groups/apt.tf | 48 +- .../infra-security-groups/asset-master.tf | 8 +- .../infra-security-groups/backend-redis.tf | 20 +- .../infra-security-groups/ci-agents.tf | 180 ++++---- .../infra-security-groups/ci-master.tf | 52 ++- .../projects/infra-security-groups/ckan.tf | 44 +- .../content-data-api-db-admin.tf | 12 +- .../content-data-api-postgresql.tf | 22 +- .../infra-security-groups/db-admin.tf | 24 +- .../projects/infra-security-groups/deploy.tf | 38 +- .../docker-management.tf | 24 +- .../infra-security-groups/elasticsearch6.tf | 24 +- .../projects/infra-security-groups/gatling.tf | 24 +- 
.../infra-security-groups/graphite.tf | 58 +-- .../projects/infra-security-groups/jumpbox.tf | 12 +- .../licensify-backend.tf | 36 +- .../licensify-documentdb.tf | 14 +- .../licensify-frontend.tf | 58 +-- .../projects/infra-security-groups/main.tf | 4 +- .../infra-security-groups/management.tf | 30 +- .../infra-security-groups/mirrorer.tf | 8 +- .../projects/infra-security-groups/mongo.tf | 12 +- .../infra-security-groups/monitoring.tf | 52 ++- .../infra-security-groups/offsite_ssh.tf | 12 +- .../projects/infra-security-groups/outputs.tf | 112 ++--- .../infra-security-groups/prometheus.tf | 34 +- .../infra-security-groups/puppetmaster.tf | 32 +- .../infra-security-groups/rabbitmq.tf | 36 +- .../infra-security-groups/rate-limit-redis.tf | 8 +- .../infra-security-groups/related-links.tf | 14 +- .../infra-security-groups/remote_state.tf | 2 +- .../infra-security-groups/router-backend.tf | 16 +- .../search-ltr-generation.tf | 14 +- .../projects/infra-security-groups/search.tf | 18 +- .../shared-documentdb.tf | 12 +- .../infra-security-groups/support-api.tf | 16 +- .../transition-db-admin.tf | 20 +- .../transition-postgresql.tf | 8 +- .../infra-security-groups/variables.tf | 22 +- .../infra-specialist-publisher/main.tf | 22 +- .../remote_state.tf | 14 +- terraform/projects/infra-splunk/main.tf | 6 +- .../projects/infra-stack-dns-zones/main.tf | 38 +- terraform/projects/infra-support-api/main.tf | 22 +- .../infra-support-api/remote_state.tf | 14 +- terraform/projects/infra-vpc/main.tf | 72 +-- 235 files changed, 4251 insertions(+), 3734 deletions(-) create mode 100644 terraform/projects/infra-csp-reporter/:w diff --git a/terraform/modules/aws/alarms/alb/README.md b/terraform/modules/aws/alarms/alb/README.md index 6bee64309..9b4c402c2 100644 --- a/terraform/modules/aws/alarms/alb/README.md +++ b/terraform/modules/aws/alarms/alb/README.md 
@@ -44,7 +44,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list` | `[]` | no |
+| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list(string)` | `[]` | no |
 | [alb\_arn\_suffix](#input\_alb\_arn\_suffix) | The ALB ARN suffix for use with CloudWatch Metrics. | `string` | n/a | yes |
 | [httpcode\_elb\_4xx\_count\_threshold](#input\_httpcode\_elb\_4xx\_count\_threshold) | The value against which the HTTPCode\_ELB\_4XX\_Count metric is compared. | `string` | `"0"` | no |
 | [httpcode\_elb\_5xx\_count\_threshold](#input\_httpcode\_elb\_5xx\_count\_threshold) | The value against which the HTTPCode\_ELB\_5XX\_Count metric is compared. | `string` | `"80"` | no |
diff --git a/terraform/modules/aws/alarms/alb/main.tf b/terraform/modules/aws/alarms/alb/main.tf
index 329571787..0461cdac4 100644
--- a/terraform/modules/aws/alarms/alb/main.tf
+++ b/terraform/modules/aws/alarms/alb/main.tf
@@ -19,41 +19,41 @@
 * http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/elb-metricscollected.html#load-balancer-metric-dimensions-alb
 */
 variable "name_prefix" {
- type = "string"
+ type = string
 description = "The alarm name prefix."
 }
 variable "alarm_actions" {
- type = "list"
+ type = list(string)
 description = "The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN)."
 default = []
 }
 variable "alb_arn_suffix" {
- type = "string"
+ type = string
 description = "The ALB ARN suffix for use with CloudWatch Metrics."
 }
 variable "httpcode_target_4xx_count_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HTTPCode_Target_4XX_Count metric is compared."
 default = "0"
 }
 variable "httpcode_target_5xx_count_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HTTPCode_Target_5XX_Count metric is compared."
 default = "80"
 }
 variable "httpcode_elb_4xx_count_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HTTPCode_ELB_4XX_Count metric is compared."
 default = "0"
 }
 variable "httpcode_elb_5xx_count_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HTTPCode_ELB_5XX_Count metric is compared."
 default = "80"
 }
@@ -61,7 +61,7 @@ variable "httpcode_elb_5xx_count_threshold" {
 # Resources
 #--------------------------------------------------------------
 resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_4xx_count" {
- count = "${var.httpcode_elb_4xx_count_threshold > 0 ? 1 : 0}"
+ count = var.httpcode_elb_4xx_count_threshold > 0 ? 1 : 0
 alarm_name = "${var.name_prefix}-elb-httpcode_elb_4xx_count"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "5"
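Review bot: The threshold variables keep `type = string` while the new-side `count` expression compares them numerically (`var.httpcode_elb_4xx_count_threshold > 0`), so the module still depends on implicit string-to-number conversion and a non-numeric input only surfaces as an error inside that conditional rather than at the variable boundary. Since this hunk is already introducing first-class type constraints, `type = number` with `default = 0` / `default = 80` would let Terraform validate the input where it is declared; the same applies to the threshold variables in the autoscaling, ebs, ec2 and elb module hunks further down. Separately, the diffstat records a new 27-line file `terraform/projects/infra-csp-reporter/:w`, which looks like an accidental editor save rather than intended configuration; its contents are not in this view, so it should be inspected and removed from the commit before merge.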
@@ -69,19 +69,19 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_4xx_count" {
 namespace = "AWS/ApplicationELB"
 period = "60"
 statistic = "Sum"
- threshold = "${var.httpcode_elb_4xx_count_threshold}"
+ threshold = var.httpcode_elb_4xx_count_threshold
 actions_enabled = true
 alarm_actions = ["${var.alarm_actions}"]
 alarm_description = "This metric monitors the sum of HTTP 4XX response codes generated by the Application LB."
 treat_missing_data = "notBreaching"
 dimensions {
- LoadBalancer = "${var.alb_arn_suffix}"
+ LoadBalancer = var.alb_arn_suffix
 }
 }
 resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_5xx_count" {
- count = "${var.httpcode_elb_5xx_count_threshold > 0 ? 1 : 0}"
+ count = var.httpcode_elb_5xx_count_threshold > 0 ? 1 : 0
 alarm_name = "${var.name_prefix}-elb-httpcode_elb_5xx_count"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "5"
@@ -89,19 +89,19 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_5xx_count" {
 namespace = "AWS/ApplicationELB"
 period = "60"
 statistic = "Sum"
- threshold = "${var.httpcode_elb_5xx_count_threshold}"
+ threshold = var.httpcode_elb_5xx_count_threshold
 actions_enabled = true
 alarm_actions = ["${var.alarm_actions}"]
 alarm_description = "This metric monitors the sum of HTTP 5XX response codes generated by the Application LB."
 treat_missing_data = "notBreaching"
 dimensions {
- LoadBalancer = "${var.alb_arn_suffix}"
+ LoadBalancer = var.alb_arn_suffix
 }
 }
 resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_4xx_count" {
- count = "${var.httpcode_target_4xx_count_threshold > 0 ? 1 : 0}"
+ count = var.httpcode_target_4xx_count_threshold > 0 ? 1 : 0
 alarm_name = "${var.name_prefix}-elb-httpcode_target_4xx_count"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "5"
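Review bot: `alarm_actions = ["${var.alarm_actions}"]` is left untouched as context in both hunks here while every other interpolation in these resources is converted; now that the variable is declared `list(string)`, wrapping it in a second list is no longer flattened the way Terraform 0.11 did, so depending on the Terraform version the alarm is either rejected at plan time or created with a malformed action list, and in either case the 4XX/5XX alarms would stop notifying anyone. The line should become `alarm_actions = var.alarm_actions`, which is the form the autoscaling, ec2 and elb hunks in this same diff already use. The same applies to `dimensions {`, kept in block syntax here whereas the elb hunks use `dimensions = {`; `dimensions` is a map argument, and Terraform 0.12+ reports block syntax for it as an unsupported block type rather than accepting it. Both points recur in the target 4xx/5xx hunks of this file on the next line and in the ebs module hunk (`@@ -44,13 +44,13 @@`).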
@@ -109,19 +109,19 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_4xx_count" {
 namespace = "AWS/ApplicationELB"
 period = "60"
 statistic = "Sum"
- threshold = "${var.httpcode_target_4xx_count_threshold}"
+ threshold = var.httpcode_target_4xx_count_threshold
 actions_enabled = true
 alarm_actions = ["${var.alarm_actions}"]
 alarm_description = "This metric monitors the sum of HTTP 4XX response codes generated by the Target Groups."
 treat_missing_data = "notBreaching"
 dimensions {
- LoadBalancer = "${var.alb_arn_suffix}"
+ LoadBalancer = var.alb_arn_suffix
 }
 }
 resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_5xx_count" {
- count = "${var.httpcode_target_5xx_count_threshold > 0 ? 1 : 0}"
+ count = var.httpcode_target_5xx_count_threshold > 0 ? 1 : 0
 alarm_name = "${var.name_prefix}-elb-httpcode_target_5xx_count"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "5"
@@ -129,14 +129,14 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_5xx_count" {
 namespace = "AWS/ApplicationELB"
 period = "60"
 statistic = "Sum"
- threshold = "${var.httpcode_target_5xx_count_threshold}"
+ threshold = var.httpcode_target_5xx_count_threshold
 actions_enabled = true
 alarm_actions = ["${var.alarm_actions}"]
 alarm_description = "This metric monitors the sum of HTTP 5XX response codes generated by the Target Groups."
 treat_missing_data = "notBreaching"
 dimensions {
- LoadBalancer = "${var.alb_arn_suffix}"
+ LoadBalancer = var.alb_arn_suffix
 }
 }
diff --git a/terraform/modules/aws/alarms/autoscaling/README.md b/terraform/modules/aws/alarms/autoscaling/README.md
index 7a3b1c670..a9e83c995 100644
--- a/terraform/modules/aws/alarms/autoscaling/README.md
+++ b/terraform/modules/aws/alarms/autoscaling/README.md
@@ -36,7 +36,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list` | n/a | yes |
+| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list(string)` | n/a | yes |
 | [autoscaling\_group\_name](#input\_autoscaling\_group\_name) | The name of the AutoScalingGroup that we want to monitor. | `string` | n/a | yes |
 | [groupinserviceinstances\_threshold](#input\_groupinserviceinstances\_threshold) | The value against which the Autoscaling GroupInServiceInstaces metric is compared. | `string` | `"1"` | no |
 | [name\_prefix](#input\_name\_prefix) | The alarm name prefix. | `string` | n/a | yes |
diff --git a/terraform/modules/aws/alarms/autoscaling/main.tf b/terraform/modules/aws/alarms/autoscaling/main.tf
index 47623d9a1..77c1a9c82 100644
--- a/terraform/modules/aws/alarms/autoscaling/main.tf
+++ b/terraform/modules/aws/alarms/autoscaling/main.tf
@@ -15,23 +15,23 @@
 *
 */
 variable "name_prefix" {
- type = "string"
+ type = string
 description = "The alarm name prefix."
 }
 variable "groupinserviceinstances_threshold" {
- type = "string"
+ type = string
 description = "The value against which the Autoscaling GroupInServiceInstaces metric is compared."
 default = "1"
 }
 variable "alarm_actions" {
- type = "list"
+ type = list(string)
 description = "The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN)."
 }
 variable "autoscaling_group_name" {
- type = "string"
+ type = string
 description = "The name of the AutoScalingGroup that we want to monitor."
 }
@@ -45,7 +45,7 @@ resource "aws_cloudwatch_metric_alarm" "autoscaling_groupinserviceinstances" {
 namespace = "AWS/AutoScaling"
 period = "60"
 statistic = "Average"
- threshold = "${var.groupinserviceinstances_threshold}"
+ threshold = var.groupinserviceinstances_threshold
 actions_enabled = true
 alarm_actions = var.alarm_actions
 alarm_description = "This metric monitors instances in service in an AutoScalingGroup"
@@ -60,6 +60,6 @@ resource "aws_cloudwatch_metric_alarm" "autoscaling_groupinserviceinstances" {
 // The ID of the autoscaling GroupInServiceInstances health check.
 output "alarm_autoscaling_groupinserviceinstances_id" {
- value = "${aws_cloudwatch_metric_alarm.autoscaling_groupinserviceinstances.id}"
+ value = aws_cloudwatch_metric_alarm.autoscaling_groupinserviceinstances.id
 description = "The ID of the autoscaling GroupInServiceInstances health check."
 }
diff --git a/terraform/modules/aws/alarms/ebs/README.md b/terraform/modules/aws/alarms/ebs/README.md
index 795798a06..ba2e1898b 100644
--- a/terraform/modules/aws/alarms/ebs/README.md
+++ b/terraform/modules/aws/alarms/ebs/README.md
@@ -36,7 +36,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list` | n/a | yes |
+| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list(string)` | n/a | yes |
 | [name\_prefix](#input\_name\_prefix) | The alarm name prefix. | `string` | n/a | yes |
 | [volume\_id](#input\_volume\_id) | The ID of the EBS volume that we want to monitor. | `string` | n/a | yes |
 | [volumequeuelength\_threshold](#input\_volumequeuelength\_threshold) | The value against which the EBS VolumeQueueLength metric is compared. | `string` | `"10"` | no |
diff --git a/terraform/modules/aws/alarms/ebs/main.tf b/terraform/modules/aws/alarms/ebs/main.tf
index f6bb6e773..7a91e75e8 100644
--- a/terraform/modules/aws/alarms/ebs/main.tf
+++ b/terraform/modules/aws/alarms/ebs/main.tf
@@ -14,23 +14,23 @@
 * http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ebs-metricscollected.html
 */
 variable "name_prefix" {
- type = "string"
+ type = string
 description = "The alarm name prefix."
 }
 variable "volumequeuelength_threshold" {
- type = "string"
+ type = string
 description = "The value against which the EBS VolumeQueueLength metric is compared."
 default = "10"
 }
 variable "alarm_actions" {
- type = "list"
+ type = list(string)
 description = "The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN)."
 }
 variable "volume_id" {
- type = "string"
+ type = string
 description = "The ID of the EBS volume that we want to monitor."
 }
@@ -44,13 +44,13 @@ resource "aws_cloudwatch_metric_alarm" "ebs_volumequeuelength" {
 namespace = "AWS/EBS"
 period = "120"
 statistic = "Average"
- threshold = "${var.volumequeuelength_threshold}"
+ threshold = var.volumequeuelength_threshold
 actions_enabled = true
 alarm_actions = ["${var.alarm_actions}"]
 alarm_description = "This metric monitors the number of read and write operation requests waiting to be completed in an EBS volume"
 dimensions {
- VolumeId = "${var.volume_id}"
+ VolumeId = var.volume_id
 }
 }
@@ -59,6 +59,6 @@ resource "aws_cloudwatch_metric_alarm" "ebs_volumequeuelength" {
 // The ID of the EBS VolumeQueueLength health check.
 output "alarm_ebs_volumequeuelength_id" {
- value = "${aws_cloudwatch_metric_alarm.ebs_volumequeuelength.id}"
+ value = aws_cloudwatch_metric_alarm.ebs_volumequeuelength.id
 description = "The ID of the EBS VolumeQueueLength health check."
 }
diff --git a/terraform/modules/aws/alarms/ec2/README.md b/terraform/modules/aws/alarms/ec2/README.md
index d48c7553f..53be37f88 100644
--- a/terraform/modules/aws/alarms/ec2/README.md
+++ b/terraform/modules/aws/alarms/ec2/README.md
@@ -40,7 +40,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list` | n/a | yes |
+| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list(string)` | n/a | yes |
 | [autoscaling\_group\_name](#input\_autoscaling\_group\_name) | The name of the AutoScalingGroup that we want to monitor. | `string` | n/a | yes |
 | [cpuutilization\_threshold](#input\_cpuutilization\_threshold) | The value against which the CPUUtilization metric is compared, in percent. | `string` | `"80"` | no |
 | [name\_prefix](#input\_name\_prefix) | The alarm name prefix. | `string` | n/a | yes |
diff --git a/terraform/modules/aws/alarms/ec2/main.tf b/terraform/modules/aws/alarms/ec2/main.tf
index 130cc383f..5868e4173 100644
--- a/terraform/modules/aws/alarms/ec2/main.tf
+++ b/terraform/modules/aws/alarms/ec2/main.tf
@@ -17,23 +17,23 @@
 * http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ec2-metricscollected.html
 */
 variable "name_prefix" {
- type = "string"
+ type = string
 description = "The alarm name prefix."
 }
 variable "cpuutilization_threshold" {
- type = "string"
+ type = string
 description = "The value against which the CPUUtilization metric is compared, in percent."
 default = "80"
 }
 variable "alarm_actions" {
- type = "list"
+ type = list(string)
 description = "The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN)."
 }
 variable "autoscaling_group_name" {
- type = "string"
+ type = string
 description = "The name of the AutoScalingGroup that we want to monitor."
 }
@@ -47,7 +47,7 @@ resource "aws_cloudwatch_metric_alarm" "ec2_cpuutilization" {
 namespace = "AWS/EC2"
 period = "120"
 statistic = "Average"
- threshold = "${var.cpuutilization_threshold}"
+ threshold = var.cpuutilization_threshold
 actions_enabled = true
 alarm_actions = var.alarm_actions
 alarm_description = "This metric monitors CPU utilization in an instance"
@@ -80,12 +80,12 @@ resource "aws_cloudwatch_metric_alarm" "ec2_statuscheckfailed_instance" {
 // The ID of the instance CPUUtilization health check.
 output "alarm_ec2_cpuutilization_id" {
- value = "${aws_cloudwatch_metric_alarm.ec2_cpuutilization.id}"
+ value = aws_cloudwatch_metric_alarm.ec2_cpuutilization.id
 description = "The ID of the instance CPUUtilization health check."
 }
 // The ID of the instance StatusCheckFailed_Instance health check.
 output "alarm_ec2_statuscheckfailed_instance_id" {
- value = "${aws_cloudwatch_metric_alarm.ec2_statuscheckfailed_instance.id}"
+ value = aws_cloudwatch_metric_alarm.ec2_statuscheckfailed_instance.id
 description = "The ID of the instance StatusCheckFailed_Instance health check."
 }
diff --git a/terraform/modules/aws/alarms/elb/README.md b/terraform/modules/aws/alarms/elb/README.md
index 8754d4c0d..f16b1af14 100644
--- a/terraform/modules/aws/alarms/elb/README.md
+++ b/terraform/modules/aws/alarms/elb/README.md
@@ -59,7 +59,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list` | n/a | yes |
+| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list(string)` | n/a | yes |
 | [elb\_name](#input\_elb\_name) | The name of the ELB that we want to monitor. | `string` | n/a | yes |
 | [healthyhostcount\_threshold](#input\_healthyhostcount\_threshold) | The value against which the HealthyHostCount metric is compared. | `string` | `"0"` | no |
 | [httpcode\_backend\_4xx\_threshold](#input\_httpcode\_backend\_4xx\_threshold) | The value against which the HTTPCode\_Backend\_4XX metric is compared. | `string` | `"80"` | no |
diff --git a/terraform/modules/aws/alarms/elb/main.tf b/terraform/modules/aws/alarms/elb/main.tf
index 2cfa03051..d111dba7c 100644
--- a/terraform/modules/aws/alarms/elb/main.tf
+++ b/terraform/modules/aws/alarms/elb/main.tf
@@ -32,52 +32,52 @@
 * http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/elb-metricscollected.html
 */
 variable "name_prefix" {
- type = "string"
+ type = string
 description = "The alarm name prefix."
 }
 variable "alarm_actions" {
- type = "list"
+ type = list(string)
 description = "The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN)."
 }
 variable "elb_name" {
- type = "string"
+ type = string
 description = "The name of the ELB that we want to monitor."
 }
 variable "httpcode_backend_4xx_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HTTPCode_Backend_4XX metric is compared."
 default = "80"
 }
 variable "httpcode_backend_5xx_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HTTPCode_Backend_5XX metric is compared."
 default = "80"
 }
 variable "httpcode_elb_4xx_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HTTPCode_ELB_4XX metric is compared."
 default = "80"
 }
 variable "httpcode_elb_5xx_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HTTPCode_ELB_5XX metric is compared."
 default = "80"
 }
 variable "surgequeuelength_threshold" {
- type = "string"
+ type = string
 description = "The value against which the SurgeQueueLength metric is compared. The maximum size of the queue is 1,024. Additional requests are rejected when the queue is full."
 default = "0"
 }
 variable "healthyhostcount_threshold" {
- type = "string"
+ type = string
 description = "The value against which the HealthyHostCount metric is compared."
 default = "0"
 }
@@ -85,7 +85,7 @@ variable "healthyhostcount_threshold" {
 # Resources
 #--------------------------------------------------------------
 resource "aws_cloudwatch_metric_alarm" "elb_httpcode_backend_4xx" {
- count = "${var.httpcode_backend_4xx_threshold > 0 ? 1 : 0}"
+ count = var.httpcode_backend_4xx_threshold > 0 ? 1 : 0
 alarm_name = "${var.name_prefix}-elb-httpcode_backend_4xx"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "5"
@@ -93,9 +93,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_backend_4xx" {
 namespace = "AWS/ELB"
 period = "60"
 statistic = "Sum"
- threshold = "${var.httpcode_backend_4xx_threshold}"
+ threshold = var.httpcode_backend_4xx_threshold
 actions_enabled = true
- alarm_actions = "${var.alarm_actions}"
+ alarm_actions = var.alarm_actions
 alarm_description = "This metric monitors the sum of HTTP 4XX response codes generated by registered instances."
 dimensions = {
@@ -104,7 +104,7 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_backend_4xx" {
 }
 resource "aws_cloudwatch_metric_alarm" "elb_httpcode_backend_5xx" {
- count = "${var.httpcode_backend_5xx_threshold > 0 ? 1 : 0}"
+ count = var.httpcode_backend_5xx_threshold > 0 ? 1 : 0
 alarm_name = "${var.name_prefix}-elb-httpcode_backend_5xx"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "5"
@@ -112,9 +112,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_backend_5xx" {
 namespace = "AWS/ELB"
 period = "60"
 statistic = "Sum"
- threshold = "${var.httpcode_backend_5xx_threshold}"
+ threshold = var.httpcode_backend_5xx_threshold
 actions_enabled = true
- alarm_actions = "${var.alarm_actions}"
+ alarm_actions = var.alarm_actions
 alarm_description = "This metric monitors the sum of HTTP 5XX response codes generated by registered instances."
 treat_missing_data = "notBreaching"
@@ -124,7 +124,7 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_backend_5xx" { } resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_4xx" { - count = "${var.httpcode_elb_4xx_threshold > 0 ? 1 : 0}" + count = var.httpcode_elb_4xx_threshold > 0 ? 1 : 0 alarm_name = "${var.name_prefix}-elb-httpcode_elb_4xx" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" @@ -132,9 +132,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_4xx" { namespace = "AWS/ELB" period = "60" statistic = "Sum" - threshold = "${var.httpcode_elb_4xx_threshold}" + threshold = var.httpcode_elb_4xx_threshold actions_enabled = true - alarm_actions = "${var.alarm_actions}" + alarm_actions = var.alarm_actions alarm_description = "This metric monitors the sum of HTTP 4XX server error codes generated by the load balancer." treat_missing_data = "notBreaching" @@ -144,7 +144,7 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_4xx" { } resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_5xx" { - count = "${var.httpcode_elb_5xx_threshold > 0 ? 1 : 0}" + count = var.httpcode_elb_5xx_threshold > 0 ? 1 : 0 alarm_name = "${var.name_prefix}-elb-httpcode_elb_5xx" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" @@ -152,9 +152,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_5xx" { namespace = "AWS/ELB" period = "60" statistic = "Sum" - threshold = "${var.httpcode_elb_5xx_threshold}" + threshold = var.httpcode_elb_5xx_threshold actions_enabled = true - alarm_actions = "${var.alarm_actions}" + alarm_actions = var.alarm_actions alarm_description = "This metric monitors the sum of HTTP 5XX server error codes generated by the load balancer." treat_missing_data = "notBreaching" 
@@ -164,7 +164,7 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_5xx" { } resource "aws_cloudwatch_metric_alarm" "elb_surgequeuelength" { - count = "${var.surgequeuelength_threshold > 0 ? 1 : 0}" + count = var.surgequeuelength_threshold > 0 ? 1 : 0 alarm_name = "${var.name_prefix}-elb-surgequeuelength" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" @@ -172,9 +172,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_surgequeuelength" { namespace = "AWS/ELB" period = "60" statistic = "Maximum" - threshold = "${var.surgequeuelength_threshold}" + threshold = var.surgequeuelength_threshold actions_enabled = true - alarm_actions = "${var.alarm_actions}" + alarm_actions = var.alarm_actions alarm_description = "This metric monitors maximum number of requests that are pending routing." dimensions = { @@ -183,7 +183,7 @@ resource "aws_cloudwatch_metric_alarm" "elb_surgequeuelength" { } resource "aws_cloudwatch_metric_alarm" "elb_healthyhostcount" { - count = "${var.healthyhostcount_threshold > 0 ? 1 : 0}" + count = var.healthyhostcount_threshold > 0 ? 1 : 0 alarm_name = "${var.name_prefix}-elb-healthyhostcount" comparison_operator = "LessThanThreshold" evaluation_periods = "5" @@ -191,9 +191,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_healthyhostcount" { namespace = "AWS/ELB" period = "60" statistic = "Maximum" - threshold = "${var.healthyhostcount_threshold}" + threshold = var.healthyhostcount_threshold actions_enabled = true - alarm_actions = "${var.alarm_actions}" + alarm_actions = var.alarm_actions alarm_description = "This metric monitors maximum number of healthy instances registered with your load balancer." dimensions = { 
@@ -206,36 +206,36 @@ resource "aws_cloudwatch_metric_alarm" "elb_healthyhostcount" { // The ID of the ELB HTTPCode_Backend_4XX health check. output "alarm_elb_httpcode_backend_4xx_id" { - value = "${aws_cloudwatch_metric_alarm.elb_httpcode_backend_4xx.*.id}" + value = aws_cloudwatch_metric_alarm.elb_httpcode_backend_4xx.*.id description = "The ID of the ELB HTTPCode_Backend_4XX health check." } // The ID of the ELB HTTPCode_Backend_5XX health check. output "alarm_elb_httpcode_backend_5xx_id" { - value = "${aws_cloudwatch_metric_alarm.elb_httpcode_backend_5xx.*.id}" + value = aws_cloudwatch_metric_alarm.elb_httpcode_backend_5xx.*.id description = "The ID of the ELB HTTPCode_Backend_5XX health check." } // The ID of the ELB HTTPCode_ELB_4XX health check. output "alarm_elb_httpcode_elb_4xx_id" { - value = "${aws_cloudwatch_metric_alarm.elb_httpcode_elb_4xx.*.id}" + value = aws_cloudwatch_metric_alarm.elb_httpcode_elb_4xx.*.id description = "The ID of the ELB HTTPCode_ELB_4XX health check." } // The ID of the ELB HTTPCode_ELB_5XX health check. output "alarm_elb_httpcode_elb_5xx_id" { - value = "${aws_cloudwatch_metric_alarm.elb_httpcode_elb_5xx.*.id}" + value = aws_cloudwatch_metric_alarm.elb_httpcode_elb_5xx.*.id description = "The ID of the ELB HTTPCode_ELB_5XX health check." } // The ID of the ELB SurgeQueueLength health check. output "alarm_elb_surgequeuelength_id" { - value = "${aws_cloudwatch_metric_alarm.elb_surgequeuelength.*.id}" + value = aws_cloudwatch_metric_alarm.elb_surgequeuelength.*.id description = "The ID of the ELB SurgeQueueLength health check." } // The ID of the ELB HealthyHostCount health check. output "alarm_elb_healthyhostcount_id" { - value = "${aws_cloudwatch_metric_alarm.elb_healthyhostcount.*.id}" + value = aws_cloudwatch_metric_alarm.elb_healthyhostcount.*.id description = "The ID of the ELB HealthyHostCount health check." } 
diff --git a/terraform/modules/aws/alarms/natgateway/README.md b/terraform/modules/aws/alarms/natgateway/README.md index db3e26ad6..ae2b74fc3 100644 --- a/terraform/modules/aws/alarms/natgateway/README.md +++ b/terraform/modules/aws/alarms/natgateway/README.md @@ -38,10 +38,10 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list` | n/a | yes | +| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list(string)` | n/a | yes | | [errorportallocation\_threshold](#input\_errorportallocation\_threshold) | The value against which the ErrorPortAllocation metric is compared. | `string` | `"10"` | no | | [name\_prefix](#input\_name\_prefix) | The alarm name prefix. | `string` | n/a | yes | -| [nat\_gateway\_ids](#input\_nat\_gateway\_ids) | List of IDs of the NAT Gateways that we want to monitor. | `list` | n/a | yes | +| [nat\_gateway\_ids](#input\_nat\_gateway\_ids) | List of IDs of the NAT Gateways that we want to monitor. | `list(string)` | n/a | yes | | [nat\_gateway\_ids\_length](#input\_nat\_gateway\_ids\_length) | Length of the list of IDs of the NAT Gateways that we want to monitor. | `string` | n/a | yes | | [packetsdropcount\_threshold](#input\_packetsdropcount\_threshold) | The value against which the PacketsDropCount metric is compared. | `string` | `"100"` | no | diff --git a/terraform/modules/aws/alarms/natgateway/main.tf b/terraform/modules/aws/alarms/natgateway/main.tf index 23840d4e9..f561867ab 100644 --- a/terraform/modules/aws/alarms/natgateway/main.tf +++ b/terraform/modules/aws/alarms/natgateway/main.tf 
@@ -15,33 +15,33 @@ * http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/nat-gateway-metricscollected.html */ variable "name_prefix" { - type = "string" + type = string description = "The alarm name prefix." } variable "alarm_actions" { - type = "list" + type = list(string) description = "The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN)." } variable "nat_gateway_ids" { - type = "list" + type = list(string) description = "List of IDs of the NAT Gateways that we want to monitor." } variable "nat_gateway_ids_length" { - type = "string" + type = string description = "Length of the list of IDs of the NAT Gateways that we want to monitor." } variable "errorportallocation_threshold" { - type = "string" + type = string description = "The value against which the ErrorPortAllocation metric is compared." default = "10" } variable "packetsdropcount_threshold" { - type = "string" + type = string description = "The value against which the PacketsDropCount metric is compared." default = "100" } @@ -49,7 +49,7 @@ variable "packetsdropcount_threshold" { # Resources #-------------------------------------------------------------- resource "aws_cloudwatch_metric_alarm" "natgateway_errorportallocation" { - count = "${var.nat_gateway_ids_length}" + count = var.nat_gateway_ids_length alarm_name = "${var.name_prefix}-natgateway-errorportallocation-${var.nat_gateway_ids[count.index]}" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" @@ -57,7 +57,7 @@ resource "aws_cloudwatch_metric_alarm" "natgateway_errorportallocation" { namespace = "AWS/NATGateway" period = "60" statistic = "Sum" - threshold = "${var.errorportallocation_threshold}" + threshold = var.errorportallocation_threshold actions_enabled = true alarm_actions = var.alarm_actions alarm_description = "This metric monitors the sum of the number of times the NAT gateway could not allocate a source port." 
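Review bot: `count = var.nat_gateway_ids_length` now feeds a `type = string` variable straight into `count`, so a non-numeric value is only caught as a conversion error at plan; `type = number` on `nat_gateway_ids_length` is the matching 0.12 constraint. Presumably the separate length variable exists because `length(var.nat_gateway_ids)` can be unknown at plan time when the gateways are created in the same run — if that is not the case, deriving the count from the list would remove the possibility of the two inputs disagreeing, which otherwise surfaces as an index error in `alarm_name` via `var.nat_gateway_ids[count.index]`. The `aws_cloudwatch_metric_alarm` block that starts in the last hunk on this line continues past it.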
@@ -68,7 +68,7 @@ resource "aws_cloudwatch_metric_alarm" "natgateway_errorportallocation" { } resource "aws_cloudwatch_metric_alarm" "natgateway_packetsdropcount" { - count = "${var.nat_gateway_ids_length}" + count = var.nat_gateway_ids_length alarm_name = "${var.name_prefix}-natgateway-packetsdropcount-${var.nat_gateway_ids[count.index]}" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" @@ -76,7 +76,7 @@ resource "aws_cloudwatch_metric_alarm" "natgateway_packetsdropcount" { namespace = "AWS/NATGateway" period = "60" statistic = "Sum" - threshold = "${var.packetsdropcount_threshold}" + threshold = var.packetsdropcount_threshold actions_enabled = true alarm_actions = var.alarm_actions alarm_description = "This metric monitors the number of packets dropped by the NAT gateway." @@ -91,12 +91,12 @@ resource "aws_cloudwatch_metric_alarm" "natgateway_packetsdropcount" { // The ID of the NAT Gateway ErrorPortAllocation health check. output "alarm_natgateway_errorportallocation_id" { - value = "${aws_cloudwatch_metric_alarm.natgateway_errorportallocation.*.id}" + value = aws_cloudwatch_metric_alarm.natgateway_errorportallocation.*.id description = "The ID of the NAT Gateway ErrorPortAllocation health check." } // The ID of the NAT Gateway PacketsDropCount health check. output "alarm_natgateway_packetsdropcount_id" { - value = "${aws_cloudwatch_metric_alarm.natgateway_packetsdropcount.*.id}" + value = aws_cloudwatch_metric_alarm.natgateway_packetsdropcount.*.id description = "The ID of the NAT Gateway PacketsDropCount health check." } diff --git a/terraform/modules/aws/alarms/rds/README.md b/terraform/modules/aws/alarms/rds/README.md index b328677c4..14263048e 100644 --- a/terraform/modules/aws/alarms/rds/README.md +++ b/terraform/modules/aws/alarms/rds/README.md 
@@ -46,7 +46,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list` | n/a | yes | +| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list(string)` | n/a | yes | | [cpuutilization\_threshold](#input\_cpuutilization\_threshold) | The value against which the CPUUtilization metric is compared, in percent. | `string` | `"80"` | no | | [db\_instance\_id](#input\_db\_instance\_id) | The ID of the database instance that we want to monitor. | `string` | n/a | yes | | [freeablememory\_threshold](#input\_freeablememory\_threshold) | The value against which the FreeableMemory metric is compared, in Bytes. | `string` | `"2147483648"` | no | diff --git a/terraform/modules/aws/alarms/rds/main.tf b/terraform/modules/aws/alarms/rds/main.tf index 3b5b511aa..828604987 100644 --- a/terraform/modules/aws/alarms/rds/main.tf +++ b/terraform/modules/aws/alarms/rds/main.tf 
@@ -21,40 +21,40 @@ * http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/rds-metricscollected.html */ variable "name_prefix" { - type = "string" + type = string description = "The alarm name prefix." } variable "alarm_actions" { - type = "list" + type = list(string) description = "The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN)." } variable "db_instance_id" { - type = "string" + type = string description = "The ID of the database instance that we want to monitor." } variable "cpuutilization_threshold" { - type = "string" + type = string description = "The value against which the CPUUtilization metric is compared, in percent." default = "80" } variable "freeablememory_threshold" { - type = "string" + type = string description = "The value against which the FreeableMemory metric is compared, in Bytes." default = "2147483648" } variable "freestoragespace_threshold" { - type = "string" + type = string description = "The value against which the FreeStorageSpace metric is compared, in Bytes." default = "10737418240" } variable "replicalag_threshold" { - type = "string" + type = string description = "The value against which the ReplicaLag metric is compared, in seconds." default = "0" } @@ -69,7 +69,7 @@ resource "aws_cloudwatch_metric_alarm" "rds_cpuutilization" { namespace = "AWS/RDS" period = "60" statistic = "Average" - threshold = "${var.cpuutilization_threshold}" + threshold = var.cpuutilization_threshold actions_enabled = true alarm_actions = ["${var.alarm_actions}"] alarm_description = "This metric monitors the percentage of CPU utilization." 
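Review bot: `alarm_actions = ["${var.alarm_actions}"]` is left as context in the `rds_cpuutilization` hunk (and in the three rds alarm hunks on the next line) while `var.alarm_actions` becomes `list(string)`; in Terraform 0.12+ an interpolation-only expression returns the list itself, so this literal evaluates to a list nested inside a list and should be rejected for a set-of-strings argument, whereas 0.11 flattened it silently. The ELB module hunks earlier in this commit already use `alarm_actions = var.alarm_actions`; the four rds resources should match. The enclosing `aws_cloudwatch_metric_alarm` blocks start and end outside these hunks.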
@@ -87,7 +87,7 @@ resource "aws_cloudwatch_metric_alarm" "rds_freeablememory" { namespace = "AWS/RDS" period = "60" statistic = "Average" - threshold = "${var.freeablememory_threshold}" + threshold = var.freeablememory_threshold actions_enabled = true alarm_actions = ["${var.alarm_actions}"] alarm_description = "This metric monitors the amount of available random access memory." @@ -105,7 +105,7 @@ resource "aws_cloudwatch_metric_alarm" "rds_freestoragespace" { namespace = "AWS/RDS" period = "60" statistic = "Average" - threshold = "${var.freestoragespace_threshold}" + threshold = var.freestoragespace_threshold actions_enabled = true alarm_actions = ["${var.alarm_actions}"] alarm_description = "This metric monitors the amount of available storage space." @@ -116,7 +116,7 @@ resource "aws_cloudwatch_metric_alarm" "rds_freestoragespace" { } resource "aws_cloudwatch_metric_alarm" "rds_replicalag" { - count = "${var.replicalag_threshold > 0 ? 1 : 0}" + count = var.replicalag_threshold > 0 ? 1 : 0 alarm_name = "${var.name_prefix}-rds-replicalag" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "2" @@ -124,7 +124,7 @@ resource "aws_cloudwatch_metric_alarm" "rds_replicalag" { namespace = "AWS/RDS" period = "60" statistic = "Maximum" - threshold = "${var.replicalag_threshold}" + threshold = var.replicalag_threshold actions_enabled = true alarm_actions = ["${var.alarm_actions}"] alarm_description = "This metric monitors the amount of time a Read Replica DB instance lags behind the source DB instance." 
@@ -139,24 +139,24 @@ resource "aws_cloudwatch_metric_alarm" "rds_replicalag" { // The ID of the RDS CPUUtilization health check. output "alarm_rds_cpuutilization_id" { - value = "${aws_cloudwatch_metric_alarm.rds_cpuutilization.id}" + value = aws_cloudwatch_metric_alarm.rds_cpuutilization.id description = "The ID of the RDS CPUUtilization health check." } // The ID of the RDS FreeableMemory health check. output "alarm_rds_freeablememory_id" { - value = "${aws_cloudwatch_metric_alarm.rds_freeablememory.id}" + value = aws_cloudwatch_metric_alarm.rds_freeablememory.id description = "The ID of the RDS FreeableMemory health check." } // The ID of the RDS FreeStorageSpace health check. output "alarm_rds_freestoragespace_id" { - value = "${aws_cloudwatch_metric_alarm.rds_freestoragespace.id}" + value = aws_cloudwatch_metric_alarm.rds_freestoragespace.id description = "The ID of the RDS FreeStorageSpace health check." } // The ID of the RDS ReplicaLag health check. output "alarm_rds_replicalag_id" { - value = "${join("", aws_cloudwatch_metric_alarm.rds_replicalag.*.id)}" + value = join("", aws_cloudwatch_metric_alarm.rds_replicalag.*.id) description = "The ID of the RDS ReplicaLag health check." } diff --git a/terraform/modules/aws/iam/gds_user_role/README.md b/terraform/modules/aws/iam/gds_user_role/README.md index d537afa75..1ce9a4a71 100644 --- a/terraform/modules/aws/iam/gds_user_role/README.md +++ b/terraform/modules/aws/iam/gds_user_role/README.md 
@@ -32,9 +32,9 @@ No modules. |------|-------------|------|---------|:--------:| | [gds\_egress\_ips](#input\_gds\_egress\_ips) | DEPRECATED: list of trusted CIDR netblocks | `list(string)` | `[]` | no | | [restrict\_to\_gds\_ips](#input\_restrict\_to\_gds\_ips) | n/a | `bool` | `false` | no | -| [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of policies to attach to the role | `list` | `[]` | no | +| [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of policies to attach to the role | `list(any)` | `[]` | no | | [role\_suffix](#input\_role\_suffix) | Suffix of the role name | `string` | n/a | yes | -| [role\_user\_arns](#input\_role\_user\_arns) | List of ARNs of external users that can assume the role | `list` | n/a | yes | +| [role\_user\_arns](#input\_role\_user\_arns) | List of ARNs of external users that can assume the role | `list(any)` | n/a | yes | ## Outputs diff --git a/terraform/modules/aws/iam/gds_user_role/main.tf b/terraform/modules/aws/iam/gds_user_role/main.tf index c82f2f0b9..c09ee9297 100644 --- a/terraform/modules/aws/iam/gds_user_role/main.tf +++ b/terraform/modules/aws/iam/gds_user_role/main.tf @@ -15,12 +15,12 @@ variable "role_suffix" { } variable "role_user_arns" { - type = list + type = list(any) description = "List of ARNs of external users that can assume the role" } variable "role_policy_arns" { - type = list + type = list(any) description = "List of ARNs of policies to attach to the role" default = [] } diff --git a/terraform/modules/aws/iam/role_user/README.md b/terraform/modules/aws/iam/role_user/README.md index e84e7d7dd..a799f3cc7 100644 --- a/terraform/modules/aws/iam/role_user/README.md +++ b/terraform/modules/aws/iam/role_user/README.md 
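Review bot: `role_user_arns` and `role_policy_arns` are typed `list(any)` in the gds_user_role hunk while every other ARN list in this commit (`alarm_actions`, `security_groups`, `subnets`) is `list(string)`; `list(any)` still accepts a list of lists or maps and defers the failure to whichever resource consumes it. Since `role_user_arns` describes the external principals allowed to assume the role, `type = list(string)` is worth having for the plan-time check alone, and it keeps the two IAM modules consistent with the rest of the change. The role_user module hunk on the following line declares the identical pair and should get the same treatment.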
@@ -48,8 +48,8 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [role\_name](#input\_role\_name) | The name of the Role | `string` | n/a | yes | -| [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of policies to attach to the role | `list` | `[]` | no | -| [role\_user\_arns](#input\_role\_user\_arns) | List of ARNs of external users that can assume the role | `list` | n/a | yes | +| [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of policies to attach to the role | `list(any)` | `[]` | no | +| [role\_user\_arns](#input\_role\_user\_arns) | List of ARNs of external users that can assume the role | `list(any)` | n/a | yes | ## Outputs diff --git a/terraform/modules/aws/iam/role_user/main.tf b/terraform/modules/aws/iam/role_user/main.tf index 5eda9d790..c79a9ed86 100644 --- a/terraform/modules/aws/iam/role_user/main.tf +++ b/terraform/modules/aws/iam/role_user/main.tf @@ -28,12 +28,12 @@ variable "role_name" { } variable "role_user_arns" { - type = list + type = list(any) description = "List of ARNs of external users that can assume the role" } variable "role_policy_arns" { - type = list + type = list(any) description = "List of ARNs of policies to attach to the role" default = [] } diff --git a/terraform/modules/aws/lb/README.md b/terraform/modules/aws/lb/README.md index cf9437d09..ba4cca64f 100644 --- a/terraform/modules/aws/lb/README.md +++ b/terraform/modules/aws/lb/README.md 
@@ -71,24 +71,24 @@ No modules. |------|-------------|------|---------|:--------:| | [access\_logs\_bucket\_name](#input\_access\_logs\_bucket\_name) | The S3 bucket name to store the logs in. | `string` | n/a | yes | | [access\_logs\_bucket\_prefix](#input\_access\_logs\_bucket\_prefix) | The S3 prefix name to store the logs in. | `string` | `""` | no | -| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list` | `[]` | no | +| [alarm\_actions](#input\_alarm\_actions) | The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN). | `list(string)` | `[]` | no | | [allow\_routing\_for\_absent\_host\_header\_rules](#input\_allow\_routing\_for\_absent\_host\_header\_rules) | If true, the ALB will route to backend hosts. Otherwise, a 400 error will be returned | `string` | `"true"` | no | -| [default\_tags](#input\_default\_tags) | Additional resource tags | `map` | `{}` | no | +| [default\_tags](#input\_default\_tags) | Additional resource tags | `map(string)` | `{}` | no | | [httpcode\_elb\_4xx\_count\_threshold](#input\_httpcode\_elb\_4xx\_count\_threshold) | The value against which the HTTPCode\_ELB\_4XX\_Count metric is compared. | `string` | `"0"` | no | | [httpcode\_elb\_5xx\_count\_threshold](#input\_httpcode\_elb\_5xx\_count\_threshold) | The value against which the HTTPCode\_ELB\_5XX\_Count metric is compared. | `string` | `"80"` | no | | [httpcode\_target\_4xx\_count\_threshold](#input\_httpcode\_target\_4xx\_count\_threshold) | The value against which the HTTPCode\_Target\_4XX\_Count metric is compared. | `string` | `"0"` | no | | [httpcode\_target\_5xx\_count\_threshold](#input\_httpcode\_target\_5xx\_count\_threshold) | The value against which the HTTPCode\_Target\_5XX\_Count metric is compared. 
| `string` | `"80"` | no | | [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. | `string` | `"60"` | no | | [internal](#input\_internal) | If true, the LB will be internal. | `string` | `true` | no | -| [listener\_action](#input\_listener\_action) | A map of Load Balancer Listener and default target group action, both specified as PROTOCOL:PORT. | `map` | n/a | yes | +| [listener\_action](#input\_listener\_action) | A map of Load Balancer Listener and default target group action, both specified as PROTOCOL:PORT. | `map(string)` | n/a | yes | | [listener\_certificate\_domain\_name](#input\_listener\_certificate\_domain\_name) | HTTPS Listener certificate domain name. | `string` | `""` | no | | [listener\_internal\_certificate\_domain\_name](#input\_listener\_internal\_certificate\_domain\_name) | HTTPS Listener internal certificate domain name. | `string` | `""` | no | | [listener\_secondary\_certificate\_domain\_name](#input\_listener\_secondary\_certificate\_domain\_name) | HTTPS Listener secondary certificate domain name. | `string` | `""` | no | | [listener\_ssl\_policy](#input\_listener\_ssl\_policy) | The name of the SSL Policy for HTTPS listeners. | `string` | `"ELBSecurityPolicy-TLS-1-2-2017-01"` | no | | [load\_balancer\_type](#input\_load\_balancer\_type) | The type of load balancer to create. Possible values are application or network. The default value is application. | `string` | `"application"` | no | | [name](#input\_name) | The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters. | `string` | n/a | yes | -| [security\_groups](#input\_security\_groups) | A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application. | `list` | `[]` | no | -| [subnets](#input\_subnets) | A list of subnet IDs to attach to the LB. 
| `list` | n/a | yes | +| [security\_groups](#input\_security\_groups) | A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application. | `list(string)` | `[]` | no | +| [subnets](#input\_subnets) | A list of subnet IDs to attach to the LB. | `list(string)` | n/a | yes | | [target\_group\_deregistration\_delay](#input\_target\_group\_deregistration\_delay) | The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. | `string` | `300` | no | | [target\_group\_health\_check\_interval](#input\_target\_group\_health\_check\_interval) | The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds. | `string` | `30` | no | | [target\_group\_health\_check\_matcher](#input\_target\_group\_health\_check\_matcher) | The health check match response code. | `string` | `"200"` | no | diff --git a/terraform/modules/aws/lb/main.tf b/terraform/modules/aws/lb/main.tf index 40feda1d1..35c84cc54 100644 --- a/terraform/modules/aws/lb/main.tf +++ b/terraform/modules/aws/lb/main.tf 
@@ -34,152 +34,152 @@ */ variable "allow_routing_for_absent_host_header_rules" { - type = "string" + type = string description = "If true, the ALB will route to backend hosts. Otherwise, a 400 error will be returned" default = "true" } variable "default_tags" { - type = "map" + type = map(string) description = "Additional resource tags" default = {} } variable "load_balancer_type" { - type = "string" + type = string description = "The type of load balancer to create. Possible values are application or network. The default value is application." default = "application" } variable "idle_timeout" { - type = "string" + type = string description = "The time in seconds that the connection is allowed to be idle." default = "60" } variable "access_logs_bucket_name" { - type = "string" + type = string description = "The S3 bucket name to store the logs in." } variable "access_logs_bucket_prefix" { - type = "string" + type = string description = "The S3 prefix name to store the logs in." default = "" } variable "listener_action" { - type = "map" + type = map(string) description = "A map of Load Balancer Listener and default target group action, both specified as PROTOCOL:PORT." } variable "listener_certificate_domain_name" { - type = "string" + type = string description = "HTTPS Listener certificate domain name." default = "" } variable "listener_secondary_certificate_domain_name" { - type = "string" + type = string description = "HTTPS Listener secondary certificate domain name." default = "" } variable "listener_internal_certificate_domain_name" { - type = "string" + type = string description = "HTTPS Listener internal certificate domain name." default = "" } variable "listener_ssl_policy" { - type = "string" + type = string description = "The name of the SSL Policy for HTTPS listeners." default = "ELBSecurityPolicy-TLS-1-2-2017-01" } variable "internal" { - type = "string" + type = string description = "If true, the LB will be internal." 
default = true } variable "name" { - type = "string" + type = string description = "The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters." } variable "subnets" { - type = "list" + type = list(string) description = "A list of subnet IDs to attach to the LB." } variable "security_groups" { - type = "list" + type = list(string) description = "A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application." default = [] } variable "vpc_id" { - type = "string" + type = string description = "The ID of the VPC in which the default target groups are created." } variable "target_group_health_check_path" { - type = "string" + type = string description = "The health check path." default = "/_healthcheck" } variable "target_group_health_check_matcher" { - type = "string" + type = string description = "The health check match response code." default = "200" } variable "target_group_deregistration_delay" { - type = "string" + type = string description = "The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused." default = 300 } variable "target_group_health_check_interval" { - type = "string" + type = string description = "The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds." default = 30 } variable "target_group_health_check_timeout" { - type = "string" + type = string description = "The amount of time, in seconds, during which no response means a failed health check." default = 5 } variable "alarm_actions" { - type = "list" + type = list(string) description = "The list of actions to execute when this alarm transitions into an ALARM state. Each action is specified as an Amazon Resource Number (ARN)." 
default = [] } variable "httpcode_target_4xx_count_threshold" { - type = "string" + type = string description = "The value against which the HTTPCode_Target_4XX_Count metric is compared." default = "0" } variable "httpcode_target_5xx_count_threshold" { - type = "string" + type = string description = "The value against which the HTTPCode_Target_5XX_Count metric is compared." default = "80" } variable "httpcode_elb_4xx_count_threshold" { - type = "string" + type = string description = "The value against which the HTTPCode_ELB_4XX_Count metric is compared." default = "0" } variable "httpcode_elb_5xx_count_threshold" { - type = "string" + type = string description = "The value against which the HTTPCode_ELB_5XX_Count metric is compared." default = "80" } 
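Review bot: `internal` and `allow_routing_for_absent_host_header_rules` keep `type = string` in this hunk even though one carries a bare `default = true` and the other is compared with `== "true"` in the listener hunks below; the 0.12 constraint for both is `type = bool` with `default = true`, after which the listener expressions become `var.allow_routing_for_absent_host_header_rules ? "forward" : "fixed-response"`. The numeric inputs here (`idle_timeout`, the three `target_group_*` timings and the four `httpcode_*_threshold`s) would likewise be `number`. As written a value such as `"yes"` for `internal` is only rejected when the provider converts it, without a message pointing at the variable.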
@@ -188,47 +188,47 @@ variable "httpcode_elb_5xx_count_threshold" { #-------------------------------------------------------------- data "aws_acm_certificate" "cert" { - count = "${var.listener_certificate_domain_name == "" ? 0 : 1}" - domain = "${var.listener_certificate_domain_name}" + count = var.listener_certificate_domain_name == "" ? 0 : 1 + domain = var.listener_certificate_domain_name statuses = ["ISSUED"] } data "aws_acm_certificate" "secondary_cert" { - count = "${var.listener_secondary_certificate_domain_name == "" ? 0 : 1}" - domain = "${var.listener_secondary_certificate_domain_name}" + count = var.listener_secondary_certificate_domain_name == "" ? 0 : 1 + domain = var.listener_secondary_certificate_domain_name statuses = ["ISSUED"] } data "aws_acm_certificate" "internal_cert" { - count = "${var.listener_internal_certificate_domain_name == "" ? 0 : 1}" - domain = "${var.listener_internal_certificate_domain_name}" + count = var.listener_internal_certificate_domain_name == "" ? 0 : 1 + domain = var.listener_internal_certificate_domain_name statuses = ["ISSUED"] } resource "aws_lb" "lb" { - name = "${var.name}" - internal = "${var.internal}" - security_groups = "${var.security_groups}" + name = var.name + internal = var.internal + security_groups = var.security_groups subnets = flatten(var.subnets) - load_balancer_type = "${var.load_balancer_type}" - idle_timeout = "${var.idle_timeout}" + load_balancer_type = var.load_balancer_type + idle_timeout = var.idle_timeout access_logs { enabled = true - bucket = "${var.access_logs_bucket_name}" - prefix = "${var.access_logs_bucket_prefix != "" ? var.access_logs_bucket_prefix : "lb/${var.name}"}" + bucket = var.access_logs_bucket_name + prefix = var.access_logs_bucket_prefix != "" ? 
var.access_logs_bucket_prefix : "lb/${var.name}" } - tags = "${merge( + tags = (merge( var.default_tags, map( "Name", var.name ) - )}" + )) } data "null_data_source" "values" { - count = "${length(keys(var.listener_action))}" + count = length(keys(var.listener_action)) inputs = { ssl_arn_index = "${element(split(":", element(keys(var.listener_action), count.index)), 0) == "HTTPS" ? format("%d", count.index) : ""}" 
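Review bot: `tags = (merge(var.default_tags, map("Name", var.name)))` still calls the `map()` function, which Terraform 0.12 deprecated and later releases removed, so this line stops parsing on the first upgrade past 0.12; the outer parentheses are also redundant. `tags = merge(var.default_tags, { Name = var.name })` is the equivalent form. The `data "null_data_source" "values"` block that follows is likewise deprecated by the null provider in favour of `locals`, though that is a larger refactor than this commit; its `ssl_arn_index` input also keeps the `"${…}"` wrapper the rest of the hunk drops.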
@@ -237,14 +237,14 @@ data "null_data_source" "values" { } resource "aws_lb_listener" "listener_non_ssl" { - count = "${length(compact(data.null_data_source.values.*.inputs.arn_index))}" - load_balancer_arn = "${aws_lb.lb.arn}" - port = "${element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.arn_index), count.index))), 1)}" - protocol = "${element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.arn_index), count.index))), 0)}" + count = length(compact(data.null_data_source.values.*.inputs.arn_index)) + load_balancer_arn = aws_lb.lb.arn + port = element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.arn_index), count.index))), 1) + protocol = element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.arn_index), count.index))), 0) default_action { - target_group_arn = "${var.allow_routing_for_absent_host_header_rules == "true" ? lookup(local.target_groups_arns, "${element(values(var.listener_action), element(compact(data.null_data_source.values.*.inputs.arn_index), count.index))}") : ""}" - type = "${var.allow_routing_for_absent_host_header_rules == "true" ? "forward" : "fixed-response"}" + target_group_arn = var.allow_routing_for_absent_host_header_rules == "true" ? lookup(local.target_groups_arns, "${element(values(var.listener_action), element(compact(data.null_data_source.values.*.inputs.arn_index), count.index))}") : "" + type = var.allow_routing_for_absent_host_header_rules == "true" ? "forward" : "fixed-response" fixed_response { content_type = "text/plain" 
@@ -255,16 +255,16 @@ resource "aws_lb_listener" "listener_non_ssl" { } resource "aws_lb_listener" "listener" { - count = "${length(compact(data.null_data_source.values.*.inputs.ssl_arn_index))}" - load_balancer_arn = "${aws_lb.lb.arn}" - port = "${element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))), 1)}" - protocol = "${element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))), 0)}" - ssl_policy = "${element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))), 0) == "HTTPS" ? var.listener_ssl_policy : ""}" - certificate_arn = "${element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))), 0) == "HTTPS" ? data.aws_acm_certificate.cert.0.arn : ""}" + count = length(compact(data.null_data_source.values.*.inputs.ssl_arn_index)) + load_balancer_arn = aws_lb.lb.arn + port = element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))), 1) + protocol = element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))), 0) + ssl_policy = element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))), 0) == "HTTPS" ? var.listener_ssl_policy : "" + certificate_arn = element(split(":", element(keys(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))), 0) == "HTTPS" ? data.aws_acm_certificate.cert.0.arn : "" default_action { - target_group_arn = "${var.allow_routing_for_absent_host_header_rules == "true" ? 
lookup(local.target_groups_arns, "${element(values(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))}") : ""}" - type = "${var.allow_routing_for_absent_host_header_rules == "true" ? "forward" : "fixed-response"}" + target_group_arn = var.allow_routing_for_absent_host_header_rules == "true" ? lookup(local.target_groups_arns, "${element(values(var.listener_action), element(compact(data.null_data_source.values.*.inputs.ssl_arn_index), count.index))}") : "" + type = var.allow_routing_for_absent_host_header_rules == "true" ? "forward" : "fixed-response" fixed_response { content_type = "text/plain" 
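Review bot: The TLS policy of every HTTPS listener created by `resource "aws_lb_listener" "listener"` is whatever `var.listener_ssl_policy` defaults to, and that variable is declared outside this hunk; if it defaults to AWS's own default `ELBSecurityPolicy-2016-08`, TLS 1.0 and 1.1 remain negotiable on a public listener, so the module should either default to a TLS 1.2-only policy or document that callers must set one. The `== "HTTPS" ? var.listener_ssl_policy : ""` and `== "HTTPS" ? data.aws_acm_certificate.cert.0.arn : ""` conditionals are always true for this resource, because `ssl_arn_index` is only populated for `HTTPS:` keys in the preceding hunk, so they can collapse to `ssl_policy = var.listener_ssl_policy` and `certificate_arn = data.aws_acm_certificate.cert[0].arn`, with `[0]` replacing the 0.11-era `.0` attribute syntax. That index also fails with a bare "Invalid index" whenever an HTTPS listener is requested while `listener_certificate_domain_name` is left empty (the data source then has `count = 0`), which deserves a sentence in that variable's description or an explicit guard. The resource's `fixed_response` block continues past the end of this hunk.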
@@ -275,54 +275,54 @@ resource "aws_lb_listener" "listener" { } resource "aws_lb_listener_certificate" "secondary" { - count = "${var.listener_secondary_certificate_domain_name == "" ? 0 : length(compact(data.null_data_source.values.*.inputs.ssl_arn_index))}" - listener_arn = "${element(aws_lb_listener.listener.*.arn, count.index)}" - certificate_arn = "${data.aws_acm_certificate.secondary_cert.0.arn}" + count = var.listener_secondary_certificate_domain_name == "" ? 0 : length(compact(data.null_data_source.values.*.inputs.ssl_arn_index)) + listener_arn = element(aws_lb_listener.listener.*.arn, count.index) + certificate_arn = data.aws_acm_certificate.secondary_cert.0.arn } resource "aws_lb_listener_certificate" "internal" { - count = "${var.listener_internal_certificate_domain_name == "" ? 0 : length(compact(data.null_data_source.values.*.inputs.ssl_arn_index))}" - listener_arn = "${element(aws_lb_listener.listener.*.arn, count.index)}" - certificate_arn = "${data.aws_acm_certificate.internal_cert.0.arn}" + count = var.listener_internal_certificate_domain_name == "" ? 
0 : length(compact(data.null_data_source.values.*.inputs.ssl_arn_index)) + listener_arn = element(aws_lb_listener.listener.*.arn, count.index) + certificate_arn = data.aws_acm_certificate.internal_cert.0.arn } locals { - target_groups = "${distinct(values(var.listener_action))}" + target_groups = distinct(values(var.listener_action)) } resource "aws_lb_target_group" "tg_default" { - count = "${length(local.target_groups)}" - name = "${replace(format("%.21s-%.10s", var.name, replace(local.target_groups[count.index], ":", "-")), "/-$/", "")}" - port = "${element(split(":", element(local.target_groups, count.index)), 1)}" - protocol = "${element(split(":", element(local.target_groups, count.index)), 0)}" - vpc_id = "${var.vpc_id}" - deregistration_delay = "${var.target_group_deregistration_delay}" + count = length(local.target_groups) + name = replace(format("%.21s-%.10s", var.name, replace(local.target_groups[count.index], ":", "-")), "/-$/", "") + port = element(split(":", element(local.target_groups, count.index)), 1) + protocol = element(split(":", element(local.target_groups, count.index)), 0) + vpc_id = var.vpc_id + deregistration_delay = var.target_group_deregistration_delay health_check { - interval = "${var.target_group_health_check_interval}" - path = "${var.target_group_health_check_path}" - matcher = "${var.target_group_health_check_matcher}" - port = "${element(split(":", element(local.target_groups, count.index)), 1)}" - protocol = "${element(split(":", element(local.target_groups, count.index)), 0)}" + interval = var.target_group_health_check_interval + path = var.target_group_health_check_path + matcher = var.target_group_health_check_matcher + port = element(split(":", element(local.target_groups, count.index)), 1) + protocol = element(split(":", element(local.target_groups, count.index)), 0) healthy_threshold = 2 unhealthy_threshold = 2 - timeout = "${var.target_group_health_check_timeout}" + timeout = var.target_group_health_check_timeout } 
lifecycle { create_before_destroy = true } - tags = "${merge( + tags = (merge( var.default_tags, map( "Name", "${var.name}-${replace(element(local.target_groups, count.index), ":", "-")}" ) - )}" + )) } locals { - target_groups_arns = "${zipmap(formatlist("%v:%v", aws_lb_target_group.tg_default.*.protocol, aws_lb_target_group.tg_default.*.port), aws_lb_target_group.tg_default.*.arn)}" + target_groups_arns = zipmap(formatlist("%v:%v", aws_lb_target_group.tg_default.*.protocol, aws_lb_target_group.tg_default.*.port), aws_lb_target_group.tg_default.*.arn) } locals { @@ -330,7 +330,7 @@ locals { } resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_4xx_count" { - count = "${var.httpcode_elb_4xx_count_threshold > 0 ? 1 : 0}" + count = var.httpcode_elb_4xx_count_threshold > 0 ? 1 : 0 alarm_name = "${var.name}-elb-httpcode_elb_4xx_count" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" @@ -338,9 +338,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_4xx_count" { namespace = "AWS/ApplicationELB" period = "60" statistic = "Sum" - threshold = "${var.httpcode_elb_4xx_count_threshold}" + threshold = var.httpcode_elb_4xx_count_threshold actions_enabled = true - alarm_actions = "${var.alarm_actions}" + alarm_actions = var.alarm_actions alarm_description = "This metric monitors the sum of HTTP 4XX response codes generated by the Application LB." treat_missing_data = "notBreaching" @@ -350,7 +350,7 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_4xx_count" { } resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_5xx_count" { - count = "${var.httpcode_elb_5xx_count_threshold > 0 ? 1 : 0}" + count = var.httpcode_elb_5xx_count_threshold > 0 ? 1 : 0 alarm_name = "${var.name}-elb-httpcode_elb_5xx_count" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" 
@@ -358,9 +358,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_5xx_count" { namespace = "AWS/ApplicationELB" period = "60" statistic = "Sum" - threshold = "${var.httpcode_elb_5xx_count_threshold}" + threshold = var.httpcode_elb_5xx_count_threshold actions_enabled = true - alarm_actions = "${var.alarm_actions}" + alarm_actions = var.alarm_actions alarm_description = "This metric monitors the sum of HTTP 5XX response codes generated by the Application LB." treat_missing_data = "notBreaching" @@ -370,7 +370,7 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_elb_5xx_count" { } resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_4xx_count" { - count = "${var.httpcode_target_4xx_count_threshold > 0 ? 1 : 0}" + count = var.httpcode_target_4xx_count_threshold > 0 ? 1 : 0 alarm_name = "${var.name}-elb-httpcode_target_4xx_count" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" @@ -378,9 +378,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_4xx_count" { namespace = "AWS/ApplicationELB" period = "60" statistic = "Sum" - threshold = "${var.httpcode_target_4xx_count_threshold}" + threshold = var.httpcode_target_4xx_count_threshold actions_enabled = true - alarm_actions = "${var.alarm_actions}" + alarm_actions = var.alarm_actions alarm_description = "This metric monitors the sum of HTTP 4XX response codes generated by the Target Groups." treat_missing_data = "notBreaching" @@ -390,7 +390,7 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_4xx_count" { } resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_5xx_count" { - count = "${var.httpcode_target_5xx_count_threshold > 0 ? 1 : 0}" + count = var.httpcode_target_5xx_count_threshold > 0 ? 1 : 0 alarm_name = "${var.name}-elb-httpcode_target_5xx_count" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" 
@@ -398,9 +398,9 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_5xx_count" { namespace = "AWS/ApplicationELB" period = "60" statistic = "Sum" - threshold = "${var.httpcode_target_5xx_count_threshold}" + threshold = var.httpcode_target_5xx_count_threshold actions_enabled = true - alarm_actions = "${var.alarm_actions}" + alarm_actions = var.alarm_actions alarm_description = "This metric monitors the sum of HTTP 5XX response codes generated by the Target Groups." treat_missing_data = "notBreaching" @@ -413,31 +413,31 @@ resource "aws_cloudwatch_metric_alarm" "elb_httpcode_target_5xx_count" { #-------------------------------------------------------------- output "lb_id" { - value = "${aws_lb.lb.id}" + value = aws_lb.lb.id description = "The ARN of the load balancer (matches arn)." } output "lb_arn_suffix" { - value = "${aws_lb.lb.arn_suffix}" + value = aws_lb.lb.arn_suffix description = "The ARN suffix for use with CloudWatch Metrics." } output "lb_dns_name" { - value = "${aws_lb.lb.dns_name}" + value = aws_lb.lb.dns_name description = "The DNS name of the load balancer." } output "lb_zone_id" { - value = "${aws_lb.lb.zone_id}" + value = aws_lb.lb.zone_id description = "The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record)." } output "target_group_arns" { - value = "${aws_lb_target_group.tg_default.*.arn}" + value = aws_lb_target_group.tg_default.*.arn description = "List of the default target group ARNs." } output "load_balancer_ssl_listeners" { - value = "${aws_lb_listener.listener.*.arn}" + value = aws_lb_listener.listener.*.arn description = "List of https listeners on the Load Balancer." } diff --git a/terraform/modules/aws/lb_listener_rules/README.md b/terraform/modules/aws/lb_listener_rules/README.md index 981b3ddfb..4d51d97ef 100644 --- a/terraform/modules/aws/lb_listener_rules/README.md +++ b/terraform/modules/aws/lb_listener_rules/README.md 
@@ -41,12 +41,12 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [autoscaling\_group\_name](#input\_autoscaling\_group\_name) | Name of ASG to associate with the target group. An empty value does not create any attachment to the LB target group. | `string` | `""` | no | -| [default\_tags](#input\_default\_tags) | Additional resource tags | `map` | `{}` | no | +| [default\_tags](#input\_default\_tags) | Additional resource tags | `map(string)` | `{}` | no | | [listener\_arn](#input\_listener\_arn) | ARN of the listener. | `string` | n/a | yes | | [name](#input\_name) | Prefix of the target group names. The final name is name-rulename. | `string` | n/a | yes | | [priority\_offset](#input\_priority\_offset) | first priority number assigned to the rules managed by the module. | `string` | `1` | no | -| [rules\_for\_existing\_target\_groups](#input\_rules\_for\_existing\_target\_groups) | create an additional rule for a target group already created via rules\_host | `map` | `{}` | no | -| [rules\_host](#input\_rules\_host) | A list with the values to create Host-header based listener rules and target groups. | `list` | `[]` | no | +| [rules\_for\_existing\_target\_groups](#input\_rules\_for\_existing\_target\_groups) | create an additional rule for a target group already created via rules\_host | `map(string)` | `{}` | no | +| [rules\_host](#input\_rules\_host) | A list with the values to create Host-header based listener rules and target groups. | `list(string)` | `[]` | no | | [rules\_host\_domain](#input\_rules\_host\_domain) | Host header domain to append to the hosts in rules\_host. | `string` | `"*"` | no | | [target\_group\_deregistration\_delay](#input\_target\_group\_deregistration\_delay) | The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. 
| `string` | `300` | no | | [target\_group\_health\_check\_interval](#input\_target\_group\_health\_check\_interval) | The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds. | `string` | `30` | no | diff --git a/terraform/modules/aws/lb_listener_rules/main.tf b/terraform/modules/aws/lb_listener_rules/main.tf index 5f692785a..be27c14d4 100644 --- a/terraform/modules/aws/lb_listener_rules/main.tf +++ b/terraform/modules/aws/lb_listener_rules/main.tf 
@@ -16,94 +16,94 @@ */ variable "default_tags" { - type = "map" + type = map(string) description = "Additional resource tags" default = {} } variable "listener_arn" { - type = "string" + type = string description = "ARN of the listener." } variable "rules_host" { - type = "list" + type = list(string) description = "A list with the values to create Host-header based listener rules and target groups." default = [] } variable "rules_host_domain" { - type = "string" + type = string description = "Host header domain to append to the hosts in rules_host." default = "*" } variable "name" { - type = "string" + type = string description = "Prefix of the target group names. The final name is name-rulename." } variable "priority_offset" { - type = "string" + type = string description = "first priority number assigned to the rules managed by the module." default = 1 } variable "vpc_id" { - type = "string" + type = string description = "The ID of the VPC in which the default target groups are created." } variable "autoscaling_group_name" { - type = "string" + type = string description = "Name of ASG to associate with the target group. An empty value does not create any attachment to the LB target group." default = "" } variable "target_group_deregistration_delay" { - type = "string" + type = string description = "The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused." default = 300 } variable "target_group_health_check_interval" { - type = "string" + type = string description = "The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds." default = 30 } variable "target_group_health_check_timeout" { - type = "string" + type = string description = "The amount of time, in seconds, during which no response means a failed health check." 
default = 5 } variable "target_group_port" { - type = "string" + type = string description = "The port on which targets receive traffic." default = 80 } variable "target_group_protocol" { - type = "string" + type = string description = "The protocol to use for routing traffic to the targets." default = "HTTP" } variable "target_group_health_check_path_prefix" { - type = "string" + type = string description = "The prefix destination for the health check request." default = "/_healthcheck-ready_" } variable "target_group_health_check_matcher" { - type = "string" + type = string description = "The HTTP codes to use when checking for a successful response from a target." default = "200-399" } variable "rules_for_existing_target_groups" { - type = "map" + type = map(string) description = "create an additional rule for a target group already created via rules_host" default = {} } 
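Review bot: This variable block keeps `type = string` for every numeric input — `priority_offset`, `target_group_deregistration_delay`, `target_group_health_check_interval`, `target_group_health_check_timeout`, `target_group_port` — even though their defaults are bare numbers, so the move to first-class 0.12 types stops short of `type = number`, which would reject a non-numeric value at plan time and is backward compatible because string-form numbers are converted automatically. `rules_host_domain` defaults to `"*"`, which read together with its description means a caller who omits it gets Host-header rules that match each host prefix under any domain; the condition block that consumes it is outside this hunk, so I can only suggest dropping the default or stating in the description that the wildcard is deliberate. `rules_for_existing_target_groups` is now `map(string)` but its description does not say that each value must be one of the `rules_host` entries (the `index()` call later in the file errors otherwise); `description = "Map of host -> existing rules_host entry; each value must appear in rules_host."` would make the contract explicit.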
@@ -112,41 +112,41 @@ variable "rules_for_existing_target_groups" { #-------------------------------------------------------------- resource "aws_lb_target_group" "tg" { - count = "${length(var.rules_host)}" - name = "${replace(format("%.10s-%.21s", var.name, var.rules_host[count.index]), "/-$/", "")}" - port = "${var.target_group_port}" - protocol = "${var.target_group_protocol}" - vpc_id = "${var.vpc_id}" - deregistration_delay = "${var.target_group_deregistration_delay}" + count = length(var.rules_host) + name = replace(format("%.10s-%.21s", var.name, var.rules_host[count.index]), "/-$/", "") + port = var.target_group_port + protocol = var.target_group_protocol + vpc_id = var.vpc_id + deregistration_delay = var.target_group_deregistration_delay health_check { - interval = "${var.target_group_health_check_interval}" + interval = var.target_group_health_check_interval path = "${var.target_group_health_check_path_prefix}${var.rules_host[count.index]}" - matcher = "${var.target_group_health_check_matcher}" + matcher = var.target_group_health_check_matcher port = "traffic-port" - protocol = "${var.target_group_protocol}" + protocol = var.target_group_protocol healthy_threshold = 2 unhealthy_threshold = 2 - timeout = "${var.target_group_health_check_timeout}" + timeout = var.target_group_health_check_timeout } - tags = "${var.default_tags}" + tags = var.default_tags } resource "aws_autoscaling_attachment" "tg" { - count = "${var.autoscaling_group_name != "" ? length(var.rules_host) : 0}" - autoscaling_group_name = "${var.autoscaling_group_name}" - alb_target_group_arn = "${aws_lb_target_group.tg.*.arn[count.index]}" + count = var.autoscaling_group_name != "" ? 
length(var.rules_host) : 0 + autoscaling_group_name = var.autoscaling_group_name + alb_target_group_arn = aws_lb_target_group.tg.*.arn[count.index] } resource "aws_lb_listener_rule" "routing" { - count = "${length(var.rules_host)}" - listener_arn = "${var.listener_arn}" - priority = "${count.index + var.priority_offset}" + count = length(var.rules_host) + listener_arn = var.listener_arn + priority = count.index + var.priority_offset action { type = "forward" - target_group_arn = "${aws_lb_target_group.tg.*.arn[count.index]}" + target_group_arn = aws_lb_target_group.tg.*.arn[count.index] } condition { @@ -161,13 +161,13 @@ resource "aws_lb_listener_rule" "routing" { } resource "aws_lb_listener_rule" "existing_target_groups" { - count = "${length(keys(var.rules_for_existing_target_groups))}" - listener_arn = "${var.listener_arn}" - priority = "${count.index + var.priority_offset + length(var.rules_host)}" + count = length(keys(var.rules_for_existing_target_groups)) + listener_arn = var.listener_arn + priority = count.index + var.priority_offset + length(var.rules_host) action { type = "forward" - target_group_arn = "${aws_lb_target_group.tg.*.arn[index(var.rules_host, var.rules_for_existing_target_groups[element(keys(var.rules_for_existing_target_groups), count.index)])]}" + target_group_arn = aws_lb_target_group.tg.*.arn[index(var.rules_host, var.rules_for_existing_target_groups[element(keys(var.rules_for_existing_target_groups), count.index)])] } condition { diff --git a/terraform/modules/aws/network/nat/README.md b/terraform/modules/aws/network/nat/README.md index dc27c8305..b90361138 100644 --- a/terraform/modules/aws/network/nat/README.md +++ b/terraform/modules/aws/network/nat/README.md 
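Review bot: `tags = var.default_tags` on `resource "aws_lb_target_group" "tg"` attaches no `Name` tag, unlike every other resource this tagging commit touches (the lb module merges a `Name` into `default_tags` for its target groups), so these target groups stay identifiable only by their 32-character truncated `name`. A consistent version is `tags = merge(var.default_tags, { Name = "${var.name}-${var.rules_host[count.index]}" })`, which can carry the untruncated name because tag values are not subject to the target-group name limit. `priority = count.index + var.priority_offset` relies on `var.priority_offset` being declared `string` and converted implicitly in the arithmetic; declaring it `number` would make that explicit. The `condition` block of `aws_lb_listener_rule.routing` continues beyond this hunk.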
@@ -32,7 +32,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [shield\_protection\_enabled](#input\_shield\_protection\_enabled) | Whether or not to enable AWS Shield. Terraform 0.11 doesn't have booleans, so representing as string. | `string` | `"true"` | no | -| [subnet\_ids](#input\_subnet\_ids) | List of public subnet IDs where you want to create a NAT Gateway | `list` | n/a | yes | +| [subnet\_ids](#input\_subnet\_ids) | List of public subnet IDs where you want to create a NAT Gateway | `list(string)` | n/a | yes | | [subnet\_ids\_length](#input\_subnet\_ids\_length) | Length of subnet\_ids variable | `string` | n/a | yes | ## Outputs diff --git a/terraform/modules/aws/network/nat/main.tf b/terraform/modules/aws/network/nat/main.tf index abe6eb8d4..53a106dc3 100644 --- a/terraform/modules/aws/network/nat/main.tf +++ b/terraform/modules/aws/network/nat/main.tf @@ -6,25 +6,25 @@ */ variable "shield_protection_enabled" { - type = "string" + type = string description = "Whether or not to enable AWS Shield. Terraform 0.11 doesn't have booleans, so representing as string." default = "true" } variable "subnet_ids" { - type = "list" + type = list(string) description = "List of public subnet IDs where you want to create a NAT Gateway" } variable "subnet_ids_length" { - type = "string" + type = string description = "Length of subnet_ids variable" } # Resources # -------------------------------------------------------------- resource "aws_eip" "nat" { - count = "${var.subnet_ids_length}" + count = var.subnet_ids_length vpc = true lifecycle { 
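Review bot: `variable "shield_protection_enabled"` keeps `type = string` and `default = "true"` with a description that justifies the string by saying Terraform 0.11 has no booleans, which no longer holds once this file is on 0.12 syntax; the next hunk's `count = var.shield_protection_enabled ? length(aws_eip.nat.*.id) : 0` then relies on implicit string-to-bool conversion, which errors for any value other than the literal strings true/false. A tidier declaration is `type = bool`, `default = true`, `description = "Whether to create an AWS Shield Advanced protection for each NAT gateway EIP."`; existing callers passing the string "true" still convert. Separately, `resource "aws_eip" "nat"` sets `vpc = true`, which newer AWS provider versions deprecate in favour of `domain = "vpc"` — worth checking against the pinned provider version, which is not visible here. The `lifecycle` block of `aws_eip.nat` continues beyond this hunk.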
@@ -37,15 +37,15 @@ data "aws_caller_identity" "current" {} data "aws_region" "current" {} resource "aws_shield_protection" "aws_eip" { - count = "${var.shield_protection_enabled ? length(aws_eip.nat.*.id) : 0}" + count = var.shield_protection_enabled ? length(aws_eip.nat.*.id) : 0 name = "${element(aws_eip.nat.*.id, count.index)}_shield" resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${element(aws_eip.nat.*.id, count.index)}" } resource "aws_nat_gateway" "nat" { - count = "${var.subnet_ids_length}" - allocation_id = "${element(aws_eip.nat.*.id, count.index)}" - subnet_id = "${element(var.subnet_ids, count.index)}" + count = var.subnet_ids_length + allocation_id = element(aws_eip.nat.*.id, count.index) + subnet_id = element(var.subnet_ids, count.index) lifecycle { create_before_destroy = true @@ -61,11 +61,11 @@ output "nat_gateway_ids" { } output "nat_gateway_subnets_ids_map" { - value = "${zipmap(aws_nat_gateway.nat.*.subnet_id, aws_nat_gateway.nat.*.id)}" + value = zipmap(aws_nat_gateway.nat.*.subnet_id, aws_nat_gateway.nat.*.id) description = "Map containing the NAT gateway IDs and the public subnet ID where each one is located" } output "nat_gateway_elastic_ips_list" { - value = "${aws_eip.nat.*.public_ip}" + value = aws_eip.nat.*.public_ip description = "List containing the public IPs associated with the NAT gateways" } diff --git a/terraform/modules/aws/network/private_subnet/README.md b/terraform/modules/aws/network/private_subnet/README.md index d18f2c120..0983c30b2 100644 --- a/terraform/modules/aws/network/private_subnet/README.md +++ b/terraform/modules/aws/network/private_subnet/README.md 
@@ -62,11 +62,11 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [default\_tags](#input\_default\_tags) | Additional resource tags | `map` | `{}` | no | +| [default\_tags](#input\_default\_tags) | Additional resource tags | `map(string)` | `{}` | no | | [s3\_gateway\_id](#input\_s3\_gateway\_id) | The ID of the AWS VPC Endpoint to use to communicate with S3 | `string` | n/a | yes | -| [subnet\_availability\_zones](#input\_subnet\_availability\_zones) | A map of which AZs the subnets should be created in. | `map` | n/a | yes | -| [subnet\_cidrs](#input\_subnet\_cidrs) | A map of the CIDRs for the subnets being created. | `map` | n/a | yes | -| [subnet\_nat\_gateways](#input\_subnet\_nat\_gateways) | A map containing the NAT gateway IDs for the subnets being created. | `map` | `{}` | no | +| [subnet\_availability\_zones](#input\_subnet\_availability\_zones) | A map of which AZs the subnets should be created in. | `map(string)` | n/a | yes | +| [subnet\_cidrs](#input\_subnet\_cidrs) | A map of the CIDRs for the subnets being created. | `map(string)` | n/a | yes | +| [subnet\_nat\_gateways](#input\_subnet\_nat\_gateways) | A map containing the NAT gateway IDs for the subnets being created. | `map(string)` | `{}` | no | | [subnet\_nat\_gateways\_length](#input\_subnet\_nat\_gateways\_length) | Provide the number of elements in the map subnet\_nat\_gateways. | `string` | `"0"` | no | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the private subnet is created. | `string` | n/a | yes | diff --git a/terraform/modules/aws/network/private_subnet/main.tf b/terraform/modules/aws/network/private_subnet/main.tf index bb7084bce..28073da8f 100644 --- a/terraform/modules/aws/network/private_subnet/main.tf +++ b/terraform/modules/aws/network/private_subnet/main.tf 
@@ -37,39 +37,39 @@ */ variable "default_tags" { - type = "map" + type = map(string) description = "Additional resource tags" default = {} } variable "vpc_id" { - type = "string" + type = string description = "The ID of the VPC in which the private subnet is created." } variable "subnet_cidrs" { - type = "map" + type = map(string) description = "A map of the CIDRs for the subnets being created." } variable "subnet_availability_zones" { - type = "map" + type = map(string) description = "A map of which AZs the subnets should be created in." } variable "s3_gateway_id" { - type = "string" + type = string description = "The ID of the AWS VPC Endpoint to use to communicate with S3" } variable "subnet_nat_gateways" { - type = "map" + type = map(string) description = "A map containing the NAT gateway IDs for the subnets being created." default = {} } variable "subnet_nat_gateways_length" { - type = "string" + type = string description = "Provide the number of elements in the map subnet_nat_gateways." default = "0" } @@ -78,12 +78,12 @@ variable "subnet_nat_gateways_length" { #-------------------------------------------------------------- resource "aws_subnet" "private" { - count = "${length(keys(var.subnet_cidrs))}" - vpc_id = "${var.vpc_id}" - cidr_block = "${element(values(var.subnet_cidrs), count.index)}" - availability_zone = "${lookup(var.subnet_availability_zones, element(keys(var.subnet_cidrs), count.index))}" + count = length(keys(var.subnet_cidrs)) + vpc_id = var.vpc_id + cidr_block = element(values(var.subnet_cidrs), count.index) + availability_zone = lookup(var.subnet_availability_zones, element(keys(var.subnet_cidrs), count.index)) - tags = "${merge(var.default_tags, map("Name", element(keys(var.subnet_cidrs), count.index)))}" + tags = merge(var.default_tags, map("Name", element(keys(var.subnet_cidrs), count.index))) lifecycle { create_before_destroy = true 
@@ -93,10 +93,10 @@ resource "aws_subnet" "private" { } resource "aws_route_table" "private" { - count = "${length(keys(var.subnet_cidrs))}" - vpc_id = "${var.vpc_id}" + count = length(keys(var.subnet_cidrs)) + vpc_id = var.vpc_id - tags = "${merge(var.default_tags, map("Name", element(keys(var.subnet_cidrs), count.index)))}" + tags = merge(var.default_tags, map("Name", element(keys(var.subnet_cidrs), count.index))) lifecycle { create_before_destroy = true 
@@ -104,43 +104,43 @@ resource "aws_route_table" "private" { } resource "aws_route_table_association" "private" { - count = "${length(keys(var.subnet_cidrs))}" - subnet_id = "${element(aws_subnet.private.*.id, count.index)}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + count = length(keys(var.subnet_cidrs)) + subnet_id = element(aws_subnet.private.*.id, count.index) + route_table_id = element(aws_route_table.private.*.id, count.index) } resource "aws_route" "nat" { - count = "${var.subnet_nat_gateways_length}" - route_table_id = "${lookup(zipmap(aws_route_table.private.*.tags.Name, aws_route_table.private.*.id), element(keys(var.subnet_nat_gateways), count.index))}" + count = var.subnet_nat_gateways_length + route_table_id = lookup(zipmap(aws_route_table.private.*.tags.Name, aws_route_table.private.*.id), element(keys(var.subnet_nat_gateways), count.index)) destination_cidr_block = "0.0.0.0/0" - nat_gateway_id = "${element(values(var.subnet_nat_gateways), count.index)}" + nat_gateway_id = element(values(var.subnet_nat_gateways), count.index) } resource "aws_vpc_endpoint_route_table_association" "private_s3" { - count = "${length(keys(var.subnet_cidrs))}" - vpc_endpoint_id = "${var.s3_gateway_id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + count = length(keys(var.subnet_cidrs)) + vpc_endpoint_id = var.s3_gateway_id + route_table_id = element(aws_route_table.private.*.id, count.index) } # Outputs #-------------------------------------------------------------- output "subnet_ids" { - value = "${aws_subnet.private.*.id}" + value = aws_subnet.private.*.id description = "List of private subnet IDs" } output "subnet_names_ids_map" { - value = "${zipmap(aws_subnet.private.*.tags.Name, aws_subnet.private.*.id)}" + value = zipmap(aws_subnet.private.*.tags.Name, aws_subnet.private.*.id) description = "Map containing the name of each subnet created and ID associated" } output "subnet_route_table_ids" { - value = 
"${aws_route_table.private.*.id}" + value = aws_route_table.private.*.id description = "List of route_table IDs" } output "subnet_names_route_tables_map" { - value = "${zipmap(aws_route_table.private.*.tags.Name, aws_route_table.private.*.id)}" + value = zipmap(aws_route_table.private.*.tags.Name, aws_route_table.private.*.id) description = "Map containing the name of each subnet and route_table ID associated" } diff --git a/terraform/modules/aws/network/public_subnet/README.md b/terraform/modules/aws/network/public_subnet/README.md index 8d2b6d733..0f4622710 100644 --- a/terraform/modules/aws/network/public_subnet/README.md +++ b/terraform/modules/aws/network/public_subnet/README.md @@ -47,10 +47,10 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [default\_tags](#input\_default\_tags) | Additional resource tags | `map` | `{}` | no | +| [default\_tags](#input\_default\_tags) | Additional resource tags | `map(string)` | `{}` | no | | [route\_table\_public\_id](#input\_route\_table\_public\_id) | The ID of the route table in the VPC | `string` | n/a | yes | -| [subnet\_availability\_zones](#input\_subnet\_availability\_zones) | A map of which AZs the subnets should be created in. | `map` | n/a | yes | -| [subnet\_cidrs](#input\_subnet\_cidrs) | A map of the CIDRs for the subnets being created. | `map` | n/a | yes | +| [subnet\_availability\_zones](#input\_subnet\_availability\_zones) | A map of which AZs the subnets should be created in. | `map(string)` | n/a | yes | +| [subnet\_cidrs](#input\_subnet\_cidrs) | A map of the CIDRs for the subnets being created. | `map(string)` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the public subnet is created. | `string` | n/a | yes | ## Outputs diff --git a/terraform/modules/aws/network/public_subnet/main.tf b/terraform/modules/aws/network/public_subnet/main.tf index 184cfd38b..cfc70225e 100644 
--- a/terraform/modules/aws/network/public_subnet/main.tf +++ b/terraform/modules/aws/network/public_subnet/main.tf @@ -25,28 +25,28 @@ */ variable "default_tags" { - type = "map" + type = map(string) description = "Additional resource tags" default = {} } variable "vpc_id" { - type = "string" + type = string description = "The ID of the VPC in which the public subnet is created." } variable "route_table_public_id" { - type = "string" + type = string description = "The ID of the route table in the VPC" } variable "subnet_cidrs" { - type = "map" + type = map(string) description = "A map of the CIDRs for the subnets being created." } variable "subnet_availability_zones" { - type = "map" + type = map(string) description = "A map of which AZs the subnets should be created in." } @@ -54,12 +54,12 @@ variable "subnet_availability_zones" { #-------------------------------------------------------------- resource "aws_subnet" "public" { - count = "${length(keys(var.subnet_cidrs))}" - vpc_id = "${var.vpc_id}" - cidr_block = "${element(values(var.subnet_cidrs), count.index)}" - availability_zone = "${lookup(var.subnet_availability_zones, element(keys(var.subnet_cidrs), count.index))}" + count = length(keys(var.subnet_cidrs)) + vpc_id = var.vpc_id + cidr_block = element(values(var.subnet_cidrs), count.index) + availability_zone = lookup(var.subnet_availability_zones, element(keys(var.subnet_cidrs), count.index)) - tags = "${merge(var.default_tags, map("Name", element(keys(var.subnet_cidrs), count.index)))}" + tags = merge(var.default_tags, map("Name", element(keys(var.subnet_cidrs), count.index))) lifecycle { create_before_destroy = true 
@@ -69,20 +69,20 @@ resource "aws_subnet" "public" { } resource "aws_route_table_association" "public" { - count = "${length(keys(var.subnet_cidrs))}" - subnet_id = "${element(aws_subnet.public.*.id, count.index)}" - route_table_id = "${var.route_table_public_id}" + count = length(keys(var.subnet_cidrs)) + subnet_id = element(aws_subnet.public.*.id, count.index) + route_table_id = var.route_table_public_id } # Outputs #-------------------------------------------------------------- output "subnet_ids" { - value = "${aws_subnet.public.*.id}" + value = aws_subnet.public.*.id description = "List containing the IDs of the created subnets." } output "subnet_names_ids_map" { - value = "${zipmap(aws_subnet.public.*.tags.Name, aws_subnet.public.*.id)}" + value = zipmap(aws_subnet.public.*.tags.Name, aws_subnet.public.*.id) description = "Map containing the pair name-id for each subnet created." } diff --git a/terraform/modules/aws/network/vpc/README.md b/terraform/modules/aws/network/vpc/README.md index 43e665b45..b0c964f1c 100644 --- a/terraform/modules/aws/network/vpc/README.md +++ b/terraform/modules/aws/network/vpc/README.md @@ -31,7 +31,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cidr](#input\_cidr) | The cidr block of the desired VPC | `string` | n/a | yes | -| [default\_tags](#input\_default\_tags) | Additional resource tags | `map` | `{}` | no | +| [default\_tags](#input\_default\_tags) | Additional resource tags | `map(string)` | `{}` | no | | [name](#input\_name) | A name tag for the VPC | `string` | n/a | yes | ## Outputs diff --git a/terraform/modules/aws/network/vpc/main.tf b/terraform/modules/aws/network/vpc/main.tf index 8764710b0..4dac64141 100644 --- a/terraform/modules/aws/network/vpc/main.tf +++ b/terraform/modules/aws/network/vpc/main.tf 
@@ -4,18 +4,18 @@ * This module creates a VPC, Internet Gateway and route associated */ variable "default_tags" { - type = "map" + type = map(string) description = "Additional resource tags" default = {} } variable "name" { - type = "string" + type = string description = "A name tag for the VPC" } variable "cidr" { - type = "string" + type = string description = "The cidr block of the desired VPC" } @@ -25,11 +25,11 @@ variable "cidr" { data "aws_region" "current" {} resource "aws_vpc" "vpc" { - cidr_block = "${var.cidr}" + cidr_block = var.cidr enable_dns_support = true enable_dns_hostnames = true - tags = "${merge(var.default_tags, map("Name", var.name))}" + tags = merge(var.default_tags, map("Name", var.name)) lifecycle { create_before_destroy = true @@ -37,24 +37,24 @@ resource "aws_vpc" "vpc" { } resource "aws_internet_gateway" "public" { - vpc_id = "${aws_vpc.vpc.id}" + vpc_id = aws_vpc.vpc.id - tags = "${merge(var.default_tags, map("Name", var.name))}" + tags = merge(var.default_tags, map("Name", var.name)) } resource "aws_route_table" "public" { - vpc_id = "${aws_vpc.vpc.id}" + vpc_id = aws_vpc.vpc.id route { cidr_block = "0.0.0.0/0" - gateway_id = "${aws_internet_gateway.public.id}" + gateway_id = aws_internet_gateway.public.id } - tags = "${merge(var.default_tags, map("Name", var.name))}" + tags = merge(var.default_tags, map("Name", var.name)) } resource "aws_vpc_endpoint" "s3" { - vpc_id = "${aws_vpc.vpc.id}" + vpc_id = aws_vpc.vpc.id service_name = "com.amazonaws.${data.aws_region.current.name}.s3" } 
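Review bot: `aws_vpc_endpoint.s3` in the last hunk on this line has no `route_table_ids` and no `policy`, so within this module nothing routes to the gateway endpoint and S3 traffic from the public route table would still leave through the internet gateway unless an `aws_vpc_endpoint_route_table_association` is created in another module (not visible here). If that association is intentionally owned elsewhere, a comment above the resource such as `# route table associations for this endpoint are created in <owning module>` would save the next reader from auditing it. If it is not, `route_table_ids = [aws_route_table.public.id]` is the one-line fix, and a restrictive `policy` is worth considering at the same time.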
@@ -62,26 +62,26 @@ resource "aws_vpc_endpoint" "s3" { #-------------------------------------------------------------- output "vpc_id" { - value = "${aws_vpc.vpc.id}" + value = aws_vpc.vpc.id description = "The ID of the VPC." } output "vpc_cidr" { - value = "${aws_vpc.vpc.cidr_block}" + value = aws_vpc.vpc.cidr_block description = "The CIDR block of the VPC." } output "internet_gateway_id" { - value = "${aws_internet_gateway.public.id}" + value = aws_internet_gateway.public.id description = "The ID of the Internet Gateway." } output "s3_gateway_id" { - value = "${aws_vpc_endpoint.s3.id}" + value = aws_vpc_endpoint.s3.id description = "The ID of the VPC gateway to use with S3" } output "route_table_public_id" { - value = "${aws_route_table.public.id}" + value = aws_route_table.public.id description = "The ID of the public routing table associated with the Internet Gateway." } diff --git a/terraform/modules/aws/node_group/README.md b/terraform/modules/aws/node_group/README.md index 7a7693e22..54fc535f4 100644 --- a/terraform/modules/aws/node_group/README.md +++ b/terraform/modules/aws/node_group/README.md @@ -59,23 +59,23 @@ No modules. | [asg\_max\_size](#input\_asg\_max\_size) | The autoscaling groups max\_size | `string` | `"1"` | no | | [asg\_min\_size](#input\_asg\_min\_size) | The autoscaling groups max\_size | `string` | `"1"` | no | | [asg\_notification\_topic\_arn](#input\_asg\_notification\_topic\_arn) | The Topic ARN for Autoscaling Group notifications to be sent to | `string` | `""` | no | -| [asg\_notification\_types](#input\_asg\_notification\_types) | A list of Notification Types that trigger Autoscaling Group notifications. Acceptable values are documented in https://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_NotificationConfiguration.html | `list` |
[
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR"
]
| no | +| [asg\_notification\_types](#input\_asg\_notification\_types) | A list of Notification Types that trigger Autoscaling Group notifications. Acceptable values are documented in https://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_NotificationConfiguration.html | `list(string)` |
[
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR"
]
| no | | [create\_asg\_notifications](#input\_create\_asg\_notifications) | Enable Autoscaling Group notifications | `string` | `true` | no | | [create\_instance\_key](#input\_create\_instance\_key) | Whether to create a key pair for the instance launch configuration | `bool` | `false` | no | -| [default\_tags](#input\_default\_tags) | Additional resource tags | `map` | `{}` | no | +| [default\_tags](#input\_default\_tags) | Additional resource tags | `map(string)` | `{}` | no | | [ebs\_device\_name](#input\_ebs\_device\_name) | Name of the block device to mount on the instance, e.g. xvdf | `string` | `"xvdf"` | no | | [ebs\_device\_volume\_size](#input\_ebs\_device\_volume\_size) | Size of additional ebs volume in GB | `string` | `"20"` | no | | [ebs\_encrypted](#input\_ebs\_encrypted) | Whether or not to encrypt the ebs volume | `string` | `"false"` | no | | [instance\_additional\_user\_data](#input\_instance\_additional\_user\_data) | Append additional user-data script | `string` | `""` | no | | [instance\_ami\_filter\_name](#input\_instance\_ami\_filter\_name) | Name to use to find AMI images for the instance | `string` | `"ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"` | no | | [instance\_default\_policy](#input\_instance\_default\_policy) | Name of the JSON file containing the default IAM role policy for the instance | `string` | `"default_policy.json"` | no | -| [instance\_elb\_ids](#input\_instance\_elb\_ids) | A list of the ELB IDs to attach this ASG to | `list` | `[]` | no | +| [instance\_elb\_ids](#input\_instance\_elb\_ids) | A list of the ELB IDs to attach this ASG to | `list(string)` | `[]` | no | | [instance\_elb\_ids\_length](#input\_instance\_elb\_ids\_length) | Length of instance\_elb\_ids | `string` | `0` | no | | [instance\_key\_name](#input\_instance\_key\_name) | Name of the instance key | `string` | `"govuk-infra"` | no | | [instance\_public\_key](#input\_instance\_public\_key) | The jumpbox default public key material | `string` 
| `""` | no | -| [instance\_security\_group\_ids](#input\_instance\_security\_group\_ids) | List of security group ids to attach to the ASG | `list` | n/a | yes | -| [instance\_subnet\_ids](#input\_instance\_subnet\_ids) | List of subnet ids where the instance can be deployed | `list` | n/a | yes | -| [instance\_target\_group\_arns](#input\_instance\_target\_group\_arns) | The ARN of the target group with which to register targets. | `list` | `[]` | no | +| [instance\_security\_group\_ids](#input\_instance\_security\_group\_ids) | List of security group ids to attach to the ASG | `list(string)` | n/a | yes | +| [instance\_subnet\_ids](#input\_instance\_subnet\_ids) | List of subnet ids where the instance can be deployed | `list(string)` | n/a | yes | +| [instance\_target\_group\_arns](#input\_instance\_target\_group\_arns) | The ARN of the target group with which to register targets. | `list(string)` | `[]` | no | | [instance\_target\_group\_arns\_length](#input\_instance\_target\_group\_arns\_length) | Length of instance\_target\_group\_arns | `string` | `0` | no | | [instance\_type](#input\_instance\_type) | Instance type | `string` | `"t2.micro"` | no | | [instance\_user\_data](#input\_instance\_user\_data) | User\_data provisioning script (default user\_data.sh in module directory) | `string` | `"user_data.sh"` | no | diff --git a/terraform/modules/aws/node_group/main.tf b/terraform/modules/aws/node_group/main.tf index 12b581afd..28443b4c9 100644 --- a/terraform/modules/aws/node_group/main.tf +++ b/terraform/modules/aws/node_group/main.tf 
@@ -18,34 +18,34 @@ * to use with Application Load Balancers with the `instance_target_group_arns` variable. */ variable "name" { - type = "string" + type = string description = "Jumpbox resources name. Only alphanumeric characters and hyphens allowed" } variable "default_tags" { - type = "map" + type = map(string) description = "Additional resource tags" default = {} } variable "instance_subnet_ids" { - type = "list" + type = list(string) description = "List of subnet ids where the instance can be deployed" } variable "instance_security_group_ids" { - type = "list" + type = list(string) description = "List of security group ids to attach to the ASG" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images for the instance" default = "ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*" } variable "instance_type" { - type = "string" + type = string description = "Instance type" default = "t2.micro" } 
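Review bot: The `instance_ami_filter_name` default is retyped but still selects `ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*`, an Ubuntu release that left standard support in 2019, so any caller that does not override it launches an unpatched base image by default. Since this pass touches every variable anyway, it is a good moment to either drop the default and make the filter a required input, or move it to a supported release; until then a `# NOTE: default base image is end-of-life; callers are expected to override` comment above the variable makes the risk visible in the module itself.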
@@ -57,97 +57,97 @@ variable "create_instance_key" { } variable "instance_key_name" { - type = "string" + type = string description = "Name of the instance key" default = "govuk-infra" } variable "instance_public_key" { - type = "string" + type = string description = "The jumpbox default public key material" default = "" } variable "instance_user_data" { - type = "string" + type = string description = "User_data provisioning script (default user_data.sh in module directory)" default = "user_data.sh" } variable "instance_additional_user_data" { - type = "string" + type = string description = "Append additional user-data script" default = "" } variable "instance_default_policy" { - type = "string" + type = string description = "Name of the JSON file containing the default IAM role policy for the instance" default = "default_policy.json" } variable "instance_elb_ids" { - type = "list" + type = list(string) description = "A list of the ELB IDs to attach this ASG to" default = [] } variable "instance_elb_ids_length" { - type = "string" + type = string description = "Length of instance_elb_ids" default = 0 } variable "instance_target_group_arns" { - type = "list" + type = list(string) description = "The ARN of the target group with which to register targets." 
default = [] } variable "instance_target_group_arns_length" { - type = "string" + type = string description = "Length of instance_target_group_arns" default = 0 } variable "asg_health_check_grace_period" { - type = "string" + type = string description = "The time to wait after creation before checking the status of the instance" default = "60" } variable "asg_desired_capacity" { - type = "string" + type = string description = "The autoscaling groups desired capacity" default = "1" } variable "asg_max_size" { - type = "string" + type = string description = "The autoscaling groups max_size" default = "1" } variable "asg_min_size" { - type = "string" + type = string description = "The autoscaling groups max_size" default = "1" } variable "root_block_device_volume_size" { - type = "string" + type = string description = "The size of the instance root volume in gigabytes" default = "20" } variable "create_asg_notifications" { - type = "string" + type = string description = "Enable Autoscaling Group notifications" default = true } variable "asg_notification_types" { - type = "list" + type = list(string) description = "A list of Notification Types that trigger Autoscaling Group notifications. Acceptable values are documented in https://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_NotificationConfiguration.html" default = [ 
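Review bot: The `asg_min_size` description reads `"The autoscaling groups max_size"`, a copy of the `asg_max_size` line just above it, and the typo is reproduced in the node_group README hunk earlier on this page; it should be `description = "The autoscaling groups min_size"`. Separately, `create_asg_notifications` keeps `type = string` with `default = true`: under the explicit string type the default becomes `"true"`, which cannot be converted to a number, so if this variable feeds a `count` expression (the resources are outside this hunk) the default configuration will fail to evaluate; `type = bool` with `count = var.create_asg_notifications ? 1 : 0` is the form that holds up. `instance_elb_ids_length` and `instance_target_group_arns_length` (`default = 0`) have the same string-for-number shape and would be accurate as `type = number`.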
@@ -158,37 +158,37 @@ variable "asg_notification_types" { } variable "asg_notification_topic_arn" { - type = "string" + type = string description = "The Topic ARN for Autoscaling Group notifications to be sent to" default = "" } variable "lc_create_ebs_volume" { - type = "string" + type = string description = "Creates a launch configuration which will add an additional ebs volume to the instance if this value is set to 1" default = "0" } variable "ebs_device_volume_size" { - type = "string" + type = string description = "Size of additional ebs volume in GB" default = "20" } variable "ebs_encrypted" { - type = "string" + type = string description = "Whether or not to encrypt the ebs volume" default = "false" } variable "ebs_device_name" { - type = "string" + type = string description = "Name of the block device to mount on the instance, e.g. xvdf" default = "xvdf" } locals { - launch_configuration_name = "${coalesce(join("", aws_launch_configuration.node_launch_configuration.*.name), join("", aws_launch_configuration.node_with_ebs_launch_configuration.*.name))}" + launch_configuration_name = coalesce(join("", aws_launch_configuration.node_launch_configuration.*.name), join("", aws_launch_configuration.node_with_ebs_launch_configuration.*.name)) } # Resources 
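Review bot: `ebs_encrypted` is retyped as `string` while keeping `default = "false"`, so the optional additional EBS volume stays unencrypted unless every caller opts in; the provider attribute is boolean, so `type = bool` is the accurate type, and from a data-protection standpoint `default = true` is the safer default once existing callers have been checked (flipping it is likely to force volume replacement, so it belongs in its own change). `lc_create_ebs_volume` (`default = "0"`, described as "set to 1") has the same string-for-number shape and would read more honestly as `type = number`, or as `bool` with the launch-configuration `count` rewritten as a `? 1 : 0` conditional.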
@@ -211,7 +211,7 @@ data "aws_ami" "node_ami_ubuntu" { } resource "aws_iam_role" "node_iam_role" { - name = "${var.name}" + name = var.name path = "/" assume_role_policy = < [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | Whether to copy the instance tags to the snapshot. | `string` | `"true"` | no | | [create\_rds\_notifications](#input\_create\_rds\_notifications) | Enable RDS events notifications | `string` | `true` | no | | [create\_replicate\_source\_db](#input\_create\_replicate\_source\_db) | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate | `string` | `"0"` | no | -| [default\_tags](#input\_default\_tags) | Additional resource tags | `map` | `{}` | no | +| [default\_tags](#input\_default\_tags) | Additional resource tags | `map(string)` | `{}` | no | | [engine\_name](#input\_engine\_name) | RDS engine (eg mysql, postgresql) | `string` | `""` | no | | [engine\_version](#input\_engine\_version) | Which version of MySQL to use (eg 5.5.46) | `string` | `""` | no | -| [event\_categories](#input\_event\_categories) | A list of event categories for a SourceType that you want to subscribe to. See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide//USER_Events.html | `list` |
[
"availability",
"deletion",
"failure",
"low storage"
]
| no | +| [event\_categories](#input\_event\_categories) | A list of event categories for a SourceType that you want to subscribe to. See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide//USER_Events.html | `list(string)` |
[
"availability",
"deletion",
"failure",
"low storage"
]
| no | | [event\_sns\_topic\_arn](#input\_event\_sns\_topic\_arn) | The SNS topic to send events to. | `string` | `""` | no | | [instance\_class](#input\_instance\_class) | The instance type of the RDS instance. | `string` | `"db.t1.micro"` | no | | [instance\_name](#input\_instance\_name) | The RDS Instance Name. | `string` | `""` | no | 
@@ -52,11 +52,11 @@ No modules. | [parameter\_group\_name](#input\_parameter\_group\_name) | Name of the parameter group to make the instance a member of. | `string` | `""` | no | | [password](#input\_password) | Password for accessing the database. | `string` | `""` | no | | [replicate\_source\_db](#input\_replicate\_source\_db) | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate | `string` | `"false"` | no | -| [security\_group\_ids](#input\_security\_group\_ids) | Security group IDs to apply to this cluster | `list` | n/a | yes | +| [security\_group\_ids](#input\_security\_group\_ids) | Security group IDs to apply to this cluster | `list(string)` | n/a | yes | | [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Set to true to NOT create a final snapshot when the cluster is deleted. | `string` | `"false"` | no | | [snapshot\_identifier](#input\_snapshot\_identifier) | Specifies whether or not to create this database from a snapshot. | `string` | `""` | no | | [storage\_type](#input\_storage\_type) | One of standard (magnetic), gp2 (general purpose SSD), or io1 (provisioned IOPS SSD). The default is gp2 | `string` | `"gp2"` | no | -| [subnet\_ids](#input\_subnet\_ids) | Subnet IDs to assign to the aws\_elasticache\_subnet\_group | `list` | `[]` | no | +| [subnet\_ids](#input\_subnet\_ids) | Subnet IDs to assign to the aws\_elasticache\_subnet\_group | `list(string)` | `[]` | no | | [terraform\_create\_rds\_timeout](#input\_terraform\_create\_rds\_timeout) | Set the timeout time for AWS RDS creation. | `string` | `"2h"` | no | | [terraform\_delete\_rds\_timeout](#input\_terraform\_delete\_rds\_timeout) | Set the timeout time for AWS RDS deletion. | `string` | `"2h"` | no | | [terraform\_update\_rds\_timeout](#input\_terraform\_update\_rds\_timeout) | Set the timeout time for AWS RDS modification. | `string` | `"2h"` | no | 
diff --git a/terraform/modules/aws/rds_instance/main.tf b/terraform/modules/aws/rds_instance/main.tf index 49c52adf5..d0d666c1d 100644 --- a/terraform/modules/aws/rds_instance/main.tf +++ b/terraform/modules/aws/rds_instance/main.tf 
@@ -4,137 +4,137 @@ * Create an RDS instance */ variable "name" { - type = "string" + type = string description = "The common name for all the resources created by this module" } variable "engine_name" { - type = "string" + type = string description = "RDS engine (eg mysql, postgresql)" default = "" } variable "engine_version" { - type = "string" + type = string description = "Which version of MySQL to use (eg 5.5.46)" default = "" } variable "default_tags" { - type = "map" + type = map(string) description = "Additional resource tags" default = {} } variable "subnet_ids" { - type = "list" + type = list(string) description = "Subnet IDs to assign to the aws_elasticache_subnet_group" default = [] } variable "username" { - type = "string" + type = string description = "User to create on the database" default = "" } variable "password" { - type = "string" + type = string description = "Password for accessing the database." default = "" } variable "allocated_storage" { - type = "string" + type = string description = "The allocated storage in gigabytes." default = "10" } variable "max_allocated_storage" { - type = "string" + type = string description = "current maximum storage in GB that AWS can autoscale the RDS storage to, 0 means disabled autoscaling" default = "100" } variable "storage_type" { - type = "string" + type = string description = "One of standard (magnetic), gp2 (general purpose SSD), or io1 (provisioned IOPS SSD). The default is gp2" default = "gp2" } variable "instance_class" { - type = "string" + type = string description = "The instance type of the RDS instance." default = "db.t1.micro" } variable "instance_name" { - type = "string" + type = string description = "The RDS Instance Name." 
default = "" } variable "security_group_ids" { - type = "list" + type = list(string) description = "Security group IDs to apply to this cluster" } variable "multi_az" { - type = "string" + type = string description = "Specifies if the RDS instance is multi-AZ" default = true } variable "create_replicate_source_db" { - type = "string" + type = string description = "Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate" default = "0" } variable "replicate_source_db" { - type = "string" + type = string description = "Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate" default = "false" } variable "parameter_group_name" { - type = "string" + type = string description = "Name of the parameter group to make the instance a member of." default = "" } variable "skip_final_snapshot" { - type = "string" + type = string description = "Set to true to NOT create a final snapshot when the cluster is deleted." default = "false" } variable "maintenance_window" { - type = "string" + type = string description = "The window to perform maintenance in." default = "Mon:04:00-Mon:06:00" } variable "backup_retention_period" { - type = "string" + type = string description = "The days to retain backups for." default = "7" } variable "backup_window" { - type = "string" + type = string description = "The daily time range during which automated backups are created if automated backups are enabled." default = "01:00-03:00" } variable "create_rds_notifications" { - type = "string" + type = string description = "Enable RDS events notifications" default = true } variable "event_categories" { - type = "list" + type = list(string) description = "A list of event categories for a SourceType that you want to subscribe to. 
See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide//USER_Events.html" default = [ @@ -146,49 +146,49 @@ variable "event_categories" { } variable "event_sns_topic_arn" { - type = "string" + type = string description = "The SNS topic to send events to." default = "" } variable "copy_tags_to_snapshot" { - type = "string" + type = string description = "Whether to copy the instance tags to the snapshot." default = "true" } variable "snapshot_identifier" { - type = "string" + type = string description = "Specifies whether or not to create this database from a snapshot." default = "" } variable "terraform_create_rds_timeout" { - type = "string" + type = string description = "Set the timeout time for AWS RDS creation." default = "2h" } variable "terraform_update_rds_timeout" { - type = "string" + type = string description = "Set the timeout time for AWS RDS modification." default = "2h" } variable "terraform_delete_rds_timeout" { - type = "string" + type = string description = "Set the timeout time for AWS RDS deletion." default = "2h" } variable "monitoring_interval" { - type = "string" + type = string description = "Collection interval in seconds for Enhanced Monitoring metrics. Default is 0, which disables Enhanced Monitoring. Valid values are 0, 1, 5, 10, 15, 30, 60." default = "0" } variable "monitoring_role_arn" { - type = "string" + type = string description = "ARN of the IAM role which lets RDS send Enhanced Monitoring logs to CloudWatch. Must be specified if monitoring_interval is non-zero." default = "" } 
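Review bot: `create_rds_notifications` keeps `type = string` with `default = true`, and `create_replicate_source_db` keeps `type = string` with `default = "0"`, yet both feed arithmetic `count` expressions in the later hunks of this file (`(1 - var.create_replicate_source_db) * var.create_rds_notifications`); with the explicit string type the `true` default is stored as `"true"`, which the `*` operator cannot convert to a number, so the module's default configuration should fail to plan. Declaring `create_rds_notifications` as `type = bool` and `create_replicate_source_db` as `type = number` (or `bool`, with the counts rewritten as `? 1 : 0` conditionals) matches how the values are actually used. `multi_az` has the same `string`/`default = true` pairing and only works because the provider coerces the string. `password` is declared here as a plain string; on Terraform 0.14 or later it should carry `sensitive = true` so it is redacted from plan and apply output.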
@@ -197,80 +197,80 @@ variable "monitoring_role_arn" { # -------------------------------------------------------------- resource "aws_db_subnet_group" "subnet_group" { - count = "${1 - var.create_replicate_source_db}" - name = "${var.name}" + count = 1 - var.create_replicate_source_db + name = var.name subnet_ids = var.subnet_ids - tags = "${merge(var.default_tags, map("Name", var.name))}" + tags = merge(var.default_tags, map("Name", var.name)) } resource "aws_db_instance" "db_instance_replica" { # the 'name' parameter is not set as that creates a default database # of that name in the instance. Which we don't want. - count = "${var.create_replicate_source_db}" + count = var.create_replicate_source_db - instance_class = "${var.instance_class}" - identifier = "${var.instance_name}" - storage_type = "${var.storage_type}" - allocated_storage = "${var.allocated_storage}" - max_allocated_storage = "${var.max_allocated_storage}" + instance_class = var.instance_class + identifier = var.instance_name + storage_type = var.storage_type + allocated_storage = var.allocated_storage + max_allocated_storage = var.max_allocated_storage vpc_security_group_ids = var.security_group_ids - replicate_source_db = "${var.replicate_source_db}" - parameter_group_name = "${var.parameter_group_name}" - monitoring_interval = "${var.monitoring_interval}" - monitoring_role_arn = "${var.monitoring_role_arn}" + replicate_source_db = var.replicate_source_db + parameter_group_name = var.parameter_group_name + monitoring_interval = var.monitoring_interval + monitoring_role_arn = var.monitoring_role_arn timeouts { - create = "${var.terraform_create_rds_timeout}" - delete = "${var.terraform_delete_rds_timeout}" - update = "${var.terraform_update_rds_timeout}" + create = var.terraform_create_rds_timeout + delete = var.terraform_delete_rds_timeout + update = var.terraform_update_rds_timeout } - tags = "${merge(var.default_tags, map("Name", var.name))}" + tags = merge(var.default_tags, map("Name", 
var.name)) } resource "aws_db_instance" "db_instance" { # the 'name' parameter is not set as that creates a default database # of that name in the instance. Which we don't want. - count = "${1 - var.create_replicate_source_db}" - - engine = "${var.engine_name}" - engine_version = "${var.engine_version}" - username = "${var.username}" - password = "${var.password}" - allocated_storage = "${var.allocated_storage}" - max_allocated_storage = "${var.max_allocated_storage}" - instance_class = "${var.instance_class}" - identifier = "${var.instance_name}" - storage_type = "${var.storage_type}" - db_subnet_group_name = "${aws_db_subnet_group.subnet_group.name}" + count = 1 - var.create_replicate_source_db + + engine = var.engine_name + engine_version = var.engine_version + username = var.username + password = var.password + allocated_storage = var.allocated_storage + max_allocated_storage = var.max_allocated_storage + instance_class = var.instance_class + identifier = var.instance_name + storage_type = var.storage_type + db_subnet_group_name = aws_db_subnet_group.subnet_group.name vpc_security_group_ids = ["${var.security_group_ids}"] - multi_az = "${var.multi_az}" - parameter_group_name = "${var.parameter_group_name}" - maintenance_window = "${var.maintenance_window}" - backup_retention_period = "${var.backup_retention_period}" - backup_window = "${var.backup_window}" - copy_tags_to_snapshot = "${var.copy_tags_to_snapshot}" - snapshot_identifier = "${var.snapshot_identifier}" - monitoring_interval = "${var.monitoring_interval}" - monitoring_role_arn = "${var.monitoring_role_arn}" + multi_az = var.multi_az + parameter_group_name = var.parameter_group_name + maintenance_window = var.maintenance_window + backup_retention_period = var.backup_retention_period + backup_window = var.backup_window + copy_tags_to_snapshot = var.copy_tags_to_snapshot + snapshot_identifier = var.snapshot_identifier + monitoring_interval = var.monitoring_interval + monitoring_role_arn = 
var.monitoring_role_arn timeouts { - create = "${var.terraform_create_rds_timeout}" - delete = "${var.terraform_delete_rds_timeout}" - update = "${var.terraform_update_rds_timeout}" + create = var.terraform_create_rds_timeout + delete = var.terraform_delete_rds_timeout + update = var.terraform_update_rds_timeout } final_snapshot_identifier = "${var.name}-final-snapshot" - skip_final_snapshot = "${var.skip_final_snapshot}" + skip_final_snapshot = var.skip_final_snapshot - tags = "${merge(var.default_tags, map("Name", var.name))}" + tags = merge(var.default_tags, map("Name", var.name)) } resource "aws_db_event_subscription" "event_subscription" { - count = "${(1 - var.create_replicate_source_db) * var.create_rds_notifications}" + count = (1 - var.create_replicate_source_db) * var.create_rds_notifications name = "${var.name}-event-subscription" - sns_topic = "${var.event_sns_topic_arn}" + sns_topic = var.event_sns_topic_arn source_type = "db-instance" source_ids = ["${aws_db_instance.db_instance.id}"] @@ -278,9 +278,9 @@ resource "aws_db_event_subscription" "event_subscription" { } resource "aws_db_event_subscription" "event_subscription_replica" { - count = "${var.create_replicate_source_db * var.create_rds_notifications}" + count = var.create_replicate_source_db * var.create_rds_notifications name = "${var.name}-event-subscription" - sns_topic = "${var.event_sns_topic_arn}" + sns_topic = var.event_sns_topic_arn source_type = "db-instance" source_ids = ["${aws_db_instance.db_instance_replica.id}"] 
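Review bot: `aws_db_instance.db_instance` and both event subscriptions reference counted resources without an instance index: `db_subnet_group_name = aws_db_subnet_group.subnet_group.name` (the subnet group has `count`), `source_ids = ["${aws_db_instance.db_instance.id}"]` and, in the `@@ -278` hunk on this line, `source_ids = ["${aws_db_instance.db_instance_replica.id}"]`; in 0.12 syntax these are errors because attributes of a counted resource must be read on a specific instance, so the conversion needs `aws_db_subnet_group.subnet_group[0].name`, `source_ids = [aws_db_instance.db_instance[0].id]` and the replica equivalent. In the same resource `vpc_security_group_ids = ["${var.security_group_ids}"]` wraps the `list(string)` variable inside another list, which 0.12 no longer flattens, so the security groups would not be applied as intended; the replica resource already uses the plain `vpc_security_group_ids = var.security_group_ids` and the primary should match it.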
@@ -302,33 +302,33 @@ resource "aws_db_event_subscription" "event_subscription_replica" { # output "rds_instance_id" { - value = "${join("", aws_db_instance.db_instance.*.id)}" + value = join("", aws_db_instance.db_instance.*.id) } output "rds_replica_id" { - value = "${join("", aws_db_instance.db_instance_replica.*.id)}" + value = join("", aws_db_instance.db_instance_replica.*.id) } output "rds_instance_resource_id" { - value = "${join("", aws_db_instance.db_instance.*.resource_id)}" + value = join("", aws_db_instance.db_instance.*.resource_id) } output "rds_replica_resource_id" { - value = "${join("", aws_db_instance.db_instance_replica.*.resource_id)}" + value = join("", aws_db_instance.db_instance_replica.*.resource_id) } output "rds_instance_endpoint" { - value = "${join("", aws_db_instance.db_instance.*.endpoint)}" + value = join("", aws_db_instance.db_instance.*.endpoint) } output "rds_replica_endpoint" { - value = "${join("", aws_db_instance.db_instance_replica.*.endpoint)}" + value = join("", aws_db_instance.db_instance_replica.*.endpoint) } output "rds_instance_address" { - value = "${join("", aws_db_instance.db_instance.*.address)}" + value = join("", aws_db_instance.db_instance.*.address) } output "rds_replica_address" { - value = "${join("", aws_db_instance.db_instance_replica.*.address)}" + value = join("", aws_db_instance.db_instance_replica.*.address) } diff --git a/terraform/projects/app-apt/README.md b/terraform/projects/app-apt/README.md index bf2a5968d..61ac01314 100644 --- a/terraform/projects/app-apt/README.md +++ b/terraform/projects/app-apt/README.md 
@@ -72,7 +72,7 @@ Apt node | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-apt/main.tf b/terraform/projects/app-apt/main.tf index 54ca405e8..5c9105f19 100644 --- a/terraform/projects/app-apt/main.tf +++ b/terraform/projects/app-apt/main.tf 
@@ -4,81 +4,81 @@ * Apt node */ variable "aws_environment" { - type = "string" + type = string description = "AWS environment" } variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "ebs_encrypted" { - type = "string" + type = string description = "Whether or not the EBS volume is encrypted" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "elb_internal_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "elb_external_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "elb_public_secondary_certname" { - type = "string" + type = string description = "The ACM secondary cert domain name to find the ARN of" default = "" } variable "apt_1_subnet" { - type = "string" + type = string description = "Name of the subnet to place the apt instance 1 and EBS volume" } variable "external_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains external records" } variable "external_domain_name" { - type = "string" + type = string description = "The domain name of the external DNS records, it could be different from the zone name" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t2.medium" } variable "ebs_volume_size" { - type = "string" + type = string description = "EBS 
volume size" default = "40" } @@ -91,17 +91,17 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "external" { - name = "${var.external_zone_name}" + name = var.external_zone_name private_zone = false } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } 
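Review bot: `ebs_encrypted` keeps `type = string` even though its only use further down this file is `encrypted = var.ebs_encrypted`, i.e. a boolean; since the variable types are being rewritten anyway, `type = bool` would make a mistyped value fail at validation rather than at apply, and `ebs_volume_size` could likewise become `number`. The same applies to `ebs_encrypted` (which defaults to the string `"true"`), `root_block_device_volume_size`, `data_block_device_volume_size` and `docker_block_device_volume_size` in the variables hunk (-4) of app-ci-agents/main.tf. A type change is visible to callers that pass quoted values in tfvars, so that is worth checking before doing it.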
@@ -120,28 +120,28 @@ module "apt_external_lb" { source = "../../modules/aws/lb" name = "${var.stackname}-apt-external" internal = false - vpc_id = "${data.terraform_remote_state.infra_vpc.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id access_logs_bucket_prefix = "elb/${var.stackname}-apt-external-elb" - listener_certificate_domain_name = "${var.elb_external_certname}" - listener_secondary_certificate_domain_name = "${var.elb_public_secondary_certname}" - listener_action = "${local.external_lb_map}" + listener_certificate_domain_name = var.elb_external_certname + listener_secondary_certificate_domain_name = var.elb_public_secondary_certname + listener_action = local.external_lb_map subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"] security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_apt_external_elb_id}"] alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] target_group_health_check_path = "/" target_group_health_check_matcher = "200-499" - default_tags = "${map("Project", var.stackname, "aws_migration", "apt", "aws_environment", var.aws_environment)}" + default_tags = map("Project", var.stackname, "aws_migration", "apt", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") } resource "aws_route53_record" "apt_external_service_record" { - zone_id = "${data.aws_route53_zone.external.zone_id}" + zone_id = data.aws_route53_zone.external.zone_id name = "apt.${var.external_domain_name}" type = "A" alias { - name = "${module.apt_external_lb.lb_dns_name}" - zone_id = "${module.apt_external_lb.lb_zone_id}" + name = module.apt_external_lb.lb_dns_name + zone_id 
= module.apt_external_lb.lb_zone_id evaluate_target_health = true } } 
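Review bot: `subnets`, `security_groups` and `alarm_actions` in the apt_external_lb call keep the 0.11 form `["${data.terraform_remote_state.…}"]` while every neighbouring argument in the hunk is rewritten to a bare expression; under 0.12 syntax a list-valued output such as `public_subnet_ids` cannot be placed inside a string template, so if this project is meant to parse under 0.12 (as app-backend-redis in this same commit does, with `.outputs.` references) the matching form is `subnets = data.terraform_remote_state.infra_networking.outputs.public_subnet_ids`. The same mixed form survives in the apt_internal_lb hunk (-150), the `instance_security_group_ids` / `instance_target_group_arns` lines of the `module "apt"` hunk (-193), and the corresponding lines of the ci-agent-1 and ci-agent-2 module hunks in app-ci-agents/main.tf. Separately, the expanded `default_tags` now repeats `Owner`, `Product` and `Environment` literally in every module call; a `locals { common_tags = { … } }` combined with `merge(local.common_tags, { aws_migration = "apt" })` would keep those values identical across the file and make a later change of the owner address a one-line edit.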
@@ -150,42 +150,42 @@ module "apt_internal_lb" { source = "../../modules/aws/lb" name = "${var.stackname}-apt-internal" internal = true - vpc_id = "${data.terraform_remote_state.infra_vpc.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id access_logs_bucket_prefix = "elb/${var.stackname}-apt-internal-elb" - listener_certificate_domain_name = "${var.elb_internal_certname}" + listener_certificate_domain_name = var.elb_internal_certname listener_secondary_certificate_domain_name = "" - listener_action = "${local.internal_lb_map}" + listener_action = local.internal_lb_map subnets = ["${data.terraform_remote_state.infra_networking.private_subnet_ids}"] security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_apt_internal_elb_id}"] alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] target_group_health_check_path = "/" target_group_health_check_matcher = "200-499" - default_tags = "${map("Project", var.stackname, "aws_migration", "apt", "aws_environment", var.aws_environment)}" + default_tags = map("Project", var.stackname, "aws_migration", "apt", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") } resource "aws_route53_record" "gemstash_internal_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "gemstash.${var.internal_domain_name}" type = "A" alias { - name = "${module.apt_internal_lb.lb_dns_name}" - zone_id = "${module.apt_internal_lb.lb_zone_id}" + name = module.apt_internal_lb.lb_dns_name + zone_id = module.apt_internal_lb.lb_zone_id evaluate_target_health = true } } # used to allow carrenza production to 
use this aws production gemstash resource "aws_route53_record" "gemstash_external_service_record" { - count = "${var.aws_environment == "production" ? 1 : 0}" - zone_id = "${data.aws_route53_zone.external.zone_id}" + count = var.aws_environment == "production" ? 1 : 0 + zone_id = data.aws_route53_zone.external.zone_id name = "gemstash.${var.external_domain_name}" type = "A" alias { - name = "${module.apt_external_lb.lb_dns_name}" - zone_id = "${module.apt_external_lb.lb_zone_id}" + name = module.apt_external_lb.lb_dns_name + zone_id = module.apt_external_lb.lb_zone_id evaluate_target_health = true } } 
@@ -193,55 +193,59 @@ resource "aws_route53_record" "gemstash_external_service_record" { module "apt" { source = "../../modules/aws/node_group" name = "${var.stackname}-apt" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "apt", "aws_hostname", "apt-1")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.apt_1_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "apt", "aws_hostname", "apt-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.apt_1_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_apt_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_target_group_arns = ["${concat(module.apt_internal_lb.target_group_arns, module.apt_external_lb.target_group_arns)}"] - instance_target_group_arns_length = "${length(distinct(values(local.external_lb_map))) + length(distinct(values(local.internal_lb_map)))}" - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + 
instance_target_group_arns_length = length(distinct(values(local.external_lb_map))) + length(distinct(values(local.internal_lb_map))) + instance_ami_filter_name = var.instance_ami_filter_name + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn root_block_device_volume_size = "20" } resource "aws_ebs_volume" "apt" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.apt_1_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.ebs_volume_size}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.apt_1_subnet) + encrypted = var.ebs_encrypted + size = var.ebs_volume_size type = "gp2" tags { Name = "${var.stackname}-apt" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" aws_hostname = "apt-1" aws_migration = "apt" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Apt Package Storage" } } resource "aws_iam_policy" "apt_1_iam_policy" { name = "${var.stackname}-apt-additional" path = "/" - policy = "${file("${path.module}/additional_policy.json")}" + policy = file("${path.module}/additional_policy.json") } resource "aws_iam_role_policy_attachment" "apt_1_iam_role_policy_attachment" { - role = "${module.apt.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.apt_1_iam_policy.arn}" + role = module.apt.instance_iam_role_name + policy_arn = aws_iam_policy.apt_1_iam_policy.arn } # Outputs # -------------------------------------------------------------- output "apt_external_service_dns_name" { - value = "${aws_route53_record.apt_external_service_record.fqdn}" + value = aws_route53_record.apt_external_service_record.fqdn description 
= "DNS name to access the Apt external service" } output "gemstash_internal_elb_dns_name" { - value = "${aws_route53_record.gemstash_internal_service_record.fqdn}" + value = aws_route53_record.gemstash_internal_service_record.fqdn description = "DNS name to access the Gemstash internal service" } diff --git a/terraform/projects/app-apt/remote_state.tf b/terraform/projects/app-apt/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-apt/remote_state.tf +++ b/terraform/projects/app-apt/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } 
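Review bot: The `aws_ebs_volume.apt` tags are still written as a nested block `tags { … }` while the values inside it are converted to bare expressions; under 0.12 `tags` on this resource is an argument, so the block would need to become `tags = { … }` for the rest of the rewrite to parse, and the same block form is kept on the ci-agent-1 data and docker volumes in the app-ci-agents/main.tf hunk (-193). The volume gains `System = "Apt Package Storage"`, but the `default_tags` of `module "apt"` and of the two lb module calls get no `System` entry, so the instances and load balancers of the same service end up tagged differently from their storage; if `System` is intended as a per-service tag, adding it to those `default_tags` maps keeps the ownership view consistent. Minor: `list(var.apt_1_subnet)` can be the literal `[var.apt_1_subnet]`, as `list()` is deprecated in 0.12.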
@@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
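Review bot: Each of the five `terraform_remote_state` hunks here (-54, -64, -74, -84, -94) converts `bucket` and `region` to bare expressions but leaves `config {` as a nested block; under 0.12 `config` is an argument of this data source, so it would need to be `config = { … }` in each of them, and in the infra_monitoring hunk (-104) that follows. The `key` lines are correct as they stand, since the `"${coalesce(…)}/…"` form is a genuine template rather than an interpolation-only wrapper.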
@@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-apt/user_data_snippets.tf b/terraform/projects/app-apt/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-apt/user_data_snippets.tf +++ b/terraform/projects/app-apt/user_data_snippets.tf @@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-asset-master/main.tf b/terraform/projects/app-asset-master/main.tf index fb6ddb235..f6a78ead8 100644 --- a/terraform/projects/app-asset-master/main.tf +++ b/terraform/projects/app-asset-master/main.tf @@ -26,6 +26,10 @@ resource "aws_efs_file_system" "assets-efs-fs" { "Project" = var.stackname "aws_environment" = var.aws_environment "aws_migration" = "asset_master" + "Environment" = "${var.aws_environment}" + "Product" = "GOVUK" + "Owner" = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + "System" = "Asset Manager File System" } } 
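Review bot: In the `null_resource.user_data` hunk the `snippet` trigger still wraps the token as `"${var.esm_trusty_token}"` while the rest of the line is converted; the bare `var.esm_trusty_token` matches the hunk. More importantly, `esm_trusty_token` is a credential and this expression writes it, already substituted into the snippet, into the resource's triggers and from there (via `instance_additional_user_data` in main.tf) into instance user data, so it is persisted in the state file and shown in plan output; if the Terraform version in use supports it, `sensitive = true` on the `esm_trusty_token` variable, with a short comment noting that the rendered user data is still stored in state, would at least keep it out of plan diffs. The `triggers {` block form has the same 0.12 argument-vs-block issue as the `tags {` and `config {` blocks elsewhere in this commit.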
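Review bot: The new `"Environment" = "${var.aws_environment}"` line in the assets-efs-fs tags of app-asset-master/main.tf uses the legacy interpolation wrapper while the `aws_environment` line just above it uses the bare `var.aws_environment`; writing it as `"Environment" = var.aws_environment` keeps the block uniform and avoids the interpolation-only-expression warning. The `System` value "Asset Manager File System" also follows a different naming pattern from the "CI Agent Storage" / "Apt Package Storage" values added in the other hunks of this commit, which matters if `System` is going to be used for cost allocation or ownership reports.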
diff --git a/terraform/projects/app-backend-redis/main.tf b/terraform/projects/app-backend-redis/main.tf index 28af462a9..f150e6013 100644 --- a/terraform/projects/app-backend-redis/main.tf +++ b/terraform/projects/app-backend-redis/main.tf @@ -72,12 +72,12 @@ provider "aws" { } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } resource "aws_route53_record" "service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "backend-redis.${var.internal_domain_name}" type = "CNAME" ttl = 300 
@@ -88,31 +88,31 @@ module "backend_redis_cluster" { source = "../../modules/aws/elasticache_redis_cluster" enable_clustering = var.enable_clustering name = "${var.stackname}-backend-redis" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "backend-redis")}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "backend-redis", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") subnet_ids = data.terraform_remote_state.infra_networking.outputs.private_subnet_elasticache_ids security_group_ids = [data.terraform_remote_state.infra_security_groups.outputs.sg_backend-redis_id] - elasticache_node_type = "${var.instance_type}" - elasticache_node_number = "${var.node_number}" - redis_engine_version = "${var.redis_engine_version}" - redis_parameter_group_name = "${var.redis_parameter_group_name}" + elasticache_node_type = var.instance_type + elasticache_node_number = var.node_number + redis_engine_version = var.redis_engine_version + redis_parameter_group_name = var.redis_parameter_group_name } module "alarms-elasticache-backend-redis" { source = "../../modules/aws/alarms/elasticache" name_prefix = "${var.stackname}-backend-redis" alarm_actions = [data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn] - cache_cluster_id = "${module.backend_redis_cluster.replication_group_id}" + cache_cluster_id = module.backend_redis_cluster.replication_group_id } # Outputs # -------------------------------------------------------------- output "backend_redis_configuration_endpoint_address" { - value = "${module.backend_redis_cluster.configuration_endpoint_address}" + value = module.backend_redis_cluster.configuration_endpoint_address description = "Backend VDC redis configuration endpoint address" } output 
"service_dns_name" { - value = "${aws_route53_record.service_record.fqdn}" + value = aws_route53_record.service_record.fqdn description = "DNS name to access the node service" } diff --git a/terraform/projects/app-backend-redis/remote_state.tf b/terraform/projects/app-backend-redis/remote_state.tf index 224120830..9663ef63f 100644 --- a/terraform/projects/app-backend-redis/remote_state.tf +++ b/terraform/projects/app-backend-redis/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } diff --git a/terraform/projects/app-ci-agents/README.md b/terraform/projects/app-ci-agents/README.md index eec2c059c..17f14b10f 100644 --- a/terraform/projects/app-ci-agents/README.md +++ b/terraform/projects/app-ci-agents/README.md 
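Review bot: `default_tags = map("Project", …)` in the backend_redis_cluster call uses the `map()` function, which is deprecated in 0.12 and removed in later Terraform releases; as this file is already on 0.12 syntax (`.outputs.` references, bare `var.` expressions), an object literal `default_tags = { Project = var.stackname, aws_stackname = var.stackname, … }` is the forward-compatible form and needs no function call at all. It would also make the duplicated `aws_environment`/`Environment` pair and the repeated Owner address easier to lift into a `locals` block shared by the whole project.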
@@ -92,7 +92,7 @@ CI agents | [esm\_trusty\_token](#input\_esm\_trusty\_token) | n/a | `string` | n/a | yes | | [instance\_ami\_filter\_name](#input\_instance\_ami\_filter\_name) | Name to use to find AMI images | `string` | `""` | no | | [instance\_type](#input\_instance\_type) | Instance type used for EC2 resources | `string` | `"m5.2xlarge"` | no | -| [internal\_app\_service\_records](#input\_internal\_app\_service\_records) | List of application service names that get traffic via this loadbalancer | `list` | `[]` | no | +| [internal\_app\_service\_records](#input\_internal\_app\_service\_records) | List of application service names that get traffic via this loadbalancer | `list(string)` | `[]` | no | | [internal\_domain\_name](#input\_internal\_domain\_name) | The domain name of the internal DNS records, it could be different from the zone name | `string` | n/a | yes | | [internal\_zone\_name](#input\_internal\_zone\_name) | The name of the Route53 zone that contains internal records | `string` | n/a | yes | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | @@ -104,7 +104,7 @@ CI agents | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [root\_block\_device\_volume\_size](#input\_root\_block\_device\_volume\_size) | size of the root volume in GB | `string` | `"50"` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-ci-agents/main.tf b/terraform/projects/app-ci-agents/main.tf index 403f9edda..d99c63619 100644 --- a/terraform/projects/app-ci-agents/main.tf 
+++ b/terraform/projects/app-ci-agents/main.tf 
@@ -4,110 +4,110 @@ * CI agents */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "elb_internal_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "internal_app_service_records" { - type = "list" + type = list(string) description = "List of application service names that get traffic via this loadbalancer" default = [] } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "m5.2xlarge" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "root_block_device_volume_size" { - type = "string" + type = string description = "size of the root volume in GB" default = "50" } variable "data_block_device_volume_size" { - type = "string" + type = string description = "Size of the data volume in GB" default = "130" } variable "docker_block_device_volume_size" { - type = "string" + type = string description = "Size of the Docker volume in GB" default = "130" } variable "ebs_volume_type" { - type = "string" + type = string description = "Volume type to use for data and Docker EBS volumes; see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html" default = "gp3" } variable "ebs_encrypted" { - type = "string" + type = string description = "whether or not the EBS volume is 
encrypted" default = "true" } variable "ci_agent_1_subnet" { - type = "string" + type = string description = "subnet to deploy EC2 and EBS of CI agent 1" default = "govuk_private_a" } variable "ci_agent_2_subnet" { - type = "string" + type = string description = "subnet to deploy EC2 and EBS of CI agent 2" default = "govuk_private_b" } variable "ci_agent_3_subnet" { - type = "string" + type = string description = "subnet to deploy EC2 and EBS of CI agent 3" default = "govuk_private_c" } variable "ci_agent_4_subnet" { - type = "string" + type = string description = "subnet to deploy EC2 and EBS of CI agent 4" default = "govuk_private_a" } variable "ci_agent_5_subnet" { - type = "string" + type = string description = "subnet to deploy EC2 and EBS of CI agent 5" default = "govuk_private_b" } @@ -120,24 +120,24 @@ terraform { } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_acm_certificate" "elb_cert" { - domain = "${var.elb_internal_certname}" + domain = var.elb_internal_certname statuses = ["ISSUED"] } resource "aws_iam_policy" "ci-agent_iam_policy" { name = "${var.stackname}-ci-agent-volume" path = "/" - policy = "${file("${path.module}/volume_policy.json")}" + policy = file("${path.module}/volume_policy.json") } /////////////////////ci-agent-1///////////////////////////////////////////////// @@ -149,7 +149,7 @@ resource "aws_elb" "ci-agent-1_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-ci-agent-1-internal-elb" interval = 60 } 
@@ -175,17 +175,17 @@ resource "aws_elb" "ci-agent-1_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-ci-agent-1", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent")}" + tags = map("Name", "${var.stackname}-ci-agent-1", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "CI agent") } resource "aws_route53_record" "ci-agent-1_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "ci-agent-1.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.ci-agent-1_elb.dns_name}" - zone_id = "${aws_elb.ci-agent-1_elb.zone_id}" + name = aws_elb.ci-agent-1_elb.dns_name + zone_id = aws_elb.ci-agent-1_elb.zone_id evaluate_target_health = true } } 
@@ -193,65 +193,73 @@ resource "aws_route53_record" "ci-agent-1_service_record" { module "ci-agent-1" { source = "../../modules/aws/node_group" name = "${var.stackname}-ci-agent-1" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-1")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_1_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_1_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_ci-agent-1_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "1" instance_elb_ids = ["${aws_elb.ci-agent-1_elb.id}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" + instance_ami_filter_name = var.instance_ami_filter_name asg_max_size = "1" asg_min_size = "1" asg_desired_capacity = "1" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" - root_block_device_volume_size = 
"${var.root_block_device_volume_size}" + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn + root_block_device_volume_size = var.root_block_device_volume_size } resource "aws_ebs_volume" "ci-agent-1-data" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_1_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.data_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_1_subnet) + encrypted = var.ebs_encrypted + size = var.data_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-1-data" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" aws_hostname = "ci-agent-1" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Storage" } } resource "aws_ebs_volume" "ci-agent-1-docker" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_1_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.docker_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_1_subnet) + encrypted = var.ebs_encrypted + size = var.docker_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-1-docker" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdg" aws_hostname = "ci-agent-1" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - 
aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Docker Storage" } } resource "aws_iam_role_policy_attachment" "ci-agent-1_iam_role_policy_attachment" { - role = "${module.ci-agent-1.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.ci-agent_iam_policy.arn}" + role = module.ci-agent-1.instance_iam_role_name + policy_arn = aws_iam_policy.ci-agent_iam_policy.arn } module "alarms-elb-ci-agent-1-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-ci-agent-1-internal" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.ci-agent-1_elb.name}" + elb_name = aws_elb.ci-agent-1_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "50" httpcode_elb_4xx_threshold = "0" @@ -269,7 +277,7 @@ resource "aws_elb" "ci-agent-2_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-ci-agent-2-internal-elb" interval = 60 } 
@@ -295,17 +303,17 @@ resource "aws_elb" "ci-agent-2_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-ci-agent-2", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent")}" + tags = map("Name", "${var.stackname}-ci-agent-2", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") } resource "aws_route53_record" "ci-agent-2_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "ci-agent-2.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.ci-agent-2_elb.dns_name}" - zone_id = "${aws_elb.ci-agent-2_elb.zone_id}" + name = aws_elb.ci-agent-2_elb.dns_name + zone_id = aws_elb.ci-agent-2_elb.zone_id evaluate_target_health = true } } 
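Review bot: The new `tags = map("Name", ..., "Owner", ...)` on `aws_elb.ci-agent-2_elb` keeps the `map()` function, which Terraform 0.12 deprecates in favour of a map literal and later releases remove; since this commit is otherwise moving the file to 0.12 expression syntax, `tags = { Name = "${var.stackname}-ci-agent-2", Project = var.stackname, aws_environment = var.aws_environment, ... }` would be the idiomatic form. The same applies to the ELB tags in the ci-agent-3, ci-agent-4 and ci-agent-5 hunks and to `default_tags = map(...)` in each `module "ci-agent-N"` hunk. Note also that the ELB and node_group tag sets gain `Environment`, `Product` and `Owner` but not `System`, while the EBS volumes in the following hunks get all four; if `System` is meant to be a mandatory tag for cost or ownership reporting, that asymmetry is worth confirming.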
@@ -313,71 +321,79 @@ resource "aws_route53_record" "ci-agent-2_service_record" { module "ci-agent-2" { source = "../../modules/aws/node_group" name = "${var.stackname}-ci-agent-2" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-2")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_2_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-2", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_2_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_ci-agent-2_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "1" instance_elb_ids = ["${aws_elb.ci-agent-2_elb.id}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" + instance_ami_filter_name = var.instance_ami_filter_name asg_max_size = "1" asg_min_size = "1" asg_desired_capacity = "1" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" - root_block_device_volume_size = 
"${var.root_block_device_volume_size}" + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn + root_block_device_volume_size = var.root_block_device_volume_size } resource "aws_ebs_volume" "ci-agent-2-data" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_2_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.data_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_2_subnet) + encrypted = var.ebs_encrypted + size = var.data_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-2-data" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" aws_hostname = "ci-agent-2" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Storage" } } resource "aws_ebs_volume" "ci-agent-2-docker" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_2_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.docker_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_2_subnet) + encrypted = var.ebs_encrypted + size = var.docker_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-2-docker" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdg" aws_hostname = "ci-agent-2" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - 
aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Docker Storage" } } resource "aws_iam_policy" "ci-agent-2_iam_policy" { name = "${var.stackname}-ci-agent-2-volume" path = "/" - policy = "${file("${path.module}/volume_policy.json")}" + policy = file("${path.module}/volume_policy.json") } resource "aws_iam_role_policy_attachment" "ci-agent-2_iam_role_policy_attachment" { - role = "${module.ci-agent-2.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.ci-agent_iam_policy.arn}" + role = module.ci-agent-2.instance_iam_role_name + policy_arn = aws_iam_policy.ci-agent_iam_policy.arn } module "alarms-elb-ci-agent-2-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-ci-agent-2-internal" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.ci-agent-2_elb.name}" + elb_name = aws_elb.ci-agent-2_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "50" httpcode_elb_4xx_threshold = "0" @@ -395,7 +411,7 @@ resource "aws_elb" "ci-agent-3_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-ci-agent-3-internal-elb" interval = 60 } 
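Review bot: The `tags { ... }` blocks on `aws_ebs_volume.ci-agent-2-data` and `ci-agent-2-docker` are left as nested blocks while the rest of the hunk is converted to Terraform 0.12 expression syntax; `tags` on `aws_ebs_volume` is a map argument, and 0.12 rejects block syntax for an argument ("Blocks of type "tags" are not expected here"), so these should become `tags = { Name = "${var.stackname}-ci-agent-2-data", Project = var.stackname, ... }`. The same applies to the volume tags in the ci-agent-3, ci-agent-4 and ci-agent-5 hunks, to the `config { ... }` blocks in every `terraform_remote_state` hunk of remote_state.tf, and to `triggers { ... }` in user_data_snippets.tf, all of which are map arguments in 0.12. If the stack is still pinned to Terraform 0.11 this is moot, but as far as I can tell the unquoted expressions elsewhere in the same hunks would not parse there, so the two halves of the change cannot both be valid for a single Terraform version.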
@@ -421,17 +437,17 @@ resource "aws_elb" "ci-agent-3_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-ci-agent-3", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent")}" + tags = map("Name", "${var.stackname}-ci-agent-3", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") } resource "aws_route53_record" "ci-agent-3_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "ci-agent-3.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.ci-agent-3_elb.dns_name}" - zone_id = "${aws_elb.ci-agent-3_elb.zone_id}" + name = aws_elb.ci-agent-3_elb.dns_name + zone_id = aws_elb.ci-agent-3_elb.zone_id evaluate_target_health = true } } 
@@ -439,65 +455,73 @@ resource "aws_route53_record" "ci-agent-3_service_record" { module "ci-agent-3" { source = "../../modules/aws/node_group" name = "${var.stackname}-ci-agent-3" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-3")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_3_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-3", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_3_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_ci-agent-3_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "1" instance_elb_ids = ["${aws_elb.ci-agent-3_elb.id}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" + instance_ami_filter_name = var.instance_ami_filter_name asg_max_size = "1" asg_min_size = "1" asg_desired_capacity = "1" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" - root_block_device_volume_size = 
"${var.root_block_device_volume_size}" + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn + root_block_device_volume_size = var.root_block_device_volume_size } resource "aws_ebs_volume" "ci-agent-3-data" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_3_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.data_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_3_subnet) + encrypted = var.ebs_encrypted + size = var.data_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-3-data" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" aws_hostname = "ci-agent-3" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Storage" } } resource "aws_ebs_volume" "ci-agent-3-docker" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_3_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.docker_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_3_subnet) + encrypted = var.ebs_encrypted + size = var.docker_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-3-docker" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdg" aws_hostname = "ci-agent-3" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - 
aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Docker Storage" } } resource "aws_iam_role_policy_attachment" "ci-agent-3_iam_role_policy_attachment" { - role = "${module.ci-agent-3.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.ci-agent_iam_policy.arn}" + role = module.ci-agent-3.instance_iam_role_name + policy_arn = aws_iam_policy.ci-agent_iam_policy.arn } module "alarms-elb-ci-agent-3-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-ci-agent-3-internal" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.ci-agent-3_elb.name}" + elb_name = aws_elb.ci-agent-3_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "50" httpcode_elb_4xx_threshold = "0" @@ -515,7 +539,7 @@ resource "aws_elb" "ci-agent-4_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-ci-agent-4-internal-elb" interval = 60 } 
@@ -541,17 +565,17 @@ resource "aws_elb" "ci-agent-4_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-ci-agent-4", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent")}" + tags = map("Name", "${var.stackname}-ci-agent-4", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") } resource "aws_route53_record" "ci-agent-4_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "ci-agent-4.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.ci-agent-4_elb.dns_name}" - zone_id = "${aws_elb.ci-agent-4_elb.zone_id}" + name = aws_elb.ci-agent-4_elb.dns_name + zone_id = aws_elb.ci-agent-4_elb.zone_id evaluate_target_health = true } } 
@@ -559,65 +583,73 @@ resource "aws_route53_record" "ci-agent-4_service_record" { module "ci-agent-4" { source = "../../modules/aws/node_group" name = "${var.stackname}-ci-agent-4" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-4")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_4_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-4", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_4_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_ci-agent-4_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "1" instance_elb_ids = ["${aws_elb.ci-agent-4_elb.id}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" + instance_ami_filter_name = var.instance_ami_filter_name asg_max_size = "1" asg_min_size = "1" asg_desired_capacity = "1" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" - root_block_device_volume_size = 
"${var.root_block_device_volume_size}" + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn + root_block_device_volume_size = var.root_block_device_volume_size } resource "aws_ebs_volume" "ci-agent-4-data" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_4_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.data_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_4_subnet) + encrypted = var.ebs_encrypted + size = var.data_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-4-data" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" aws_hostname = "ci-agent-4" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Storage" } } resource "aws_ebs_volume" "ci-agent-4-docker" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_4_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.docker_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_4_subnet) + encrypted = var.ebs_encrypted + size = var.docker_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-4-docker" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdg" aws_hostname = "ci-agent-4" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - 
aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Storage" } } resource "aws_iam_role_policy_attachment" "ci-agent-4_iam_role_policy_attachment" { - role = "${module.ci-agent-4.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.ci-agent_iam_policy.arn}" + role = module.ci-agent-4.instance_iam_role_name + policy_arn = aws_iam_policy.ci-agent_iam_policy.arn } module "alarms-elb-ci-agent-4-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-ci-agent-4-internal" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.ci-agent-4_elb.name}" + elb_name = aws_elb.ci-agent-4_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "50" httpcode_elb_4xx_threshold = "0" @@ -635,7 +667,7 @@ resource "aws_elb" "ci-agent-5_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-ci-agent-5-internal-elb" interval = 60 } 
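Review bot: `aws_ebs_volume.ci-agent-4-docker` is tagged `System = "CI Agent Storage"`, while the docker volumes for ci-agent-1, -2, -3 and -5 use `System = "CI Agent Docker Storage"` and the `-data` volume in this same hunk already uses `"CI Agent Storage"`; this looks like a copy-paste slip and should read `System = "CI Agent Docker Storage"`. Tag values like this are typically what cost-allocation and ownership reports key on, so the mismatch would put the ci-agent-4 docker volume in the wrong bucket.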
@@ -661,17 +693,17 @@ resource "aws_elb" "ci-agent-5_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-ci-agent-5", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent")}" + tags = map("Name", "${var.stackname}-ci-agent-5", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci-agent", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") } resource "aws_route53_record" "ci-agent-5_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "ci-agent-5.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.ci-agent-5_elb.dns_name}" - zone_id = "${aws_elb.ci-agent-5_elb.zone_id}" + name = aws_elb.ci-agent-5_elb.dns_name + zone_id = aws_elb.ci-agent-5_elb.zone_id evaluate_target_health = true } } 
@@ -679,65 +711,73 @@ resource "aws_route53_record" "ci-agent-5_service_record" { module "ci-agent-5" { source = "../../modules/aws/node_group" name = "${var.stackname}-ci-agent-5" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-5")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_5_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_agent", "aws_hostname", "ci-agent-5", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.ci_agent_5_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_ci-agent-5_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "1" instance_elb_ids = ["${aws_elb.ci-agent-5_elb.id}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" + instance_ami_filter_name = var.instance_ami_filter_name asg_max_size = "1" asg_min_size = "1" asg_desired_capacity = "1" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" - root_block_device_volume_size = 
"${var.root_block_device_volume_size}" + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn + root_block_device_volume_size = var.root_block_device_volume_size } resource "aws_ebs_volume" "ci-agent-5-data" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_5_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.data_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_5_subnet) + encrypted = var.ebs_encrypted + size = var.data_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-5-data" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" aws_hostname = "ci-agent-5" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Storage" } } resource "aws_ebs_volume" "ci-agent-5-docker" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_5_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.docker_block_device_volume_size}" - type = "${var.ebs_volume_type}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.ci_agent_5_subnet) + encrypted = var.ebs_encrypted + size = var.docker_block_device_volume_size + type = var.ebs_volume_type tags { Name = "${var.stackname}-ci-agent-5-docker" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdg" aws_hostname = "ci-agent-5" aws_migration = "ci_agent" - aws_stackname = "${var.stackname}" - 
aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Agent Docker Storage" } } resource "aws_iam_role_policy_attachment" "ci-agent-5_iam_role_policy_attachment" { - role = "${module.ci-agent-5.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.ci-agent_iam_policy.arn}" + role = module.ci-agent-5.instance_iam_role_name + policy_arn = aws_iam_policy.ci-agent_iam_policy.arn } module "alarms-elb-ci-agent-5-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-ci-agent-5-internal" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.ci-agent-5_elb.name}" + elb_name = aws_elb.ci-agent-5_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "50" httpcode_elb_4xx_threshold = "0" 
@@ -750,51 +790,51 @@ module "alarms-elb-ci-agent-5-internal" { # -------------------------------------------------------------- output "ci-agent-1_elb_dns_name" { - value = "${aws_elb.ci-agent-1_elb.dns_name}" + value = aws_elb.ci-agent-1_elb.dns_name description = "DNS name to access the CI agent 1 service" } output "ci-agent-1_service_dns_name" { - value = "${aws_route53_record.ci-agent-1_service_record.name}" + value = aws_route53_record.ci-agent-1_service_record.name description = "DNS name to access the CI agent 1 service" } output "ci-agent-2_elb_dns_name" { - value = "${aws_elb.ci-agent-2_elb.dns_name}" + value = aws_elb.ci-agent-2_elb.dns_name description = "DNS name to access the CI agent 2 service" } output "ci-agent-2_service_dns_name" { - value = "${aws_route53_record.ci-agent-2_service_record.name}" + value = aws_route53_record.ci-agent-2_service_record.name description = "DNS name to access the CI agent 2 service" } output "ci-agent-3_elb_dns_name" { - value = "${aws_elb.ci-agent-3_elb.dns_name}" + value = aws_elb.ci-agent-3_elb.dns_name description = "DNS name to access the CI agent 3 service" } output "ci-agent-3_service_dns_name" { - value = "${aws_route53_record.ci-agent-3_service_record.name}" + value = aws_route53_record.ci-agent-3_service_record.name description = "DNS name to access the CI agent 3 service" } output "ci-agent-4_elb_dns_name" { - value = "${aws_elb.ci-agent-4_elb.dns_name}" + value = aws_elb.ci-agent-4_elb.dns_name description = "DNS name to access the CI agent 4 service" } output "ci-agent-4_service_dns_name" { - value = "${aws_route53_record.ci-agent-4_service_record.name}" + value = aws_route53_record.ci-agent-4_service_record.name description = "DNS name to access the CI agent 4 service" } output "ci-agent-5_elb_dns_name" { - value = "${aws_elb.ci-agent-5_elb.dns_name}" + value = aws_elb.ci-agent-5_elb.dns_name description = "DNS name to access the CI agent 5 service" } output "ci-agent-5_service_dns_name" { - value = 
"${aws_route53_record.ci-agent-5_service_record.name}" + value = aws_route53_record.ci-agent-5_service_record.name description = "DNS name to access the CI agent 5 service" } diff --git a/terraform/projects/app-ci-agents/remote_state.tf b/terraform/projects/app-ci-agents/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-ci-agents/remote_state.tf +++ b/terraform/projects/app-ci-agents/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-ci-agents/user_data_snippets.tf b/terraform/projects/app-ci-agents/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-ci-agents/user_data_snippets.tf +++ b/terraform/projects/app-ci-agents/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-ci-master/README.md b/terraform/projects/app-ci-master/README.md index a02f895fc..706e6f97e 100644 --- a/terraform/projects/app-ci-master/README.md +++ b/terraform/projects/app-ci-master/README.md @@ -72,9 +72,9 @@ CI Master Node | [instance\_ami\_filter\_name](#input\_instance\_ami\_filter\_name) | Name to use to find AMI images | `string` | `""` | no | | [instance\_type](#input\_instance\_type) | Instance type used for EC2 resources | `string` | `"t2.medium"` | no | | [internal\_domain\_name](#input\_internal\_domain\_name) | The domain name of the internal DNS records, it could be different from the zone name | `string` | n/a | yes | -| [internal\_service\_names](#input\_internal\_service\_names) | list of internal names for ci-master, used for DNS domain | `list` |
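Review bot: `esm_trusty_token` is substituted into the rendered snippet and recorded in the `null_resource` `triggers`, so its value is written to the Terraform state and, since the snippets are passed on as `instance_additional_user_data`, presumably into the EC2 user-data of every instance built from them, yet the variable has no `description` and is not marked sensitive. If the toolchain is on 0.14 or later add `sensitive = true` next to `type = string` together with a `description` saying where the value surfaces; on older versions at least a comment to that effect, because read access to the state bucket or to the instance user-data attribute then amounts to access to the token. The new line also still wraps the token as `"${var.esm_trusty_token}"` while the rest of the commit drops such interpolation-only strings, and `triggers { ... }` has to be `triggers = {` under the 0.12+ syntax the commit otherwise targets. The identical hunks in app-ci-master/user_data_snippets.tf and app-content-data-api-db-admin/user_data_snippets.tf carry the same three points.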
[
"ci"
]
| no | +| [internal\_service\_names](#input\_internal\_service\_names) | list of internal names for ci-master, used for DNS domain | `list(string)` |
[
"ci"
]
| no | | [internal\_zone\_name](#input\_internal\_zone\_name) | The name of the Route53 zone that contains internal records | `string` | n/a | yes | -| [public\_service\_names](#input\_public\_service\_names) | list of public names for ci-master, used for DNS domain | `list` |
[
"ci"
]
| no | +| [public\_service\_names](#input\_public\_service\_names) | list of public names for ci-master, used for DNS domain | `list(string)` |
[
"ci"
]
| no | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | | [remote\_state\_infra\_artefact\_bucket\_key\_stack](#input\_remote\_state\_infra\_artefact\_bucket\_key\_stack) | Override infra\_artefact\_bucket remote state path | `string` | `""` | no | | [remote\_state\_infra\_monitoring\_key\_stack](#input\_remote\_state\_infra\_monitoring\_key\_stack) | Override stackname path to infra\_monitoring remote state | `string` | `""` | no | @@ -84,7 +84,7 @@ CI Master Node | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-ci-master/main.tf b/terraform/projects/app-ci-master/main.tf index f61b58ae0..1abe5aa2d 100644 --- a/terraform/projects/app-ci-master/main.tf +++ b/terraform/projects/app-ci-master/main.tf 
@@ -4,81 +4,81 @@ * CI Master Node */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "ebs_encrypted" { - type = "string" + type = string description = "Whether or not the EBS volume is encrypted" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "elb_external_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of, will be attached to external classic ELB" } variable "elb_internal_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of, will be attached to internal classic ELB" } variable "elb_public_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of, will be attached to external ALB" } variable "elb_public_secondary_certname" { - type = "string" + type = string description = "The ACM secondary cert domain name to find the ARN of, will be attached to external ALB" default = "" } variable "deploy_subnet" { - type = "string" + type = string description = "Name of the subnet to place the ci and EBS volume" } variable "remote_state_infra_artefact_bucket_key_stack" { - type = "string" + type = string description = "Override infra_artefact_bucket remote state path" default = "" } variable "external_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains external records" } variable "external_domain_name" { - type = "string" + type = string description = "The domain name of the external DNS records, it could be different from the zone name" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of 
the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } @@ -88,19 +88,19 @@ variable "create_external_elb" { } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t2.medium" } variable "public_service_names" { - type = "list" + type = list(string) description = "list of public names for ci-master, used for DNS domain" default = ["ci"] } variable "internal_service_names" { - type = "list" + type = list(string) description = "list of internal names for ci-master, used for DNS domain" default = ["ci"] } @@ -113,27 +113,27 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "external" { - name = "${var.external_zone_name}" + name = var.external_zone_name private_zone = false } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } data "aws_acm_certificate" "elb_external_cert" { - domain = "${var.elb_external_certname}" + domain = var.elb_external_certname statuses = ["ISSUED"] } resource "aws_elb" "ci-master_elb" { - count = "${var.create_external_elb}" + count = var.create_external_elb name = "${var.stackname}-ci-master" subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"] @@ -141,7 +141,7 @@ resource "aws_elb" "ci-master_elb" { internal = "false" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-ci-master-external-elb" interval = 60 } 
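Review bot: `ebs_encrypted` keeps `type = string` although its description ("Whether or not the EBS volume is encrypted") and its only use later in this file, `encrypted = var.ebs_encrypted`, are boolean. Since this commit is already changing variable types, `type = bool` would make a mistyped value fail at plan time instead of at the volume resource, and keeps the encryption setting from being accidentally supplied as an arbitrary string.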
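Review bot: `bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id` reads a remote-state output as a top-level attribute, which Terraform 0.12+ (the version the bare `var.x` syntax in this commit requires) no longer exposes; there the outputs live under `outputs`, so this should read `data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id`. Every other `data.terraform_remote_state.<state>.<output>` reference this commit rewrites has the same shape: the internal ELB access_logs, the `ci-master` module, `ci_master_public_lb`, the Route53 records, `ci_master_asg_attachment_alb`, and the app-content-data-api-db-admin main.tf hunks. The `aws_elb` resource this hunk belongs to starts and ends outside the hunk.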
@@ -152,7 +152,7 @@ resource "aws_elb" "ci-master_elb" { lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_external_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_external_cert.arn } health_check { @@ -169,11 +169,11 @@ resource "aws_elb" "ci-master_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-ci-master", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_master")}" + tags = map("Name", "${var.stackname}-ci-master", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_master", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname}") } data "aws_acm_certificate" "elb_internal_cert" { - domain = "${var.elb_internal_certname}" + domain = var.elb_internal_certname statuses = ["ISSUED"] } @@ -184,7 +184,7 @@ resource "aws_elb" "ci-master_internal_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-ci-master-internal-elb" interval = 60 } @@ -195,7 +195,7 @@ resource "aws_elb" "ci-master_internal_elb" { lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_internal_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_internal_cert.arn } health_check { 
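Review bot: The owner address `govuk-replatforming-team@digital.cabinet-office.gov.uk` and the `"Product", "GOVUK"` / `"Environment", var.aws_environment` pairs are written out verbatim in this `tags` line and then repeated on the internal ELB, the `ci-master` module, the EBS volume and the app-content-data-api-db-admin module, so the next change of ownership means editing every resource by hand. A `locals { common_tags = { Environment = var.aws_environment, Product = "GOVUK", Owner = "<owner address>", System = var.stackname } }` block with `tags = merge(local.common_tags, { Name = "${var.stackname}-ci-master", Project = var.stackname, ... })` on each resource would keep the shared values in one place. On the same line `"System", "${var.stackname}"` keeps the interpolation-only wrapper that the rest of the line drops, and `map(...)` is the deprecated 0.12 form of a `{ ... }` literal, which I believe is removed in later releases. The `aws_elb` resource starts outside this hunk.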
@@ -212,96 +212,100 @@ resource "aws_elb" "ci-master_internal_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-ci-master-internal", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_master")}" + tags = map("Name", "${var.stackname}-ci-master-internal", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_master", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname}") } resource "aws_route53_record" "service_record" { - count = "${var.create_external_elb}" + count = var.create_external_elb - zone_id = "${data.aws_route53_zone.external.zone_id}" + zone_id = data.aws_route53_zone.external.zone_id name = "ci.${var.external_domain_name}" type = "A" alias { - name = "${aws_elb.ci-master_elb.dns_name}" - zone_id = "${aws_elb.ci-master_elb.zone_id}" + name = aws_elb.ci-master_elb.dns_name + zone_id = aws_elb.ci-master_elb.zone_id evaluate_target_health = true } } resource "aws_route53_record" "service_record_internal" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "ci.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.ci-master_internal_elb.dns_name}" - zone_id = "${aws_elb.ci-master_internal_elb.zone_id}" + name = aws_elb.ci-master_internal_elb.dns_name + zone_id = aws_elb.ci-master_internal_elb.zone_id evaluate_target_health = true } } locals { - instance_elb_ids_length = "${var.create_external_elb ? 2 : 1}" - instance_elb_ids = "${compact(list(join("", aws_elb.ci-master_elb.*.id), aws_elb.ci-master_internal_elb.id))}" + instance_elb_ids_length = var.create_external_elb ? 
2 : 1 + instance_elb_ids = compact(list(join("", aws_elb.ci-master_elb.*.id), aws_elb.ci-master_internal_elb.id)) } module "ci-master" { source = "../../modules/aws/node_group" name = "${var.stackname}-ci-master" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_master", "aws_hostname", "ci-master-1")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.deploy_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "ci_master", "aws_hostname", "ci-master-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname}") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.deploy_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_ci-master_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" - instance_elb_ids_length = "${local.instance_elb_ids_length}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) + instance_elb_ids_length = local.instance_elb_ids_length instance_elb_ids = ["${local.instance_elb_ids}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + instance_ami_filter_name = 
var.instance_ami_filter_name + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn } resource "aws_ebs_volume" "ci-master" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.deploy_subnet)}" - encrypted = "${var.ebs_encrypted}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.deploy_subnet) + encrypted = var.ebs_encrypted size = 40 type = "gp3" tags { Name = "${var.stackname}-ci" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" aws_hostname = "ci-master-1" aws_migration = "ci_master" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CI Master" } } resource "aws_iam_policy" "ci-master_iam_policy" { name = "${var.stackname}-ci-master-additional" path = "/" - policy = "${file("${path.module}/additional_policy.json")}" + policy = file("${path.module}/additional_policy.json") } resource "aws_iam_role_policy_attachment" "ci-master_iam_role_policy_attachment" { - role = "${module.ci-master.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.ci-master_iam_policy.arn}" + role = module.ci-master.instance_iam_role_name + policy_arn = aws_iam_policy.ci-master_iam_policy.arn } locals { - elb_httpcode_backend_5xx_threshold = "${var.create_external_elb ? 50 : 0}" - elb_httpcode_elb_5xx_threshold = "${var.create_external_elb ? 50 : 0}" + elb_httpcode_backend_5xx_threshold = var.create_external_elb ? 50 : 0 + elb_httpcode_elb_5xx_threshold = var.create_external_elb ? 
50 : 0 } module "alarms-elb-ci-master-external" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-ci-master-external" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${join("", aws_elb.ci-master_elb.*.name)}" + elb_name = join("", aws_elb.ci-master_elb.*.name) httpcode_backend_4xx_threshold = "0" - httpcode_backend_5xx_threshold = "${local.elb_httpcode_backend_5xx_threshold}" + httpcode_backend_5xx_threshold = local.elb_httpcode_backend_5xx_threshold httpcode_elb_4xx_threshold = "0" - httpcode_elb_5xx_threshold = "${local.elb_httpcode_elb_5xx_threshold}" + httpcode_elb_5xx_threshold = local.elb_httpcode_elb_5xx_threshold surgequeuelength_threshold = "0" healthyhostcount_threshold = "0" } 
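Review bot: `name = aws_elb.ci-master_elb.dns_name` and `zone_id = aws_elb.ci-master_elb.zone_id` in `service_record` reference a resource that carries `count = var.create_external_elb` without an instance key, which Terraform 0.12+ rejects; they should be `aws_elb.ci-master_elb[0].dns_name` and `aws_elb.ci-master_elb[0].zone_id` (or `[count.index]`, since the record has the same count). The new tags are also inconsistent within this hunk: the EBS volume gets `System = "CI Master"` while the internal ELB and the `ci-master` module set `System` to `var.stackname`, so a tag-based ownership or inventory query over this stack will miss one or the other. The volume's `tags { ... }` block needs to be `tags = {` under 0.12+, and `list(...)` / `map(...)` in the `locals` and module blocks are the deprecated forms of `[ ... ]` / `{ ... }`.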
@@ -312,32 +316,32 @@ module "ci_master_public_lb" { source = "../../modules/aws/lb" name = "govuk-ci-master-public" internal = false - vpc_id = "${data.terraform_remote_state.infra_vpc.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id access_logs_bucket_prefix = "elb/govuk-ci-master-public-elb" - listener_certificate_domain_name = "${var.elb_public_certname}" - listener_secondary_certificate_domain_name = "${var.elb_public_secondary_certname}" - listener_action = "${map("HTTPS:443", "HTTP:80")}" + listener_certificate_domain_name = var.elb_public_certname + listener_secondary_certificate_domain_name = var.elb_public_secondary_certname + listener_action = map("HTTPS:443", "HTTP:80") subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"] security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_ci-master_elb_id}"] alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - default_tags = "${map("Project", "govuk", "aws_migration", "ci_master", "aws_environment", var.aws_environment)}" + default_tags = map("Project", "govuk", "aws_migration", "ci_master", "aws_environment", var.aws_environment) } resource "aws_shield_protection" "ci_master_public_lb" { name = "${var.stackname}-ci-master-public_shield" - resource_arn = "${module.ci_master_public_lb.lb_id}" + resource_arn = module.ci_master_public_lb.lb_id } resource "aws_route53_record" "ci_master_public_service_names" { - count = "${length(var.public_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.external_root_zone_id}" + count = length(var.public_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.external_root_zone_id name = "${element(var.public_service_names, 
count.index)}.${data.terraform_remote_state.infra_root_dns_zones.external_root_domain_name}" type = "A" alias { - name = "${module.ci_master_public_lb.lb_dns_name}" - zone_id = "${module.ci_master_public_lb.lb_zone_id}" + name = module.ci_master_public_lb.lb_dns_name + zone_id = module.ci_master_public_lb.lb_zone_id evaluate_target_health = true } } @@ -355,14 +359,14 @@ data "aws_autoscaling_groups" "ci_master" { } resource "aws_autoscaling_attachment" "ci_master_asg_attachment_alb" { - count = "${length(data.aws_autoscaling_groups.ci_master.names) > 0 ? 1 : 0}" - autoscaling_group_name = "${element(data.aws_autoscaling_groups.ci_master.names, 0)}" - alb_target_group_arn = "${element(module.ci_master_public_lb.target_group_arns, 0)}" + count = length(data.aws_autoscaling_groups.ci_master.names) > 0 ? 1 : 0 + autoscaling_group_name = element(data.aws_autoscaling_groups.ci_master.names, 0) + alb_target_group_arn = element(module.ci_master_public_lb.target_group_arns, 0) } resource "aws_route53_record" "ci_master_internal_service_names" { - count = "${length(var.internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.internal_root_zone_id}" + count = length(var.internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.internal_root_zone_id name = "${element(var.internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.internal_root_domain_name}" type = "CNAME" records = ["${element(var.internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.internal_root_domain_name}"] @@ -373,6 +377,6 @@ resource "aws_route53_record" "ci_master_internal_service_names" { # -------------------------------------------------------------- output "ci-master_elb_dns_name" { - value = "${join("", aws_elb.ci-master_elb.*.dns_name)}" + value = join("", aws_elb.ci-master_elb.*.dns_name) description = "DNS name to access the ci-master service" } 
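Review bot: `default_tags = map("Project", "govuk", "aws_migration", "ci_master", "aws_environment", var.aws_environment)` on `ci_master_public_lb` is the one tag set in this commit that does not get the new `Environment`, `Product`, `Owner` and `System` keys, so the internet-facing load balancer, the same resource wrapped in `aws_shield_protection` just below, is the one left without an owner tag if someone has to trace it during an incident. This looks like an oversight rather than a choice; adding the same four pairs here would match the rest of the file. `map(...)` is the deprecated 0.12 form, and `{ Project = "govuk", ... }` is the replacement.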
diff --git a/terraform/projects/app-ci-master/remote_state.tf b/terraform/projects/app-ci-master/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-ci-master/remote_state.tf +++ b/terraform/projects/app-ci-master/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-ci-master/user_data_snippets.tf b/terraform/projects/app-ci-master/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-ci-master/user_data_snippets.tf +++ b/terraform/projects/app-ci-master/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-content-data-api-db-admin/README.md b/terraform/projects/app-content-data-api-db-admin/README.md index e56b86466..70ee3de42 100644 --- a/terraform/projects/app-content-data-api-db-admin/README.md +++ b/terraform/projects/app-content-data-api-db-admin/README.md @@ -57,7 +57,7 @@ DB admin boxes for the Content Data API RDS instance | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-content-data-api-db-admin/main.tf b/terraform/projects/app-content-data-api-db-admin/main.tf index 2cb69c54b..8355984c2 100644 --- a/terraform/projects/app-content-data-api-db-admin/main.tf 
+++ b/terraform/projects/app-content-data-api-db-admin/main.tf @@ -4,29 +4,29 @@ * DB admin boxes for the Content Data API RDS instance */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "remote_state_infra_database_backups_bucket_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_database_backups_bucket remote state" default = "" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t2.medium" } 
@@ -39,31 +39,31 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } module "content-data-api-db-admin" { source = "../../modules/aws/node_group" name = "${var.stackname}-content-data-api-db-admin" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "content_data_api_db_admin", "aws_hostname", "content-data-api-db-admin-1")}" - instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "content_data_api_db_admin", "aws_hostname", "content-data-api-db-admin-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_content-data-api-db-admin_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "0" instance_elb_ids = [] asg_max_size = "1" asg_min_size = "1" asg_desired_capacity = "1" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn root_block_device_volume_size = "64" } module "alarms-autoscaling-content-data-api-db-admin" { source = "../../modules/aws/alarms/autoscaling" name_prefix = "${var.stackname}-content-data-api-db-admin" - 
autoscaling_group_name = "${module.content-data-api-db-admin.autoscaling_group_name}" + autoscaling_group_name = module.content-data-api-db-admin.autoscaling_group_name alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] groupinserviceinstances_threshold = "1" } @@ -71,7 +71,7 @@ module "alarms-autoscaling-content-data-api-db-admin" { module "alarms-ec2-content-data-api-db-admin" { source = "../../modules/aws/alarms/ec2" name_prefix = "${var.stackname}-content-data-api-db-admin" - autoscaling_group_name = "${module.content-data-api-db-admin.autoscaling_group_name}" + autoscaling_group_name = module.content-data-api-db-admin.autoscaling_group_name alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] cpuutilization_threshold = "85" } 
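Review bot: `default_tags` on the `content-data-api-db-admin` module adds `Environment`, `Product` and `Owner` but not the `System` key that the `ci-master` module and ELBs receive in the same commit, so the tagging scheme is already uneven across the two projects. Either add `"System", var.stackname` here or drop the key elsewhere, but choose one so tag policies and ownership reports see the same key set. Unchanged by the hunk but visible in it, `version = "2.46.0"` inside `provider "aws"` is the pre-0.13 pinning style; the `terraform {` block whose closing brace opens this hunk is where a `required_providers` entry would go.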
@@ -80,23 +80,23 @@ data "terraform_remote_state" "infra_database_backups_bucket" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_database_backups_bucket_key_stack, var.stackname)}/infra-database-backups-bucket.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } # All environments should be able to write to the backups bucket for # the respective environment. resource "aws_iam_role_policy_attachment" "write_to_database_backups_bucket_iam_role_policy_attachment" { - role = "${module.content-data-api-db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.content_data_api_dbadmin_write_database_backups_bucket_policy_arn}" + role = module.content-data-api-db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.content_data_api_dbadmin_write_database_backups_bucket_policy_arn } # All environments should be able to read from the production database # backups bucket, to enable restoring the backups, and the overnight # data syncs. resource "aws_iam_role_policy_attachment" "read_from_production_database_backups_from_production_iam_role_policy_attachment" { - role = "${module.content-data-api-db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.production_content_data_api_dbadmin_read_database_backups_bucket_policy_arn}" + role = module.content-data-api-db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.production_content_data_api_dbadmin_read_database_backups_bucket_policy_arn } diff --git a/terraform/projects/app-content-data-api-db-admin/remote_state.tf b/terraform/projects/app-content-data-api-db-admin/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-content-data-api-db-admin/remote_state.tf 
+++ b/terraform/projects/app-content-data-api-db-admin/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-content-data-api-db-admin/user_data_snippets.tf b/terraform/projects/app-content-data-api-db-admin/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-content-data-api-db-admin/user_data_snippets.tf +++ b/terraform/projects/app-content-data-api-db-admin/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-content-data-api-postgresql/main.tf b/terraform/projects/app-content-data-api-postgresql/main.tf index 5437688b9..a8b6e95e9 100644 --- a/terraform/projects/app-content-data-api-postgresql/main.tf +++ b/terraform/projects/app-content-data-api-postgresql/main.tf 
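Review bot: `"${var.esm_trusty_token}"` as the third argument of `replace()` is an interpolation-only string, which Terraform 0.12 flags as deprecated; it can be written as `var.esm_trusty_token` directly. For the same Terraform version the `triggers {` block should become `triggers = {`, since `triggers` is a map argument of `null_resource`. Note also that the fully rendered snippet, with the token already substituted, is what is stored in `triggers`, and null_resource triggers are recorded in the state file, so whoever can read the state bucket can read the token; that is pre-existing behaviour, but worth a comment such as `# rendered snippet (including the substituted token) is persisted in state`. The identical hunk in app-db-admin/user_data_snippets.tf has the same points.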
@@ -4,55 +4,55 @@ * RDS PostgreSQL instance for the Content Data API */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "cloudwatch_log_retention" { - type = "string" + type = string description = "Number of days to retain Cloudwatch logs for" } variable "username" { - type = "string" + type = string description = "PostgreSQL username" } variable "password" { - type = "string" + type = string description = "DB password" } variable "multi_az" { - type = "string" + type = string description = "Enable multi-az." default = true } variable "skip_final_snapshot" { - type = "string" + type = string description = "Set to true to NOT create a final snapshot when the cluster is deleted." } variable "snapshot_identifier" { - type = "string" + type = string description = "Specifies whether or not to create the database from this snapshot" default = "" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for RDS resources" default = "db.m5.large" } @@ -65,7 +65,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } 
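Review bot: `variable "multi_az"` is given `type = string` while its `default = true` is a boolean, and `skip_final_snapshot` is likewise a string standing in for a boolean flag; now that the declarations use first-class types they can say `type = bool`, which also rejects accidental values such as `"yes"` at plan time instead of passing them through to the provider. `variable "password"` carries the database master password; if this configuration is run under Terraform 0.14 or later, adding `sensitive = true` to it keeps the value out of plan output (it remains in state, as it already is today). The second hunk's `version = "2.46.0"` inside the provider block is fine on 0.12 but is deprecated from 0.13, where it belongs in `required_providers`.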
@@ -137,35 +137,39 @@ resource "aws_db_parameter_group" "content_data_api" {
   }
   tags {
-    aws_stackname = "${var.stackname}"
+    aws_stackname = var.stackname
+    Environment = var.aws_environment
+    Product = "GOVUK"
+    Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+    System = "Content Data Api"
   }
 }
 module "content-data-api-postgresql-primary_rds_instance" {
   source = "../../modules/aws/rds_instance"
   name = "${var.stackname}-content-data-api-postgresql-primary"
-  parameter_group_name = "${aws_db_parameter_group.content_data_api.name}"
+  parameter_group_name = aws_db_parameter_group.content_data_api.name
   engine_name = "postgres"
   engine_version = "13.3"
-  default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "content_data_api_postgresql_primary")}"
-  subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_rds_ids}"
-  username = "${var.username}"
-  password = "${var.password}"
+  default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "content_data_api_postgresql_primary", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk")
+  subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_rds_ids
+  username = var.username
+  password = var.password
   allocated_storage = "1024"
   max_allocated_storage = "1300"
-  instance_class = "${var.instance_type}"
+  instance_class = var.instance_type
   instance_name = "${var.stackname}-content-data-api-postgresql-primary"
-  multi_az = "${var.multi_az}"
+  multi_az = var.multi_az
   security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_content-data-api-postgresql-primary_id}"]
-  event_sns_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_rds_events_arn}"
-  skip_final_snapshot = "${var.skip_final_snapshot}"
-  snapshot_identifier = "${var.snapshot_identifier}"
+  event_sns_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_rds_events_arn
+  skip_final_snapshot = var.skip_final_snapshot
+  snapshot_identifier = var.snapshot_identifier
   monitoring_interval = "60"
-  monitoring_role_arn = "${data.terraform_remote_state.infra_monitoring.rds_enhanced_monitoring_role_arn}"
+  monitoring_role_arn = data.terraform_remote_state.infra_monitoring.rds_enhanced_monitoring_role_arn
 }
 resource "aws_route53_record" "service_record" {
-  zone_id = "${data.terraform_remote_state.infra_stack_dns_zones.internal_zone_id}"
+  zone_id = data.terraform_remote_state.infra_stack_dns_zones.internal_zone_id
   name = "content-data-api-postgresql-primary.${data.terraform_remote_state.infra_stack_dns_zones.internal_domain_name}"
   type = "CNAME"
   ttl = 300
@@ -176,7 +180,7 @@ module "alarms-rds-content-data-api-postgresql-primary" {
   source = "../../modules/aws/alarms/rds"
   name_prefix = "${var.stackname}-content-data-api-postgresql-primary"
   alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"]
-  db_instance_id = "${module.content-data-api-postgresql-primary_rds_instance.rds_instance_id}"
+  db_instance_id = module.content-data-api-postgresql-primary_rds_instance.rds_instance_id
   freestoragespace_threshold = "536870912000"
 }
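Review bot: The two tag sets this hunk introduces do not agree: the parameter group's `tags` gains `System = "Content Data Api"`, but the `default_tags` map passed to the rds_instance module adds only `Environment`, `Product` and `Owner`, so the RDS instance will be tagged differently from its own parameter group. Since the commit is specifically about tagging, I would append `"System", "Content Data Api"` to the `map(...)` call, or define the shared tags once in a `locals` block and `merge()` them into both places so they cannot drift again. Two version points: `tags {` is still block syntax next to 0.12-style expressions and needs to be `tags = {` if 0.12+ is the target, and `map()` is deprecated from 0.12 and absent in later releases, so `tomap({ ... })` is the forward-compatible form. The resource block that opens this hunk starts above it.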
@@ -184,21 +188,21 @@ module "alarms-rds-content-data-api-postgresql-primary" { # -------------------------------------------------------------- output "content-data-api-postgresql-primary_id" { - value = "${module.content-data-api-postgresql-primary_rds_instance.rds_instance_id}" + value = module.content-data-api-postgresql-primary_rds_instance.rds_instance_id description = "postgresql instance ID" } output "content-data-api-postgresql-primary_resource_id" { - value = "${module.content-data-api-postgresql-primary_rds_instance.rds_instance_resource_id}" + value = module.content-data-api-postgresql-primary_rds_instance.rds_instance_resource_id description = "postgresql instance resource ID" } output "content-data-api-postgresql-primary_endpoint" { - value = "${module.content-data-api-postgresql-primary_rds_instance.rds_instance_endpoint}" + value = module.content-data-api-postgresql-primary_rds_instance.rds_instance_endpoint description = "postgresql instance endpoint" } output "content-data-api-postgresql-primary_address" { - value = "${module.content-data-api-postgresql-primary_rds_instance.rds_instance_address}" + value = module.content-data-api-postgresql-primary_rds_instance.rds_instance_address description = "postgresql instance address" } diff --git a/terraform/projects/app-content-data-api-postgresql/remote_state.tf b/terraform/projects/app-content-data-api-postgresql/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-content-data-api-postgresql/remote_state.tf +++ b/terraform/projects/app-content-data-api-postgresql/remote_state.tf 
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-db-admin/README.md b/terraform/projects/app-db-admin/README.md index 98b9a0991..379d4968e 100644 --- a/terraform/projects/app-db-admin/README.md +++ b/terraform/projects/app-db-admin/README.md 
@@ -81,7 +81,7 @@ These nodes connect to RDS instances and administer them. | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-db-admin/main.tf b/terraform/projects/app-db-admin/main.tf index aa1be0f03..ead83e989 100644 --- a/terraform/projects/app-db-admin/main.tf +++ b/terraform/projects/app-db-admin/main.tf 
@@ -6,51 +6,51 @@ * These nodes connect to RDS instances and administer them. */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "remote_state_infra_content_publisher_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_content_publisher remote state" default = "" } variable "remote_state_infra_database_backups_bucket_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_database_backups_bucket remote state" default = "" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t2.medium" } @@ -63,12 +63,12 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } @@ -79,7 +79,7 @@ resource "aws_elb" "db-admin_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-db-admin-internal-elb" interval = 60 } 
@@ -112,35 +112,35 @@ resource "aws_elb" "db-admin_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-db-admin", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "db_admin")}" + tags = map("Name", "${var.stackname}-db-admin", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "db_admin", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname}") } module "db-admin" { source = "../../modules/aws/node_group" name = "${var.stackname}-db-admin" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "db_admin", "aws_hostname", "db-admin-1")}" - instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "db_admin", "aws_hostname", "db-admin-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team") + instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_db-admin_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "1" instance_elb_ids = ["${aws_elb.db-admin_elb.id}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" + instance_ami_filter_name = var.instance_ami_filter_name asg_max_size = "1" asg_min_size = "1" asg_desired_capacity = "1" 
- asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn root_block_device_volume_size = "512" } resource "aws_route53_record" "db_admin_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "db-admin.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.db-admin_elb.dns_name}" - zone_id = "${aws_elb.db-admin_elb.zone_id}" + name = aws_elb.db-admin_elb.dns_name + zone_id = aws_elb.db-admin_elb.zone_id evaluate_target_health = true } } @@ -148,7 +148,7 @@ resource "aws_route53_record" "db_admin_service_record" { module "alarms-autoscaling-db-admin" { source = "../../modules/aws/alarms/autoscaling" name_prefix = "${var.stackname}-db-admin" - autoscaling_group_name = "${module.db-admin.autoscaling_group_name}" + autoscaling_group_name = module.db-admin.autoscaling_group_name alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] groupinserviceinstances_threshold = "1" } @@ -156,7 +156,7 @@ module "alarms-autoscaling-db-admin" { module "alarms-ec2-db-admin" { source = "../../modules/aws/alarms/ec2" name_prefix = "${var.stackname}-db-admin" - autoscaling_group_name = "${module.db-admin.autoscaling_group_name}" + autoscaling_group_name = module.db-admin.autoscaling_group_name alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] cpuutilization_threshold = "85" } 
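Review bot: The `Owner` tag added in the `@@ -112` hunk is `"govuk-replatforming-team@digital.cabinet-office.gov.uk"` on the ELB but `"govuk-replatforming-team"` in the node_group `default_tags`, and `System` is set only on the ELB, so the ASG and instances behind the load balancer will carry different ownership tags from the load balancer itself; this hunk begins on the previous line. I would use one value in both places, changing the module line to include `"Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", var.stackname`, or better, put the shared tags in a `locals` map and `merge()` it into each resource, so cost allocation and ownership lookups that key on these tags stay consistent. The `"${var.stackname}"` inside the ELB `map()` call is an interpolation-only string and can be `var.stackname`.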
@@ -165,9 +165,9 @@ data "terraform_remote_state" "infra_database_backups_bucket" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_database_backups_bucket_key_stack, var.stackname)}/infra-database-backups-bucket.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -175,9 +175,9 @@ data "terraform_remote_state" "infra_content_publisher_active_storage_buckets" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_content_publisher_key_stack, var.stackname)}/infra-content-publisher.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -185,102 +185,102 @@ data "terraform_remote_state" "infra_content_publisher_active_storage_buckets" { # their respective environment. resource "aws_iam_role_policy_attachment" "write_db-admin_database_backups_iam_role_policy_attachment" { count = 1 - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.dbadmin_write_database_backups_bucket_policy_arn}" + role = module.db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.dbadmin_write_database_backups_bucket_policy_arn } # All environments, except production for safety reasons, should be able to read from the production database # backups bucket, to enable restoring the backups, and the overnight # data syncs. resource "aws_iam_role_policy_attachment" "read_from_production_database_backups_from_production_iam_role_policy_attachment" { - count = "${var.aws_environment != "production" ? 1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.production_dbadmin_read_database_backups_bucket_policy_arn}" + count = var.aws_environment != "production" ? 1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.production_dbadmin_read_database_backups_bucket_policy_arn } # integration environment should be able to read integration and staging database backups resource "aws_iam_role_policy_attachment" "read_from_integration_database_backups_from_integration_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.integration_dbadmin_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "integration" ? 
1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.integration_dbadmin_read_database_backups_bucket_policy_arn } # staging environment should be able to read staging database backups resource "aws_iam_role_policy_attachment" "read_from_staging_database_backups_from_integration_iam_role_policy_attachment" { - count = "${var.aws_environment == "staging" ? 1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.staging_dbadmin_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "staging" ? 1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.staging_dbadmin_read_database_backups_bucket_policy_arn } resource "aws_iam_policy" "db-admin_iam_policy" { name = "${var.stackname}-db-admin-additional" path = "/" - policy = "${file("${path.module}/additional_policy.json")}" + policy = file("${path.module}/additional_policy.json") } resource "aws_iam_role_policy_attachment" "db-admin_iam_role_policy_attachment" { - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.db-admin_iam_policy.arn}" + role = module.db-admin.instance_iam_role_name + policy_arn = aws_iam_policy.db-admin_iam_policy.arn } resource "aws_iam_policy" "db-admin_elasticache_iam_policy" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}-db-admin-elasticache" path = "/" - policy = "${file("${path.module}/elasticache_policy.json")}" + policy = file("${path.module}/elasticache_policy.json") } resource "aws_iam_role_policy_attachment" "db-admin_elasticache_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 
1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.db-admin_elasticache_iam_policy.arn}" + count = var.aws_environment == "integration" ? 1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = aws_iam_policy.db-admin_elasticache_iam_policy.arn } resource "aws_iam_policy" "assets_env_sync_s3_writer" { - count = "${var.aws_environment == "production" ? 1 : 0}" + count = var.aws_environment == "production" ? 1 : 0 name = "govuk-${var.aws_environment}-asset-manager-env-sync-s3-writer-policy" description = "Read prod assets buckets, read/write integration/staging assets buckets. Should exist in Prod only." - policy = "${data.template_file.assets_env_sync_s3_writer_policy_template.rendered}" + policy = data.template_file.assets_env_sync_s3_writer_policy_template.rendered } resource "aws_iam_role_policy_attachment" "assets_env_sync_s3_writer" { - count = "${var.aws_environment == "production" ? 1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.assets_env_sync_s3_writer.arn}" + count = var.aws_environment == "production" ? 1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = aws_iam_policy.assets_env_sync_s3_writer.arn } data "template_file" "assets_env_sync_s3_writer_policy_template" { - template = "${file("s3_assets_sync_policy.tpl")}" + template = file("s3_assets_sync_policy.tpl") } resource "aws_iam_role_policy_attachment" "read_from_staging_content_publisher_active_storage_from_integration_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_content_publisher_active_storage_buckets.staging_content_publisher_active_storage_bucket_reader_policy_arn}" + count = var.aws_environment == "integration" ? 
1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_content_publisher_active_storage_buckets.staging_content_publisher_active_storage_bucket_reader_policy_arn } resource "aws_iam_role_policy_attachment" "read_write_from_integration_content_publisher_active_storage_from_integration_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_content_publisher_active_storage_buckets.integration_content_publisher_active_storage_bucket_reader_writer_policy_arn}" + count = var.aws_environment == "integration" ? 1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_content_publisher_active_storage_buckets.integration_content_publisher_active_storage_bucket_reader_writer_policy_arn } resource "aws_iam_role_policy_attachment" "read_write_from_staging_content_publisher_active_storage_from_staging_iam_role_policy_attachment" { - count = "${var.aws_environment == "staging" ? 1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_content_publisher_active_storage_buckets.staging_content_publisher_active_storage_bucket_reader_writer_policy_arn}" + count = var.aws_environment == "staging" ? 1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_content_publisher_active_storage_buckets.staging_content_publisher_active_storage_bucket_reader_writer_policy_arn } resource "aws_iam_role_policy_attachment" "read_from_production_content_publisher_active_storage_from_staging_iam_role_policy_attachment" { - count = "${var.aws_environment == "staging" ? 
1 : 0}" - role = "${module.db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_content_publisher_active_storage_buckets.production_content_publisher_active_storage_bucket_reader_policy_arn}" + count = var.aws_environment == "staging" ? 1 : 0 + role = module.db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_content_publisher_active_storage_buckets.production_content_publisher_active_storage_bucket_reader_policy_arn } # Outputs # -------------------------------------------------------------- output "db-admin_elb_dns_name" { - value = "${aws_elb.db-admin_elb.dns_name}" + value = aws_elb.db-admin_elb.dns_name description = "DNS name to access the db-admin service" } diff --git a/terraform/projects/app-db-admin/remote_state.tf b/terraform/projects/app-db-admin/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-db-admin/remote_state.tf +++ b/terraform/projects/app-db-admin/remote_state.tf 
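Review bot: `policy_arn = aws_iam_policy.db-admin_elasticache_iam_policy.arn` and `policy_arn = aws_iam_policy.assets_env_sync_s3_writer.arn` reference resources declared with `count`; under Terraform 0.12+, which the unquoted expressions imply, attributes of a counted resource must be read from a specific instance, so these should be `aws_iam_policy.db-admin_elasticache_iam_policy[0].arn` and `aws_iam_policy.assets_env_sync_s3_writer[0].arn` (the old quoted form only worked because 0.11 tolerated it). Separately, `read_from_staging_database_backups_from_integration_iam_role_policy_attachment` is gated on `var.aws_environment == "staging"` and its comment describes the staging environment, so the `from_integration` suffix looks like a naming slip; renaming it means a state move, so a one-line comment recording the mismatch may be the safer fix for this commit. Because every attachment in this hunk grants cross-environment access to backup or asset buckets, it is also worth confirming that the remote-state outputs used where only read is intended are the read-only policy variants, as their names suggest.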
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-db-admin/user_data_snippets.tf b/terraform/projects/app-db-admin/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-db-admin/user_data_snippets.tf +++ b/terraform/projects/app-db-admin/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-deploy/README.md b/terraform/projects/app-deploy/README.md index 92d090ef6..8f33c3d2f 100644 --- a/terraform/projects/app-deploy/README.md +++ b/terraform/projects/app-deploy/README.md @@ -87,7 +87,7 @@ Deploy node | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | | [tools\_govuk\_codecommit\_poweruser\_role\_arn](#input\_tools\_govuk\_codecommit\_poweruser\_role\_arn) | ARN of the role that Mirrorer Jenkins to assume the Tools govuk\_codecommit\_poweruser role | `string` | `""` | no | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-deploy/main.tf b/terraform/projects/app-deploy/main.tf index 1111568ba..cffd1cb18 100644 --- a/terraform/projects/app-deploy/main.tf +++ b/terraform/projects/app-deploy/main.tf 
@@ -4,76 +4,76 @@ * Deploy node */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "tools_govuk_codecommit_poweruser_role_arn" { - type = "string" + type = string description = "ARN of the role that Mirrorer Jenkins to assume the Tools govuk_codecommit_poweruser role" default = "" } variable "ebs_encrypted" { - type = "string" + type = string description = "Whether or not the EBS volume is encrypted" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "elb_external_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "elb_internal_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "deploy_subnet" { - type = "string" + type = string description = "Name of the subnet to place the apt instance 1 and EBS volume" } variable "remote_state_infra_artefact_bucket_key_stack" { - type = "string" + type = string description = "Override infra_artefact_bucket remote state path" default = "" } variable "external_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains external records" } variable "external_domain_name" { - type = "string" + type = string description = "The domain name of the external DNS records, it could be different from the zone name" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } 
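Review bot: `ebs_encrypted` keeps `type = string` although it is a true/false flag that feeds `encrypted` on aws_ebs_volume.deploy later in this file; now that the variables are being given real 0.12 types, `type = bool` makes Terraform validate the value at plan time instead of relying on the provider's string-to-bool conversion, and a `default = true` would make encryption at rest the opt-out rather than the opt-in path. The description could also say what the variable gates, e.g. `description = "Whether the deploy node's data EBS volume is encrypted at rest"`.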
@@ -83,7 +83,7 @@ variable "create_external_elb" { } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t2.medium" } @@ -101,34 +101,34 @@ data "terraform_remote_state" "artefact_bucket" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_artefact_bucket_key_stack, var.stackname)}/infra-artefact-bucket.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "external" { - name = "${var.external_zone_name}" + name = var.external_zone_name private_zone = false } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } data "aws_acm_certificate" "elb_external_cert" { - domain = "${var.elb_external_certname}" + domain = var.elb_external_certname statuses = ["ISSUED"] } resource "aws_elb" "deploy_elb" { - count = "${var.create_external_elb}" + count = var.create_external_elb name = "${var.stackname}-deploy" subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"] @@ -136,7 +136,7 @@ resource "aws_elb" "deploy_elb" { internal = "false" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-deploy-external-elb" interval = 60 } @@ -147,7 +147,7 @@ resource "aws_elb" "deploy_elb" { lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_external_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_external_cert.arn } health_check { 
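Review bot: `bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id` (and every other remote-state reference rewritten in this patch) still reads the output directly off the data source; from Terraform 0.12 onward, which the bare `var.` expressions target, remote state outputs are only reachable under `.outputs`, so this needs `bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id`, and the same applies to the artefact_bucket, infra_networking and infra_security_groups references in the app-deploy and app-docker-management main.tf hunks. Two context lines in this hunk would also fail under 0.12 and are left as-is: `subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"]` wraps what its name suggests is a list in a string template and should be the bare list expression, and `version = "2.46.0"` inside `provider "aws"` is the provider-block pin that 0.13 deprecates in favour of `required_providers`. The aws_elb.deploy_elb resource continues past the hunk.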
@@ -164,11 +164,11 @@ resource "aws_elb" "deploy_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-deploy", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jenkins")}" + tags = map("Name", "${var.stackname}-deploy", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jenkins", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Deployment") } data "aws_acm_certificate" "elb_internal_cert" { - domain = "${var.elb_internal_certname}" + domain = var.elb_internal_certname statuses = ["ISSUED"] } @@ -179,7 +179,7 @@ resource "aws_elb" "deploy_internal_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-deploy-internal-elb" interval = 60 } @@ -190,7 +190,7 @@ resource "aws_elb" "deploy_internal_elb" { lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_internal_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_internal_cert.arn } health_check { 
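Review bot: the ELB tag map in this hunk (and the internal ELB's in the next one) now spells out the governance keys `Environment`, `Product`, `Owner` and `System` inline, repeats the owner address verbatim, and sets both `aws_environment` and `Environment` to var.aws_environment. A single `locals { common_tags = { ... } }` holding the shared keys, used as `tags = merge(local.common_tags, { Name = "${var.stackname}-deploy", System = "Deployment" })`, would keep the set identical across the two ELBs, the node_group default_tags and the EBS volume in this file, which already disagree on the `System` value. `map(...)` is also deprecated in 0.12 in favour of the `{ }` literal, which the merge form gives you for free. The aws_elb.deploy_internal_elb resource continues past the hunk.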
@@ -207,89 +207,93 @@ resource "aws_elb" "deploy_internal_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-deploy-internal", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jenkins")}" + tags = map("Name", "${var.stackname}-deploy-internal", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jenkins", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Deployment") } resource "aws_route53_record" "service_record" { - count = "${var.create_external_elb}" + count = var.create_external_elb - zone_id = "${data.aws_route53_zone.external.zone_id}" + zone_id = data.aws_route53_zone.external.zone_id name = "deploy.${var.external_domain_name}" type = "A" alias { - name = "${aws_elb.deploy_elb.dns_name}" - zone_id = "${aws_elb.deploy_elb.zone_id}" + name = aws_elb.deploy_elb.dns_name + zone_id = aws_elb.deploy_elb.zone_id evaluate_target_health = true } } resource "aws_route53_record" "service_record_internal" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "deploy.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.deploy_internal_elb.dns_name}" - zone_id = "${aws_elb.deploy_internal_elb.zone_id}" + name = aws_elb.deploy_internal_elb.dns_name + zone_id = aws_elb.deploy_internal_elb.zone_id evaluate_target_health = true } } locals { - instance_elb_ids_length = "${var.create_external_elb ? 2 : 1}" - instance_elb_ids = "${compact(list(join("", aws_elb.deploy_elb.*.id), aws_elb.deploy_internal_elb.id))}" + instance_elb_ids_length = var.create_external_elb ? 
2 : 1 + instance_elb_ids = compact(list(join("", aws_elb.deploy_elb.*.id), aws_elb.deploy_internal_elb.id)) } module "deploy" { source = "../../modules/aws/node_group" name = "${var.stackname}-deploy" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jenkins", "aws_hostname", "jenkins-1")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.deploy_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jenkins", "aws_hostname", "jenkins-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.deploy_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_deploy_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" - instance_elb_ids_length = "${local.instance_elb_ids_length}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) + instance_elb_ids_length = local.instance_elb_ids_length instance_elb_ids = ["${local.instance_elb_ids}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + instance_ami_filter_name = var.instance_ami_filter_name + 
asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn } resource "aws_ebs_volume" "deploy" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.deploy_subnet)}" - encrypted = "${var.ebs_encrypted}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.deploy_subnet) + encrypted = var.ebs_encrypted size = 40 type = "gp2" tags { Name = "${var.stackname}-deploy" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" aws_hostname = "jenkins-1" aws_migration = "jenkins" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} Deployment" } } resource "aws_iam_policy" "deploy_iam_policy" { name = "${var.stackname}-deploy-additional" path = "/" - policy = "${file("${path.module}/additional_policy.json")}" + policy = file("${path.module}/additional_policy.json") } # Allow the Jenkins server in Production to assume the govuk-codecommit-poweruser role # in the Tools account to mirror GitHub repos in AWS CodeCommit resource "aws_iam_policy" "allow_assume_tools_codecommit_poweruser_policy" { - count = "${var.aws_environment == "production" ? 1 : 0}" + count = var.aws_environment == "production" ? 
1 : 0 name = "govuk-${var.aws_environment}-tools-codecommit-poweruser-policy" description = "Allows assuming the role of 'govuk-codecommit-poweruser' in the Tools environment" - policy = "${data.aws_iam_policy_document.allow_assume_tools_codecommit_poweruser_policy_document.json}" + policy = data.aws_iam_policy_document.allow_assume_tools_codecommit_poweruser_policy_document.json } data "aws_iam_policy_document" "allow_assume_tools_codecommit_poweruser_policy_document" { - count = "${var.aws_environment == "production" ? 1 : 0}" + count = var.aws_environment == "production" ? 1 : 0 statement { actions = [ 
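Review bot: `name = aws_elb.deploy_elb.dns_name` and `zone_id = aws_elb.deploy_elb.zone_id` in service_record reference a resource that has `count` without an instance index; Terraform 0.12, which the bare expressions in this hunk target, rejects that with a missing-resource-instance-key error, so these need `aws_elb.deploy_elb[0].dns_name` / `aws_elb.deploy_elb[0].zone_id`, and the same applies to `policy = data.aws_iam_policy_document.allow_assume_tools_codecommit_poweruser_policy_document.json` at the end of this hunk and to `policy_arn = aws_iam_policy.allow_assume_tools_codecommit_poweruser_policy.arn` in the `@@ -303` hunk that follows. `tags {` on aws_ebs_volume.deploy is likewise the old block form and should be `tags = {`. The `System` tag is `"${var.stackname} Deployment"` on the volume but `"Deployment"` on both ELBs and absent from the node_group default_tags, so the value a cost or ownership report would see differs per resource of the same service. The allow_assume_tools_codecommit_poweruser_policy_document data source continues past the hunk.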
@@ -303,50 +307,50 @@ data "aws_iam_policy_document" "allow_assume_tools_codecommit_poweruser_policy_d } resource "aws_iam_role_policy_attachment" "deploy_iam_role_policy_attachment" { - role = "${module.deploy.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.deploy_iam_policy.arn}" + role = module.deploy.instance_iam_role_name + policy_arn = aws_iam_policy.deploy_iam_policy.arn } resource "aws_iam_role_policy_attachment" "allow_writes_from_artefact_bucket" { - role = "${module.deploy.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.artefact_bucket.write_artefact_bucket_policy_arn}" + role = module.deploy.instance_iam_role_name + policy_arn = data.terraform_remote_state.artefact_bucket.write_artefact_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "allow_reads_from_artefact_bucket" { - role = "${module.deploy.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.artefact_bucket.read_artefact_bucket_policy_arn}" + role = module.deploy.instance_iam_role_name + policy_arn = data.terraform_remote_state.artefact_bucket.read_artefact_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "allow_assume_role_concourse_code_commit" { - count = "${var.aws_environment == "production" ? 1 : 0}" - role = "${module.deploy.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.allow_assume_tools_codecommit_poweruser_policy.arn}" + count = var.aws_environment == "production" ? 
1 : 0 + role = module.deploy.instance_iam_role_name + policy_arn = aws_iam_policy.allow_assume_tools_codecommit_poweruser_policy.arn } resource "aws_iam_role_policy_attachment" "related_links_jenkins" { - role = "${module.deploy.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.app_related_links.policy_related_links_jenkins_policy_arn}" + role = module.deploy.instance_iam_role_name + policy_arn = data.terraform_remote_state.app_related_links.policy_related_links_jenkins_policy_arn } resource "aws_iam_role_policy_attachment" "learn_to_rank_jenkins" { - role = "${module.deploy.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.app_search.scale_learntorank_asg_policy_arn}" + role = module.deploy.instance_iam_role_name + policy_arn = data.terraform_remote_state.app_search.scale_learntorank_asg_policy_arn } locals { - elb_httpcode_backend_5xx_threshold = "${var.create_external_elb ? 50 : 0}" - elb_httpcode_elb_5xx_threshold = "${var.create_external_elb ? 50 : 0}" + elb_httpcode_backend_5xx_threshold = var.create_external_elb ? 50 : 0 + elb_httpcode_elb_5xx_threshold = var.create_external_elb ? 50 : 0 } module "alarms-elb-deploy-external" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-deploy-external" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${join("", aws_elb.deploy_elb.*.name)}" + elb_name = join("", aws_elb.deploy_elb.*.name) httpcode_backend_4xx_threshold = "0" - httpcode_backend_5xx_threshold = "${local.elb_httpcode_backend_5xx_threshold}" + httpcode_backend_5xx_threshold = local.elb_httpcode_backend_5xx_threshold httpcode_elb_4xx_threshold = "0" - httpcode_elb_5xx_threshold = "${local.elb_httpcode_elb_5xx_threshold}" + httpcode_elb_5xx_threshold = local.elb_httpcode_elb_5xx_threshold surgequeuelength_threshold = "0" healthyhostcount_threshold = "0" } 
@@ -355,6 +359,6 @@ module "alarms-elb-deploy-external" { # -------------------------------------------------------------- output "deploy_elb_dns_name" { - value = "${join("", aws_elb.deploy_elb.*.dns_name)}" + value = join("", aws_elb.deploy_elb.*.dns_name) description = "DNS name to access the deploy service" } diff --git a/terraform/projects/app-deploy/remote_state.tf b/terraform/projects/app-deploy/remote_state.tf index 826be4fa0..b3ebeb463 100644 --- a/terraform/projects/app-deploy/remote_state.tf +++ b/terraform/projects/app-deploy/remote_state.tf 
@@ -7,54 +7,54 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_app_related_links_key_stack" { - type = "string" + type = string description = "Override app_related_links remote state path" default = "" } variable "remote_state_app_search_key_stack" { - type = "string" + type = string description = "Override app_search remote state path" default = "" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -66,9 +66,9 @@ data "terraform_remote_state" "app_search" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_app_search_key_stack, var.stackname)}/app-search.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -76,9 +76,9 @@ data "terraform_remote_state" "app_related_links" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/app-related-links.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -86,9 +86,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -96,9 +96,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -106,9 +106,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -116,9 +116,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
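Review bot: `data.terraform_remote_state.app_related_links` builds its key from `var.remote_state_infra_vpc_key_stack` rather than `var.remote_state_app_related_links_key_stack`, which the variables hunk of this file declares but nothing visible in the patch uses; overriding the infra_vpc path would silently change which app-related-links state, and hence which policy ARN is attached to the deploy role, is read. The commit already rewrites this block, so it is the natural place to correct it: `key = "${coalesce(var.remote_state_app_related_links_key_stack, var.stackname)}/app-related-links.tfstate"`. As in the other remote-state hunks, `config {` should become `config = {` for 0.12.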
@@ -126,9 +126,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -136,8 +136,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-deploy/user_data_snippets.tf b/terraform/projects/app-deploy/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-deploy/user_data_snippets.tf +++ b/terraform/projects/app-deploy/user_data_snippets.tf @@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-docker-management/README.md b/terraform/projects/app-docker-management/README.md index 59aca502e..0adef7774 100644 --- a/terraform/projects/app-docker-management/README.md +++ b/terraform/projects/app-docker-management/README.md 
@@ -58,7 +58,7 @@ Docker management node, used to run run adhoc containers. | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-docker-management/main.tf b/terraform/projects/app-docker-management/main.tf index 06917c82f..fdbaea231 100644 --- a/terraform/projects/app-docker-management/main.tf +++ b/terraform/projects/app-docker-management/main.tf @@ -4,39 +4,39 @@ * Docker management node, used to run run adhoc containers. */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t2.medium" } 
@@ -49,12 +49,12 @@ terraform { } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } @@ -65,7 +65,7 @@ resource "aws_elb" "docker_management_etcd_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-docker-management-etcd-internal-elb" interval = 60 } @@ -91,17 +91,17 @@ resource "aws_elb" "docker_management_etcd_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-docker_management_etcd", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "docker_management_etcd")}" + tags = map("Name", "${var.stackname}-docker_management_etcd", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "docker_management_etcd", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Docker Management") } resource "aws_route53_record" "docker_management_etcd_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "etcd.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.docker_management_etcd_elb.dns_name}" - zone_id = "${aws_elb.docker_management_etcd_elb.zone_id}" + name = aws_elb.docker_management_etcd_elb.dns_name + zone_id = aws_elb.docker_management_etcd_elb.zone_id evaluate_target_health = true } } 
@@ -111,22 +111,22 @@ resource "aws_route53_record" "docker_management_etcd_service_record" { module "docker_management" { source = "../../modules/aws/node_group" name = "${var.stackname}-docker_management" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "docker_management", "aws_hostname", "docker-management-1")}" - instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "docker_management", "aws_hostname", "docker-management-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname}") + instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_docker_management_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "1" instance_elb_ids = ["${aws_elb.docker_management_etcd_elb.id}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + instance_ami_filter_name = var.instance_ami_filter_name + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn } module "alarms-elb-docker-management-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-docker-management-internal" alarm_actions = 
["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.docker_management_etcd_elb.name}" + elb_name = aws_elb.docker_management_etcd_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "50" httpcode_elb_4xx_threshold = "0" @@ -139,11 +139,11 @@ module "alarms-elb-docker-management-internal" { # -------------------------------------------------------------- output "docker_management_etcd_elb_dns_name" { - value = "${aws_elb.docker_management_etcd_elb.dns_name}" + value = aws_elb.docker_management_etcd_elb.dns_name description = "DNS name to access the docker_management service" } output "etcd_service_dns_name" { - value = "${aws_route53_record.docker_management_etcd_service_record.fqdn}" + value = aws_route53_record.docker_management_etcd_service_record.fqdn description = "DNS name to access the node service" } diff --git a/terraform/projects/app-docker-management/remote_state.tf b/terraform/projects/app-docker-management/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-docker-management/remote_state.tf +++ b/terraform/projects/app-docker-management/remote_state.tf 
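Review bot: `"System", "${var.stackname}"` in the docker_management default_tags gives the System tag the stack name, while the etcd ELB in the hunk above tags the same service `"System", "Docker Management"` and the deploy node_group in app-deploy sets no System at all; if System is meant to identify the service for ownership and cost reporting, each project needs one agreed literal, and `"${var.stackname}"` is simply `var.stackname`. `instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids` and the asg_notification_topic_arn reference in this hunk also lack the `.outputs.` segment that 0.12 requires for remote-state outputs.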
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-docker-management/user_data_snippets.tf b/terraform/projects/app-docker-management/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-docker-management/user_data_snippets.tf +++ b/terraform/projects/app-docker-management/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-elasticsearch6/main.tf b/terraform/projects/app-elasticsearch6/main.tf index 6c045d220..78e97c71b 100644 --- a/terraform/projects/app-elasticsearch6/main.tf +++ b/terraform/projects/app-elasticsearch6/main.tf @@ -25,6 +25,9 @@ provider "aws" { tags = { terraform_deployment = basename(abspath(path.root)) aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" } } } @@ -152,6 +155,10 @@ resource "aws_elasticsearch_domain" "elasticsearch6" { Name = "${var.stackname}-elasticsearch6" Project = var.stackname aws_stackname = var.stackname + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Elasticsearch" } } 
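Review bot: the `Environment`, `Product` and `Owner` keys added to the elasticsearch6 domain's tags (and to the manual_snapshots bucket in the next hunk) duplicate the keys and values the first hunk adds to the provider-level tags, which appear to sit inside `default_tags` judging by the three closing braces; the resource-level copies are redundant, and if memory serves some 4.x AWS provider releases reported a perpetual diff when a resource tag repeated a default tag, so only the resource-specific `System` should stay on the resource. `Environment = "${var.aws_environment}"` also uses the quoted-interpolation form right next to `aws_environment = var.aws_environment`; `Environment = var.aws_environment` matches the file's 0.12 style in all three places.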
@@ -178,7 +185,13 @@ resource "aws_route53_record" "service_record" { resource "aws_s3_bucket" "manual_snapshots" { bucket = "govuk-${var.aws_environment}-elasticsearch6-manual-snapshots" - tags = { Name = "govuk-${var.aws_environment}-elasticsearch6-manual-snapshots" } + tags = { + Name = "govuk-${var.aws_environment}-elasticsearch6-manual-snapshots" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Elasticsearch Manual Snapshots" + } } resource "aws_s3_bucket_logging" "manual_snapshots" { diff --git a/terraform/projects/app-gatling/README.md b/terraform/projects/app-gatling/README.md index 845787e37..94e54590a 100644 --- a/terraform/projects/app-gatling/README.md +++ b/terraform/projects/app-gatling/README.md @@ -55,7 +55,7 @@ Gatling node | [esm\_trusty\_token](#input\_esm\_trusty\_token) | n/a | `string` | n/a | yes | | [external\_domain\_name](#input\_external\_domain\_name) | The domain name of the external DNS records, it could be different from the zone name | `string` | n/a | yes | | [external\_zone\_name](#input\_external\_zone\_name) | The name of the Route53 zone that contains external records | `string` | n/a | yes | -| [gds\_egress\_ips](#input\_gds\_egress\_ips) | An array of CIDR blocks that will be allowed offsite access. | `list` | n/a | yes | +| [gds\_egress\_ips](#input\_gds\_egress\_ips) | An array of CIDR blocks that will be allowed offsite access. | `list(string)` | n/a | yes | | [instance\_ami\_filter\_name](#input\_instance\_ami\_filter\_name) | Name to use to find AMI images | `string` | `""` | no | | [instance\_type](#input\_instance\_type) | Instance type used for EC2 resources | `string` | `"m5.2xlarge"` | no | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | 
@@ -66,7 +66,7 @@ Gatling node | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-gatling/main.tf b/terraform/projects/app-gatling/main.tf index c73bb2115..14c50a485 100644 --- a/terraform/projects/app-gatling/main.tf +++ b/terraform/projects/app-gatling/main.tf 
@@ -4,73 +4,73 @@ * Gatling node */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "asg_desired_capacity" { - type = "string" + type = string description = "The autoscaling groups desired capacity" default = "0" } variable "asg_max_size" { - type = "string" + type = string description = "The autoscaling groups max_size" default = "0" } variable "asg_min_size" { - type = "string" + type = string description = "The autoscaling groups min_size" default = "0" } variable "ebs_encrypted" { - type = "string" + type = string description = "Whether or not the EBS volume is encrypted" } variable "elb_external_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "external_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains external records" } variable "external_domain_name" { - type = "string" + type = string description = "The domain name of the external DNS records, it could be different from the zone name" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "m5.2xlarge" } variable "gds_egress_ips" { - type = "list" + type = list(string) description = "An array of CIDR blocks that will be allowed offsite access." } @@ -82,12 +82,12 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "external" { - name = "${var.external_zone_name}" + name = var.external_zone_name private_zone = false } 
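Review bot: `version = "2.46.0"` inside `provider "aws"` is carried over unchanged while the block is otherwise moved to the new expression syntax; provider version constraints inside `provider` blocks are deprecated from 0.13 and belong in `terraform { required_providers { aws = { source = "hashicorp/aws", version = "2.46.0" } } }`. The same provider block appears in app-graphite/main.tf in this diff. Note also that 2.46.0 predates the provider's `default_tags` feature, so the provider-level tagging that app-elasticsearch6 and app-govuk-rds use in this commit is not available to these projects at that pin — which is presumably why their tags are repeated per resource via `map(...)`; a comment on the pin explaining that would stop the next reader trying to consolidate them.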
@@ -101,28 +101,28 @@ module "gatling_external_lb" { source = "../../modules/aws/lb" name = "${var.stackname}-gatling-external" internal = false - vpc_id = "${data.terraform_remote_state.infra_vpc.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id access_logs_bucket_prefix = "elb/${var.stackname}-gatling-external-elb" - listener_certificate_domain_name = "${var.elb_external_certname}" + listener_certificate_domain_name = var.elb_external_certname listener_secondary_certificate_domain_name = "" - listener_action = "${local.external_lb_map}" + listener_action = local.external_lb_map subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"] security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_gatling_external_elb_id}"] alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] target_group_health_check_path = "/" target_group_health_check_matcher = "200-499" - default_tags = "${map("Project", var.stackname, "aws_migration", "gatling", "aws_environment", var.aws_environment)}" + default_tags = map("Project", var.stackname, "aws_migration", "gatling", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") } resource "aws_route53_record" "gatling_external_service_record" { - zone_id = "${data.aws_route53_zone.external.zone_id}" + zone_id = data.aws_route53_zone.external.zone_id name = "gatling.${var.external_domain_name}" type = "A" alias { - name = "${module.gatling_external_lb.lb_dns_name}" - zone_id = "${module.gatling_external_lb.lb_zone_id}" + name = module.gatling_external_lb.lb_dns_name + zone_id = module.gatling_external_lb.lb_zone_id evaluate_target_health = true } } 
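Review bot: `subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"]`, `security_groups = [...]` and `alarm_actions = [...]` are left as a list wrapping an interpolation while the neighbouring arguments become bare references; under 0.12 a list output wrapped in `[...]` is a list of lists rather than being flattened, and remote-state values are read via `.outputs`, so these lines are likely to fail validation once the new syntax is in force (`subnets = data.terraform_remote_state.infra_networking.outputs.public_subnet_ids`). The same pattern remains in the `gatling` node_group module in the next hunk and in the `graphite-1` module in app-graphite/main.tf. `map("Project", var.stackname, ...)` is deprecated in 0.12 in favour of an object literal, `default_tags = { Project = var.stackname, ... }`, which would also make the nine-key tag map reviewable one key per line.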
@@ -130,20 +130,20 @@ resource "aws_route53_record" "gatling_external_service_record" { module "gatling" { source = "../../modules/aws/node_group" name = "${var.stackname}-gatling" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "gatling", "aws_hostname", "gatling-1")}" - instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "gatling", "aws_hostname", "gatling-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk") + instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_gatling_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "0" instance_elb_ids = [] - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_max_size = "${var.asg_max_size}" - asg_min_size = "${var.asg_min_size}" - asg_desired_capacity = "${var.asg_desired_capacity}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" - instance_target_group_arns = "${module.gatling_external_lb.target_group_arns}" - instance_target_group_arns_length = "${length(distinct(values(local.external_lb_map)))}" + instance_ami_filter_name = var.instance_ami_filter_name + asg_max_size = var.asg_max_size + asg_min_size = var.asg_min_size + asg_desired_capacity = var.asg_desired_capacity + 
asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn + instance_target_group_arns = module.gatling_external_lb.target_group_arns + instance_target_group_arns_length = length(distinct(values(local.external_lb_map))) root_block_device_volume_size = "30" } @@ -157,8 +157,8 @@ resource "aws_s3_bucket" "results" { } resource "aws_s3_bucket_policy" "results" { - bucket = "${aws_s3_bucket.results.id}" - policy = "${data.aws_iam_policy_document.results_bucket_access.json}" + bucket = aws_s3_bucket.results.id + policy = data.aws_iam_policy_document.results_bucket_access.json } data "aws_iam_policy_document" "results_bucket_access" { @@ -188,6 +188,6 @@ data "aws_iam_policy_document" "results_bucket_access" { # -------------------------------------------------------------- output "instance_iam_role_name" { - value = "${module.gatling.instance_iam_role_name}" + value = module.gatling.instance_iam_role_name description = "name of the instance iam role" } diff --git a/terraform/projects/app-gatling/remote_state.tf b/terraform/projects/app-gatling/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-gatling/remote_state.tf +++ b/terraform/projects/app-gatling/remote_state.tf 
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-gatling/user_data_snippets.tf b/terraform/projects/app-gatling/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-gatling/user_data_snippets.tf +++ b/terraform/projects/app-gatling/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-govuk-attachments/README.md b/terraform/projects/app-govuk-attachments/README.md index 25becade2..a51fb3c59 100644 --- a/terraform/projects/app-govuk-attachments/README.md +++ b/terraform/projects/app-govuk-attachments/README.md @@ -33,7 +33,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [additional\_policy\_attachment\_roles](#input\_additional\_policy\_attachment\_roles) | Additional roles to attach to the readwrite policy, for legacy compatibility. | `list` | `[]` | no | +| [additional\_policy\_attachment\_roles](#input\_additional\_policy\_attachment\_roles) | Additional roles to attach to the readwrite policy, for legacy compatibility. | `list(string)` | `[]` | no | | [aws\_environment](#input\_aws\_environment) | AWS Environment | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no | | [bucket\_name](#input\_bucket\_name) | n/a | `string` | `"govuk-attachments"` | no | diff --git a/terraform/projects/app-govuk-attachments/main.tf b/terraform/projects/app-govuk-attachments/main.tf index ee8c435e9..903f75697 100644 --- a/terraform/projects/app-govuk-attachments/main.tf 
+++ b/terraform/projects/app-govuk-attachments/main.tf @@ -4,53 +4,53 @@ * Creates S3 bucket for asset master attachments storage */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "bucket_name" { - type = "string" + type = string default = "govuk-attachments" } variable "team" { - type = "string" + type = string default = "Infrastructure" } variable "username" { - type = "string" + type = string default = "govuk-attachments" } variable "versioning" { - type = "string" + type = string default = "true" } variable "lifecycle" { - type = "string" + type = string default = false } variable "days_to_keep" { - type = "string" + type = string default = 30 } variable "additional_policy_attachment_roles" { - type = "list" + type = list(string) description = "Additional roles to attach to the readwrite policy, for legacy compatibility." default = [] } 
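Review bot: `variable "lifecycle"` is typed `string` with `default = false` and `variable "days_to_keep"` is typed `string` with `default = 30`; under a `type = string` constraint Terraform 0.12+ converts those defaults to `"false"` and `"30"`, and `"false"` is then used as `count` in the resource hunk that follows, where a whole number is required. Declaring them as `type = bool` and `type = number` matches how they are used, or the resources can use `count = var.lifecycle ? 1 : 0` to keep the string form working. `variable "versioning"` with `default = "true"` has the same string-versus-bool ambiguity and would benefit from `type = bool`.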
@@ -64,59 +64,64 @@ terraform { } resource "aws_s3_bucket" "bucket" { - count = "${var.lifecycle}" + count = var.lifecycle bucket = "${var.bucket_name}-${var.aws_environment}" acl = "private" tags { - Environment = "${var.aws_environment}" - Team = "${var.team}" + Environment = var.aws_environment + Team = var.team + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = var.bucket_name } versioning { - enabled = "${var.versioning}" + enabled = var.versioning } lifecycle_rule { prefix = "" - enabled = "${var.lifecycle}" + enabled = var.lifecycle expiration { - days = "${var.days_to_keep}" + days = var.days_to_keep } } } resource "aws_s3_bucket" "bucket_without_lifecycle" { - count = "${1 - var.lifecycle}" + count = 1 - var.lifecycle bucket = "${var.bucket_name}-${var.aws_environment}" acl = "private" tags { - Environment = "${var.aws_environment}" - Team = "${var.team}" + Environment = var.aws_environment + Team = var.team + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = var.bucket_name } versioning { - enabled = "${var.versioning}" + enabled = var.versioning } } resource "aws_iam_policy" "readwrite_policy" { name = "${var.bucket_name}_${var.username}-policy" description = "${var.bucket_name} allows writes" - policy = "${data.aws_iam_policy_document.readwrite_policy.json}" + policy = data.aws_iam_policy_document.readwrite_policy.json } resource "aws_iam_user" "iam_user" { - name = "${var.username}" + name = var.username } resource "aws_iam_policy_attachment" "iam_policy_attachment" { name = "${var.bucket_name}_${var.username}_attachment_policy" users = ["${aws_iam_user.iam_user.name}"] roles = ["${var.additional_policy_attachment_roles}"] - policy_arn = "${aws_iam_policy.readwrite_policy.arn}" + policy_arn = aws_iam_policy.readwrite_policy.arn } diff --git a/terraform/projects/app-govuk-rds/main.tf b/terraform/projects/app-govuk-rds/main.tf index bf4fe8834..0e6654af5 100644 
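Review bot: `aws_s3_bucket.bucket_without_lifecycle` gains `Owner` and `System` but not `Product = "GOVUK"`, while its sibling `aws_s3_bucket.bucket` gets all three; the two resources are mutually exclusive via `count`, so which one is selected decides whether the bucket carries the Product tag, which undermines any tag-based reporting this commit is meant to enable. Adding `Product = "GOVUK"` to the second block fixes it. Both resources also still use `tags {` as a nested block; in 0.12+ `tags` is a map argument (`tags = {`), and `count = var.lifecycle` / `count = 1 - var.lifecycle` require the variable to be a number or boolean rather than the `string` it is declared as in the previous hunk.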
--- a/terraform/projects/app-govuk-rds/main.tf +++ b/terraform/projects/app-govuk-rds/main.tf @@ -17,6 +17,9 @@ provider "aws" { Project = basename(abspath(path.root)) aws_stackname = var.stackname aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" } } } diff --git a/terraform/projects/app-govuk-rds/rds.tf b/terraform/projects/app-govuk-rds/rds.tf index e1c2770e2..7c9b14fa1 100644 --- a/terraform/projects/app-govuk-rds/rds.tf +++ b/terraform/projects/app-govuk-rds/rds.tf @@ -2,7 +2,13 @@ resource "aws_db_subnet_group" "subnet_group" { name = "${var.stackname}-govuk-rds-subnet" subnet_ids = data.terraform_remote_state.infra_networking.outputs.private_subnet_rds_ids - tags = { Name = "${var.stackname}-govuk-rds-subnet" } + tags = { + Name = "${var.stackname}-govuk-rds-subnet" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} Database" + } } resource "aws_db_parameter_group" "engine_params" { @@ -59,7 +65,13 @@ resource "aws_db_instance" "instance" { final_snapshot_identifier = "${each.value.name}-final-snapshot" skip_final_snapshot = var.skip_final_snapshot - tags = { Name = "${var.stackname}-govuk-rds-${each.value.name}-${each.value.engine}" } + tags = { + Name = "${var.stackname}-govuk-rds-${each.value.name}-${each.value.engine}" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} ${each.value.name} ${each.value.engine} Database" + } } resource "aws_db_event_subscription" "subscription" { diff --git a/terraform/projects/app-graphite/README.md b/terraform/projects/app-graphite/README.md index c33374ac6..a8773ade6 100644 --- a/terraform/projects/app-graphite/README.md +++ b/terraform/projects/app-graphite/README.md 
@@ -81,7 +81,7 @@ Graphite node | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-graphite/main.tf b/terraform/projects/app-graphite/main.tf index 9ffe7693b..fa2413ee7 100644 --- a/terraform/projects/app-graphite/main.tf +++ b/terraform/projects/app-graphite/main.tf 
@@ -4,70 +4,70 @@ * Graphite node */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "ebs_encrypted" { - type = "string" + type = string description = "Whether or not the EBS volume is encrypted" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "graphite_1_subnet" { - type = "string" + type = string description = "Name of the subnet to place the Graphite instance 1 and EBS volume" } variable "elb_external_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "elb_internal_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "remote_state_infra_graphite_backups_bucket_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_graphite_backups_bucket remote state" default = "govuk" } variable "external_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains external records" } variable "external_domain_name" { - type = "string" + type = string description = "The domain name of the external DNS records, it could be different from the zone name" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } 
@@ -77,13 +77,13 @@ variable "create_external_elb" { } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "m5.xlarge" } variable "ebs_volume_size" { - type = "string" + type = string description = "EBS Volume size in GB" default = "250" } @@ -96,32 +96,32 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "external" { - name = "${var.external_zone_name}" + name = var.external_zone_name private_zone = false } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } data "aws_acm_certificate" "elb_external_cert" { - domain = "${var.elb_external_certname}" + domain = var.elb_external_certname statuses = ["ISSUED"] } data "aws_acm_certificate" "elb_internal_cert" { - domain = "${var.elb_internal_certname}" + domain = var.elb_internal_certname statuses = ["ISSUED"] } resource "aws_elb" "graphite_external_elb" { - count = "${var.create_external_elb}" + count = var.create_external_elb name = "${var.stackname}-graphite-external" subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"] @@ -129,7 +129,7 @@ resource "aws_elb" "graphite_external_elb" { internal = "false" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-graphite-external-elb" interval = 60 } @@ -140,7 +140,7 @@ resource "aws_elb" "graphite_external_elb" { lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_external_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_external_cert.arn } health_check { 
@@ -157,33 +157,33 @@ resource "aws_elb" "graphite_external_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-graphite-external", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "graphite")}" + tags = map("Name", "${var.stackname}-graphite-external", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "graphite", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Graphite") } resource "aws_route53_record" "graphite_external_service_record" { - count = "${var.create_external_elb}" + count = var.create_external_elb - zone_id = "${data.aws_route53_zone.external.zone_id}" + zone_id = data.aws_route53_zone.external.zone_id name = "graphite.${var.external_domain_name}" type = "A" alias { - name = "${aws_elb.graphite_external_elb.dns_name}" - zone_id = "${aws_elb.graphite_external_elb.zone_id}" + name = aws_elb.graphite_external_elb.dns_name + zone_id = aws_elb.graphite_external_elb.zone_id evaluate_target_health = true } } resource "aws_route53_record" "grafana_external_service_record" { - count = "${var.create_external_elb}" + count = var.create_external_elb - zone_id = "${data.aws_route53_zone.external.zone_id}" + zone_id = data.aws_route53_zone.external.zone_id name = "grafana.${var.external_domain_name}" type = "A" alias { - name = "${aws_elb.graphite_external_elb.dns_name}" - zone_id = "${aws_elb.graphite_external_elb.zone_id}" + name = aws_elb.graphite_external_elb.dns_name + zone_id = aws_elb.graphite_external_elb.zone_id evaluate_target_health = true } } 
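Review bot: `name = aws_elb.graphite_external_elb.dns_name` and `zone_id = aws_elb.graphite_external_elb.zone_id` in `graphite_external_service_record` and `grafana_external_service_record` reference a resource that has `count = var.create_external_elb` without an instance index; in 0.12+ that is rejected as a missing resource instance key and needs `aws_elb.graphite_external_elb[count.index].dns_name`, since the records share the same count. The `tags = map("Name", ..., "System", "Graphite")` line packs twelve positional arguments into a deprecated `map()` call; an object literal (`tags = { Name = "${var.stackname}-graphite-external", Project = var.stackname, ... }`) is the 0.12 form and is far easier to diff. The same `map()` form is used on `graphite_internal_elb` and on the `graphite-1` module in the later hunks.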
@@ -195,7 +195,7 @@ resource "aws_elb" "graphite_internal_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-graphite-internal-elb" interval = 60 } @@ -220,7 +220,7 @@ resource "aws_elb" "graphite_internal_elb" { lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_internal_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_internal_cert.arn } health_check { 
@@ -237,98 +237,102 @@ resource "aws_elb" "graphite_internal_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-graphite-internal", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "graphite")}" + tags = map("Name", "${var.stackname}-graphite-internal", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "graphite", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Graphite") } resource "aws_route53_record" "graphite_internal_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "graphite.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.graphite_internal_elb.dns_name}" - zone_id = "${aws_elb.graphite_internal_elb.zone_id}" + name = aws_elb.graphite_internal_elb.dns_name + zone_id = aws_elb.graphite_internal_elb.zone_id evaluate_target_health = true } } resource "aws_route53_record" "grafana_internal_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "grafana.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.graphite_internal_elb.dns_name}" - zone_id = "${aws_elb.graphite_internal_elb.zone_id}" + name = aws_elb.graphite_internal_elb.dns_name + zone_id = aws_elb.graphite_internal_elb.zone_id evaluate_target_health = true } } locals { - instance_elb_ids_length = "${var.create_external_elb ? 2 : 1}" - instance_elb_ids = "${compact(list(aws_elb.graphite_internal_elb.id, join("", aws_elb.graphite_external_elb.*.id)))}" + instance_elb_ids_length = var.create_external_elb ? 
2 : 1 + instance_elb_ids = compact(list(aws_elb.graphite_internal_elb.id, join("", aws_elb.graphite_external_elb.*.id))) } module "graphite-1" { source = "../../modules/aws/node_group" name = "${var.stackname}-graphite-1" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "graphite", "aws_hostname", "graphite-1")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.graphite_1_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "graphite", "aws_hostname", "graphite-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Graphite") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.graphite_1_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_graphite_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" - instance_elb_ids_length = "${local.instance_elb_ids_length}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) + instance_elb_ids_length = local.instance_elb_ids_length instance_elb_ids = ["${local.instance_elb_ids}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + 
instance_ami_filter_name = var.instance_ami_filter_name + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn } resource "aws_ebs_volume" "graphite-1" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.graphite_1_subnet)}" - encrypted = "${var.ebs_encrypted}" - size = "${var.ebs_volume_size}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.graphite_1_subnet) + encrypted = var.ebs_encrypted + size = var.ebs_volume_size type = "io1" iops = 1000 tags { Name = "${var.stackname}-graphite-1" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment aws_migration = "graphite" aws_hostname = "graphite-1" + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Graphite" } } resource "aws_iam_policy" "graphite_1_iam_policy" { name = "${var.stackname}-graphite-1-additional" path = "/" - policy = "${file("${path.module}/additional_policy.json")}" + policy = file("${path.module}/additional_policy.json") } resource "aws_iam_role_policy_attachment" "graphite_1_iam_role_policy_attachment" { - role = "${module.graphite-1.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.graphite_1_iam_policy.arn}" + role = module.graphite-1.instance_iam_role_name + policy_arn = aws_iam_policy.graphite_1_iam_policy.arn } resource "aws_iam_role_policy_attachment" "graphite_1_iam_role_policy_cloudwatch_attachment" { - role = "${module.graphite-1.instance_iam_role_name}" + role = module.graphite-1.instance_iam_role_name policy_arn = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess" } resource "aws_iam_role_policy_attachment" 
"access_graphite_backups_iam_role_policy_attachment" { - role = "${module.graphite-1.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_graphite_backups_bucket.access_graphite_backups_bucket_policy_arn}" + role = module.graphite-1.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_graphite_backups_bucket.access_graphite_backups_bucket_policy_arn } data "terraform_remote_state" "infra_graphite_backups_bucket" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_graphite_backups_bucket_key_stack, var.stackname)}/infra-graphite-backups-bucket.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -336,7 +340,7 @@ module "alarms-elb-graphite-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-graphite-internal" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.graphite_internal_elb.name}" + elb_name = aws_elb.graphite_internal_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "100" httpcode_elb_4xx_threshold = "100" 
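Review bot: `tags {` in `aws_ebs_volume.graphite-1` is still a nested block while its values become bare expressions; `tags` is a map argument in 0.12+ and must be `tags = {`. In the same hunk `compact(list(...))` in `locals` and `list(var.graphite_1_subnet)` in the `graphite-1` module use `list()`, which is deprecated in 0.12 in favour of a `[...]` literal (`compact([aws_elb.graphite_internal_elb.id, join("", aws_elb.graphite_external_elb.*.id)])`), and `instance_elb_ids = ["${local.instance_elb_ids}"]` wraps a list in a list where a plain `instance_elb_ids = local.instance_elb_ids` is wanted. The hunk opens inside `aws_elb.graphite_internal_elb`, whose first lines are outside it.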
@@ -346,19 +350,19 @@ module "alarms-elb-graphite-internal" { } locals { - elb_httpcode_backend_5xx_threshold = "${var.create_external_elb ? 100 : 0}" - elb_httpcode_elb_5xx_threshold = "${var.create_external_elb ? 100 : 0}" + elb_httpcode_backend_5xx_threshold = var.create_external_elb ? 100 : 0 + elb_httpcode_elb_5xx_threshold = var.create_external_elb ? 100 : 0 } module "alarms-elb-graphite-external" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-graphite-external" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${join("", aws_elb.graphite_external_elb.*.name)}" + elb_name = join("", aws_elb.graphite_external_elb.*.name) httpcode_backend_4xx_threshold = "0" - httpcode_backend_5xx_threshold = "${local.elb_httpcode_backend_5xx_threshold}" + httpcode_backend_5xx_threshold = local.elb_httpcode_backend_5xx_threshold httpcode_elb_4xx_threshold = "0" - httpcode_elb_5xx_threshold = "${local.elb_httpcode_elb_5xx_threshold}" + httpcode_elb_5xx_threshold = local.elb_httpcode_elb_5xx_threshold surgequeuelength_threshold = "0" healthyhostcount_threshold = "0" } @@ -367,11 +371,11 @@ module "alarms-elb-graphite-external" { # -------------------------------------------------------------- output "graphite_internal_service_dns_name" { - value = "${aws_route53_record.graphite_internal_service_record.fqdn}" + value = aws_route53_record.graphite_internal_service_record.fqdn description = "DNS name to access the Graphite internal service" } output "graphite_external_elb_dns_name" { - value = "${join("", aws_route53_record.graphite_external_service_record.*.fqdn)}" + value = join("", aws_route53_record.graphite_external_service_record.*.fqdn) description = "DNS name to access the Graphite external service" } diff --git a/terraform/projects/app-graphite/remote_state.tf b/terraform/projects/app-graphite/remote_state.tf index fee326ea3..7e9222d71 100644 
--- a/terraform/projects/app-graphite/remote_state.tf +++ b/terraform/projects/app-graphite/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
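Review bot: The `terraform_remote_state` data sources keep the nested block form `config {` while their contents are converted to 0.12 expression syntax; `config` is an attribute on that data source, so if this patch is meant to run under 0.12 it presumably needs `config = {` (inferred — the required Terraform version is not visible in this hunk). The identical remote_state.tf hunks for app-jumpbox and app-licensify-backend later in the patch have the same leftover. The `key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate"` lines are correct as written, since they are genuine string templates rather than interpolation-only strings.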
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-graphite/user_data_snippets.tf b/terraform/projects/app-graphite/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-graphite/user_data_snippets.tf +++ b/terraform/projects/app-graphite/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-jumpbox/README.md b/terraform/projects/app-jumpbox/README.md index 208717624..f5f542f56 100644 --- a/terraform/projects/app-jumpbox/README.md +++ b/terraform/projects/app-jumpbox/README.md @@ -59,7 +59,7 @@ Jumpbox node | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-jumpbox/main.tf b/terraform/projects/app-jumpbox/main.tf index 135fb736e..d72920160 100644 --- a/terraform/projects/app-jumpbox/main.tf +++ b/terraform/projects/app-jumpbox/main.tf 
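Review bot: The third argument of `replace()` is still the interpolation-only string `"${var.esm_trusty_token}"`, which this commit removes everywhere else; the line should read `snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", var.esm_trusty_token)`. The identical hunks in app-jumpbox and app-licensify-backend user_data_snippets.tf carry the same leftover. `variable "esm_trusty_token"` is also the only variable touched by this patch without a `description`; `description = "Token substituted for ESM_TRUSTY_TOKEN in the user-data snippets"` would document what the visible code does with it. Worth noting, though pre-existing rather than introduced here, that the substituted value is recorded in the `null_resource` `triggers` and therefore in the state file, so the remote state bucket has to be treated as holding this token. If the target is Terraform 0.12, `triggers {` likely also needs to become `triggers = {`, as it is an attribute — I cannot confirm the required version from this hunk.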
@@ -4,34 +4,34 @@ * Jumpbox node */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "external_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains external records" } variable "external_domain_name" { - type = "string" + type = string description = "The domain name of the external DNS records, it could be different from the zone name" } @@ -41,7 +41,7 @@ variable "create_external_elb" { } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t2.micro" } @@ -54,17 +54,17 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "external" { - name = "${var.external_zone_name}" + name = var.external_zone_name private_zone = false } resource "aws_elb" "jumpbox_external_elb" { - count = "${var.create_external_elb}" + count = var.create_external_elb name = "${var.stackname}-jumpbox" subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"] @@ -72,7 +72,7 @@ resource "aws_elb" "jumpbox_external_elb" { internal = "false" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-jumpbox-external-elb" interval = 60 } 
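Review bot: `count = var.create_external_elb` on `aws_elb.jumpbox_external_elb` relies on the variable converting directly to a number, whereas the `locals` further down the same file use `var.create_external_elb ? 1 : 0`; under 0.12's stricter conversions only one of those forms can be valid for a given representation of the variable (a bool fails as `count`, a numeric or `"1"` value fails in the conditional), and its type and default sit in the `@@ -41` hunk that is only partly visible here. Picking one convention — `count = var.create_external_elb ? 1 : 0` if the variable is a bool — and applying it to both this resource and the `aws_route53_record.service_record` count keeps the two in step. The `aws_elb` resource body continues past this hunk.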
@@ -97,70 +97,70 @@ resource "aws_elb" "jumpbox_external_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-jumpbox", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jumpbox")}" + tags = map("Name", "${var.stackname}-jumpbox", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jumpbox", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Jumpbox") } resource "aws_route53_record" "service_record" { - count = "${var.create_external_elb}" + count = var.create_external_elb - zone_id = "${data.aws_route53_zone.external.zone_id}" + zone_id = data.aws_route53_zone.external.zone_id name = "jumpbox.${var.external_domain_name}" type = "A" alias { - name = "${aws_elb.jumpbox_external_elb.dns_name}" - zone_id = "${aws_elb.jumpbox_external_elb.zone_id}" + name = aws_elb.jumpbox_external_elb.dns_name + zone_id = aws_elb.jumpbox_external_elb.zone_id evaluate_target_health = true } } locals { - instance_elb_ids_length = "${var.create_external_elb ? 1 : 0}" - instance_elb_ids = "${compact(list(join("", aws_elb.jumpbox_external_elb.*.id)))}" + instance_elb_ids_length = var.create_external_elb ? 
1 : 0 + instance_elb_ids = compact(list(join("", aws_elb.jumpbox_external_elb.*.id))) } module "jumpbox" { source = "../../modules/aws/node_group" name = "${var.stackname}-jumpbox" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jumpbox", "aws_hostname", "jumpbox-1")}" - instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jumpbox", "aws_hostname", "jumpbox-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Jumpbox") + instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_jumpbox_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids = ["${local.instance_elb_ids}"] - instance_elb_ids_length = "${local.instance_elb_ids_length}" - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + instance_elb_ids_length = local.instance_elb_ids_length + instance_ami_filter_name = var.instance_ami_filter_name + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn root_block_device_volume_size = "64" } locals { - surgequeuelength_threshold = "${var.create_external_elb ? 
200 : 0}" - healthyhostcount_threshold = "${var.create_external_elb ? 1 : 0}" + surgequeuelength_threshold = var.create_external_elb ? 200 : 0 + healthyhostcount_threshold = var.create_external_elb ? 1 : 0 } module "alarms-elb-jumpbox-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-jumpbox-external" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${join("", aws_elb.jumpbox_external_elb.*.name)}" + elb_name = join("", aws_elb.jumpbox_external_elb.*.name) httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "0" httpcode_elb_4xx_threshold = "0" httpcode_elb_5xx_threshold = "0" - surgequeuelength_threshold = "${local.surgequeuelength_threshold}" - healthyhostcount_threshold = "${local.healthyhostcount_threshold}" + surgequeuelength_threshold = local.surgequeuelength_threshold + healthyhostcount_threshold = local.healthyhostcount_threshold } # Outputs # -------------------------------------------------------------- output "jumpbox_elb_address" { - value = "${join("", aws_elb.jumpbox_external_elb.*.dns_name)}" + value = join("", aws_elb.jumpbox_external_elb.*.dns_name) description = "AWS' internal DNS name for the jumpbox ELB" } output "service_dns_name" { - value = "${join("", aws_route53_record.service_record.*.name)}" + value = join("", aws_route53_record.service_record.*.name) description = "DNS name to access the node service" } diff --git a/terraform/projects/app-jumpbox/remote_state.tf b/terraform/projects/app-jumpbox/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-jumpbox/remote_state.tf +++ b/terraform/projects/app-jumpbox/remote_state.tf 
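Review bot: The rewritten `tags = map(...)` and `default_tags = map(...)` lines keep the 0.11-era `map()` function, which 0.12 deprecates in favour of object literals, and now repeat the same seven key/value pairs (Project, aws_environment, aws_migration, Environment, Product, Owner, System) in two places, so the next tag change has to be made twice. A `locals` map holding the shared tags plus `merge()` at each use site gives one source of truth and a readable diff; the `aws_ebs_volume` tag blocks elsewhere in this commit already use the literal form. The `["${local.instance_elb_ids}"]` list-in-string wrapping left in the context lines is worth a follow-up under 0.12 but is not introduced by this change.
```hcl
locals {
  # Tags every jumpbox resource shares; resource-specific keys are merged in at each use site.
  jumpbox_common_tags = {
    Project         = var.stackname
    aws_environment = var.aws_environment
    aws_migration   = "jumpbox"
    Environment     = var.aws_environment
    Product         = "GOVUK"
    Owner           = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
    System          = "Jumpbox"
  }
}

# … unchanged: aws_elb "jumpbox_external_elb" body up to connection_draining_timeout …
  tags = merge(local.jumpbox_common_tags, { Name = "${var.stackname}-jumpbox" })

# … unchanged: aws_route53_record "service_record", locals, module "jumpbox" header …
  default_tags = merge(local.jumpbox_common_tags, { aws_stackname = var.stackname, aws_hostname = "jumpbox-1" })
```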
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-jumpbox/user_data_snippets.tf b/terraform/projects/app-jumpbox/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-jumpbox/user_data_snippets.tf +++ b/terraform/projects/app-jumpbox/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-licensify-backend/README.md b/terraform/projects/app-licensify-backend/README.md index 493993941..f5449fbdf 100644 --- a/terraform/projects/app-licensify-backend/README.md +++ b/terraform/projects/app-licensify-backend/README.md @@ -43,7 +43,7 @@ Licensify Backend nodes | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [app\_service\_records](#input\_app\_service\_records) | List of application service names that get traffic via the internal LB | `list` | `[]` | no | +| [app\_service\_records](#input\_app\_service\_records) | List of application service names that get traffic via the internal LB | `list(string)` | `[]` | no | | [asg\_size](#input\_asg\_size) | The autoscaling group's desired/max/min capacity. licensify-feed can only have one master instance and mastership is manually configured. | `string` | `"1"` | no | | [aws\_environment](#input\_aws\_environment) | AWS Environment | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no | 
@@ -59,7 +59,7 @@ Licensify Backend nodes | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-licensify-backend/main.tf b/terraform/projects/app-licensify-backend/main.tf index 75d62398d..152a3e672 100644 --- a/terraform/projects/app-licensify-backend/main.tf +++ b/terraform/projects/app-licensify-backend/main.tf 
@@ -4,46 +4,46 @@ * Licensify Backend nodes */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "elb_internal_certname" { - type = "string" + type = string description = "The domain name of the ACM cert to use for the internal LB" } variable "app_service_records" { - type = "list" + type = list(string) description = "List of application service names that get traffic via the internal LB" default = [] } variable "asg_size" { - type = "string" + type = string description = "The autoscaling group's desired/max/min capacity. licensify-feed can only have one master instance and mastership is manually configured." default = "1" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "m5.large" } @@ -56,17 +56,17 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "internal" { - name = "${data.terraform_remote_state.infra_root_dns_zones.internal_root_domain_name}" + name = data.terraform_remote_state.infra_root_dns_zones.internal_root_domain_name private_zone = true } data "aws_acm_certificate" "elb_internal_cert" { - domain = "${var.elb_internal_certname}" + domain = var.elb_internal_certname statuses = ["ISSUED"] } 
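Review bot: Variables that carry numeric values, such as `asg_size` (`default = "1"`, fed to `asg_max_size`/`asg_min_size`/`asg_desired_capacity`), keep `type = string` even though this commit is introducing 0.12 type constraints; `type = number` with `default = 1` would reject non-numeric input at plan time rather than at the autoscaling API. The same applies to `instance_count`, `backup_retention_period` and `profiler_threshold_ms` in app-licensify-documentdb/main.tf. Existing tfvars that pass quoted numbers should keep working, since 0.12 converts `"1"` to a number, so the change looks backward-compatible — worth a quick plan against each environment to confirm.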
@@ -74,10 +74,10 @@ module "internal_lb" { source = "../../modules/aws/lb" name = "licensify-backend-internal" internal = true - vpc_id = "${data.terraform_remote_state.infra_vpc.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id access_logs_bucket_prefix = "elb/licensify-backend-internal-elb" - listener_certificate_domain_name = "${var.elb_internal_certname}" + listener_certificate_domain_name = var.elb_internal_certname target_group_health_check_path = "/healthcheck" listener_action = { @@ -92,20 +92,24 @@ module "internal_lb" { Project = "${var.stackname}" aws_migration = "licensing_backend" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "Licensing" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Licensify" } } # For each service name (there is only licensify-admin for now), create DNS A # records pointing at the internal LB. resource "aws_route53_record" "internal_service_names" { - count = "${length(var.app_service_records)}" - zone_id = "${data.aws_route53_zone.internal.zone_id}" + count = length(var.app_service_records) + zone_id = data.aws_route53_zone.internal.zone_id name = "${element(var.app_service_records, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.internal_root_domain_name}" type = "A" alias { - name = "${module.internal_lb.lb_dns_name}" - zone_id = "${module.internal_lb.lb_zone_id}" + name = module.internal_lb.lb_dns_name + zone_id = module.internal_lb.lb_zone_id evaluate_target_health = true } } 
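Review bot: The new `Environment = "${var.aws_environment}"` tag on `module "internal_lb"` uses the interpolation-only string form that this commit is otherwise removing (the neighbouring `Project` and `aws_environment` context lines are the same); `Environment = var.aws_environment` matches the rest of the change. The same leftover appears in the `module "licensify-backend"` tags in the next hunk and in the `aws_docdb_cluster` tags in app-licensify-documentdb/main.tf. `Environment` now duplicates `aws_environment` with the same value, which is fine if separate tooling consumes each key, but a one-line comment above the tag map explaining why both are kept would help the next reader.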
@@ -120,19 +124,23 @@ module "licensify-backend" { aws_environment = "${var.aws_environment}" aws_migration = "licensing_backend" aws_hostname = "licensify-backend-1" + Environment = "${var.aws_environment}" + Product = "Lienses" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Apt Package Storage" } - instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}" + instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_licensify-backend_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_target_group_arns_length = "1" instance_target_group_arns = ["${module.internal_lb.target_group_arns[0]}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_max_size = "${var.asg_size}" - asg_min_size = "${var.asg_size}" - asg_desired_capacity = "${var.asg_size}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + instance_ami_filter_name = var.instance_ami_filter_name + asg_max_size = var.asg_size + asg_min_size = var.asg_size + asg_desired_capacity = var.asg_size + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn root_block_device_volume_size = "50" } 
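Review bot: `Product = "Lienses"` and `System = "Apt Package Storage"` on `module "licensify-backend"` look like a typo and a copy-paste from app-apt: the `internal_lb` module in the same file tags the same service as `Product = "Licensing"` / `System = "Licensify"`. Since this commit exists to standardise tagging, and Owner/Product/System are exactly what cost allocation and any tag-based access or lifecycle policies key on, these instances would be attributed to the wrong system; the lines should read `Product = "Licensing"` and `System = "Licensify"`. The `aws_docdb_cluster` tags in app-licensify-documentdb/main.tf also carry `System = "Apt Package Storage"` and should be corrected the same way. The enclosing module block starts outside this hunk.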
@@ -140,6 +148,6 @@ module "licensify-backend" { # -------------------------------------------------------------- output "licensify-backend_internal_elb_dns_name" { - value = "${module.internal_lb.lb_dns_name}" + value = module.internal_lb.lb_dns_name description = "Internal DNS name for the licensify-backend internal LB" } diff --git a/terraform/projects/app-licensify-backend/remote_state.tf b/terraform/projects/app-licensify-backend/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-licensify-backend/remote_state.tf +++ b/terraform/projects/app-licensify-backend/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } 
@@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-licensify-backend/user_data_snippets.tf b/terraform/projects/app-licensify-backend/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-licensify-backend/user_data_snippets.tf +++ b/terraform/projects/app-licensify-backend/user_data_snippets.tf @@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-licensify-documentdb/main.tf b/terraform/projects/app-licensify-documentdb/main.tf index b1b95da6b..13064f5c7 100644 --- a/terraform/projects/app-licensify-documentdb/main.tf +++ b/terraform/projects/app-licensify-documentdb/main.tf 
@@ -4,64 +4,64 @@ * DocumentDB cluster for Licensify */ variable "aws_environment" { - type = "string" + type = string description = "AWS environment" } variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "master_password" { - type = "string" + type = string description = "Password of master user on Licensify DocumentDB cluster" } variable "master_username" { - type = "string" + type = string description = "Username of master user on Licensify DocumentDB cluster" } variable "tls" { - type = "string" + type = string description = "Whether to enable or disable TLS for the Licensify DocumentDB cluster. Must be either 'enabled' or 'disabled'." default = "enabled" } variable "profiler" { - type = "string" + type = string description = "Whether to log slow queries to CloudWatch. Must be either 'enabled' or 'disabled'." default = "enabled" } variable "profiler_threshold_ms" { - type = "string" + type = string description = "Queries which take longer than this number of milliseconds are logged to CloudWatch if profiler is enabled. Minimum is 50." default = "300" } variable "backup_retention_period" { - type = "string" + type = string description = "Retention period in days for DocumentDB automatic snapshots" default = "1" } variable "instance_count" { - type = "string" + type = string description = "Instance count used for Licensify DocumentDB resources" default = "3" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for Licensify DocumentDB resources" default = "db.r5.large" } variable "stackname" { - type = "string" + type = string description = "Stackname" } @@ -73,7 +73,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } 
@@ -89,54 +89,58 @@ resource "aws_docdb_cluster_parameter_group" "licensify_parameter_group" {
 parameter {
 name = "tls"
- value = "${var.tls}"
+ value = var.tls
 }
 parameter {
 name = "profiler"
- value = "${var.profiler}"
+ value = var.profiler
 }
 parameter {
 name = "profiler_threshold_ms"
- value = "${var.profiler_threshold_ms}"
+ value = var.profiler_threshold_ms
 }
 }
 resource "aws_docdb_cluster" "licensify_cluster" {
 cluster_identifier = "licensify-documentdb-${var.aws_environment}"
 availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
- db_subnet_group_name = "${aws_docdb_subnet_group.licensify_cluster_subnet.name}"
- db_cluster_parameter_group_name = "${aws_docdb_cluster_parameter_group.licensify_parameter_group.name}"
- master_username = "${var.master_username}"
- master_password = "${var.master_password}"
+ db_subnet_group_name = aws_docdb_subnet_group.licensify_cluster_subnet.name
+ db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.licensify_parameter_group.name
+ master_username = var.master_username
+ master_password = var.master_password
 storage_encrypted = true
- backup_retention_period = "${var.backup_retention_period}"
- kms_key_id = "${data.terraform_remote_state.infra_security.outputs.licensify_documentdb_kms_key_arn}"
+ backup_retention_period = var.backup_retention_period
+ kms_key_id = data.terraform_remote_state.infra_security.outputs.licensify_documentdb_kms_key_arn
 vpc_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.outputs.sg_licensify_documentdb_id}"]
 # enabled_cloudwatch_logs_exports is ["profiler"] if profiling is enabled, otherwise [].
- enabled_cloudwatch_logs_exports = "${slice("${list("profiler")}", 0, var.profiler == "enabled" ? 1 : 0)}"
+ enabled_cloudwatch_logs_exports = slice("${list("profiler")}", 0, var.profiler == "enabled" ?
1 : 0)
 tags = {
- Service = "documentdb"
- Customer = "licensify"
- Name = "licensify-documentdb"
- Source = "app-licensify-documentdb"
+ Service = "documentdb"
+ Customer = "licensify"
+ Name = "licensify-documentdb"
+ Source = "app-licensify-documentdb"
+ Environment = "${var.aws_environment}"
+ Product = "Licensing"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Apt Package Storage"
 }
 }
 resource "aws_docdb_cluster_instance" "licensify_cluster_instances" {
- count = "${var.instance_count}"
+ count = var.instance_count
 identifier = "licensify-documentdb-${count.index}"
- cluster_identifier = "${aws_docdb_cluster.licensify_cluster.id}"
- instance_class = "${var.instance_type}"
- tags = "${aws_docdb_cluster.licensify_cluster.tags}"
+ cluster_identifier = aws_docdb_cluster.licensify_cluster.id
+ instance_class = var.instance_type
+ tags = aws_docdb_cluster.licensify_cluster.tags
 }
 # Outputs
 # --------------------------------------------------------------
 output "licensify_documentdb_endpoint" {
- value = "${aws_docdb_cluster.licensify_cluster.endpoint}"
+ value = aws_docdb_cluster.licensify_cluster.endpoint
 description = "The endpoint of the Licensify DocumentDB"
 }
diff --git a/terraform/projects/app-licensify-documentdb/remote_state.tf b/terraform/projects/app-licensify-documentdb/remote_state.tf
index 49704fa46..9eb51a7c8 100644
--- a/terraform/projects/app-licensify-documentdb/remote_state.tf
+++ b/terraform/projects/app-licensify-documentdb/remote_state.tf
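Review bot: the new `System = "Apt Package Storage"` tag on `aws_docdb_cluster.licensify_cluster` looks copied from the app-apt project; every other tag on this resource names Licensify/DocumentDB, and `aws_docdb_cluster_instance.licensify_cluster_instances` inherits it through `tags = aws_docdb_cluster.licensify_cluster.tags`, so the wrong system/ownership tag would propagate to every instance and misroute anything keyed on it. Something like `System = "Licensing DocumentDB"` is presumably what was intended — confirm against the tagging convention used in the other Licensify hunks. `Environment = "${var.aws_environment}"` can also be `Environment = var.aws_environment`, matching the rest of this hunk.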
@@ -7,24 +7,24 @@ */
 variable "remote_state_bucket" {
- type = "string"
+ type = string
 description = "S3 bucket we store our terraform state in"
 }
 variable "remote_state_infra_networking_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_networking remote state path"
 default = ""
 }
 variable "remote_state_infra_security_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_security stackname path to infra_vpc remote state "
 default = ""
 }
 variable "remote_state_infra_security_groups_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_security_groups stackname path to infra_vpc remote state "
 default = ""
 }
diff --git a/terraform/projects/app-licensify-frontend/README.md b/terraform/projects/app-licensify-frontend/README.md
index d414d3a3f..ff562e27e 100644
--- a/terraform/projects/app-licensify-frontend/README.md
+++ b/terraform/projects/app-licensify-frontend/README.md
@@ -45,7 +45,7 @@ Licensify Frontend nodes
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [app\_service\_records](#input\_app\_service\_records) | List of application service names that get traffic via this loadbalancer | `list` | `[]` | no |
+| [app\_service\_records](#input\_app\_service\_records) | List of application service names that get traffic via this loadbalancer | `list(string)` | `[]` | no |
 | [asg\_size](#input\_asg\_size) | The autoscaling groups desired/max/min capacity | `string` | `"2"` | no |
 | [aws\_environment](#input\_aws\_environment) | AWS Environment | `string` | n/a | yes |
 | [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no |
@@ -65,7 +65,7 @@ Licensify Frontend nodes
 | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no |
 | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no |
 | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes |
-| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes |
+| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes |
 ## Outputs
diff --git a/terraform/projects/app-licensify-frontend/main.tf b/terraform/projects/app-licensify-frontend/main.tf
index 2e0463006..9ef732969 100644
--- a/terraform/projects/app-licensify-frontend/main.tf
+++ b/terraform/projects/app-licensify-frontend/main.tf
@@ -4,67 +4,67 @@ * Licensify Frontend nodes */
 variable "aws_region" {
- type = "string"
+ type = string
 description = "AWS region"
 default = "eu-west-1"
 }
 variable "stackname" {
- type = "string"
+ type = string
 description = "Stackname"
 }
 variable "aws_environment" {
- type = "string"
+ type = string
 description = "AWS Environment"
 }
 variable "instance_ami_filter_name" {
- type = "string"
+ type = string
 description = "Name to use to find AMI images"
 default = ""
 }
 variable "asg_size" {
- type = "string"
+ type = string
 description = "The autoscaling groups desired/max/min capacity"
 default = "2"
 }
 variable "elb_internal_certname" {
- type = "string"
+ type = string
 description = "The ACM cert domain name to find the ARN of"
 }
 variable "internal_zone_name" {
- type = "string"
+ type = string
 description = "The name of the Route53 zone that contains internal records"
 }
 variable "internal_domain_name" {
- type = "string"
+ type = string
 description = "The domain name of the internal DNS records, it could be different from the zone name"
 }
 variable "instance_type" {
- type = "string"
+ type = string
 description = "Instance type used for EC2 resources"
 default = "m5.large"
 }
 variable "app_service_records" {
- type = "list"
+ type = list(string)
 description = "List of application service names that get traffic via this loadbalancer"
 default = []
 }
 variable "external_domain_name" {
- type = "string"
+ type = string
 description = "The domain name of the external DNS records, it could be different from the zone name"
 }
 variable "external_zone_name" {
- type = "string"
+ type = string
 description = "The name of the Route53 zone that contains external records"
 }
@@ -76,22 +76,22 @@ terraform {
 }
 data "aws_route53_zone" "internal" {
- name = "${var.internal_zone_name}"
+ name = var.internal_zone_name
 private_zone = true
 }
 data "aws_route53_zone" "external" {
- name = "${var.external_zone_name}"
+ name = var.external_zone_name
 private_zone = false
 }
 provider "aws" {
- region = "${var.aws_region}"
+ region = var.aws_region
 version = "2.46.0"
 }
 data "aws_acm_certificate" "elb_cert" {
- domain = "${var.elb_internal_certname}"
+ domain = var.elb_internal_certname
 statuses = ["ISSUED"]
 }
@@ -99,10 +99,10 @@ module "internal_lb" {
 source = "../../modules/aws/lb"
 name = "${var.stackname}-licensify-frontend-internal"
 internal = true
- vpc_id = "${data.terraform_remote_state.infra_vpc.vpc_id}"
- access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.vpc_id
+ access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id
 access_logs_bucket_prefix = "elb/licensify-frontend-internal-lb"
- listener_certificate_domain_name = "${var.elb_internal_certname}"
+ listener_certificate_domain_name = var.elb_internal_certname
 target_group_health_check_path = "/api/licences"
 listener_action = {
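Review bot: `vpc_id = data.terraform_remote_state.infra_vpc.vpc_id` and `access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id` in the `module "internal_lb"` hunk read remote-state outputs as top-level attributes; under the 0.12+ syntax this commit moves to, `terraform_remote_state` exposes them only under `outputs`, so these likely need to become `data.terraform_remote_state.infra_vpc.outputs.vpc_id` and `data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id`. The app-licensify-documentdb hunk above already uses the `.outputs.` form for `kms_key_id` and `vpc_security_group_ids`, so the two projects are inconsistent within this same commit. The same pattern recurs in the `module "licensify-frontend"` hunk below and throughout the app-mongo main.tf hunks (`private_subnet_ids`, `sns_topic_autoscaling_group_events_arn`, the `*_names_ids_map` lookups, `sg_mongo_id`, the backups-bucket policy ARNs), including on lines the commit leaves untouched. `module "internal_lb"` continues past the end of this hunk.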
@@ -118,24 +118,28 @@ module "internal_lb" {
 aws_migration = "licensing_frontend"
 aws_stackname = "${var.stackname}"
 aws_environment = "${var.aws_environment}"
+ Environment = "${var.aws_environment}"
+ Product = "Licensing"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Licencing Frontend"
 }
 }
 resource "aws_route53_record" "service_record" {
- zone_id = "${data.aws_route53_zone.internal.zone_id}"
+ zone_id = data.aws_route53_zone.internal.zone_id
 name = "licensify.${var.internal_domain_name}"
 type = "A"
 alias {
- name = "${module.internal_lb.lb_dns_name}"
- zone_id = "${module.internal_lb.lb_zone_id}"
+ name = module.internal_lb.lb_dns_name
+ zone_id = module.internal_lb.lb_zone_id
 evaluate_target_health = true
 }
 }
 resource "aws_route53_record" "app_service_records" {
- count = "${length(var.app_service_records)}"
- zone_id = "${data.aws_route53_zone.external.zone_id}"
+ count = length(var.app_service_records)
+ zone_id = data.aws_route53_zone.external.zone_id
 name = "${element(var.app_service_records, count.index)}.${var.external_domain_name}"
 type = "CNAME"
 records = ["licensify.${var.external_domain_name}"]
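Review bot: the new `System = "Licencing Frontend"` tag spells the system differently from `Product = "Licensing"` on the line above it, which will split this stack across two values in any tag-based filter, cost report or incident lookup; `System = "Licensing Frontend"` is presumably what was meant. The same string is added again in the `module "licensify-frontend"` hunk below. The `module "internal_lb"` block starts before this hunk.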
@@ -152,19 +156,23 @@ module "licensify-frontend" {
 aws_environment = "${var.aws_environment}"
 aws_migration = "licensing_frontend"
 aws_hostname = "licensify-frontend-1"
+ Environment = "${var.aws_environment}"
+ Product = "Licensing"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Licencing Frontend"
 }
- instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}"
+ instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids
 instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_licensify-frontend_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"]
- instance_type = "${var.instance_type}"
- instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}"
+ instance_type = var.instance_type
+ instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet)
 instance_target_group_arns_length = "1"
 instance_target_group_arns = ["${module.internal_lb.target_group_arns[0]}"]
- instance_ami_filter_name = "${var.instance_ami_filter_name}"
- asg_max_size = "${var.asg_size}"
- asg_min_size = "${var.asg_size}"
- asg_desired_capacity = "${var.asg_size}"
- asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}"
+ instance_ami_filter_name = var.instance_ami_filter_name
+ asg_max_size = var.asg_size
+ asg_min_size = var.asg_size
+ asg_desired_capacity = var.asg_size
+ asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn
 root_block_device_volume_size = "50"
 }
@@ -172,6 +180,6 @@ module "licensify-frontend" {
 # --------------------------------------------------------------
 output "service_dns_name" {
- value = "${aws_route53_record.service_record.name}"
+ value = aws_route53_record.service_record.name
 description = "DNS name to access the node service"
 }
diff --git a/terraform/projects/app-licensify-frontend/remote_state.tf b/terraform/projects/app-licensify-frontend/remote_state.tf
index fee326ea3..7e9222d71 100644
--- a/terraform/projects/app-licensify-frontend/remote_state.tf
+++ b/terraform/projects/app-licensify-frontend/remote_state.tf
@@ -7,42 +7,42 @@ */
 variable "remote_state_bucket" {
- type = "string"
+ type = string
 description = "S3 bucket we store our terraform state in"
 }
 variable "remote_state_infra_vpc_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_vpc remote state path"
 default = ""
 }
 variable "remote_state_infra_networking_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_networking remote state path"
 default = ""
 }
 variable "remote_state_infra_security_groups_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_security_groups stackname path to infra_vpc remote state "
 default = ""
 }
 variable "remote_state_infra_root_dns_zones_key_stack" {
- type = "string"
+ type = string
 description = "Override stackname path to infra_root_dns_zones remote state "
 default = ""
 }
 variable "remote_state_infra_stack_dns_zones_key_stack" {
- type = "string"
+ type = string
 description = "Override stackname path to infra_stack_dns_zones remote state "
 default = ""
 }
 variable "remote_state_infra_monitoring_key_stack" {
- type = "string"
+ type = string
 description = "Override stackname path to infra_monitoring remote state "
 default = ""
 }
@@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" {
 backend = "s3"
 config {
- bucket = "${var.remote_state_bucket}"
+ bucket = var.remote_state_bucket
 key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate"
- region = "${var.aws_region}"
+ region = var.aws_region
 }
 }
@@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" {
 backend = "s3"
 config {
- bucket = "${var.remote_state_bucket}"
+ bucket = var.remote_state_bucket
 key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate"
- region = "${var.aws_region}"
+ region = var.aws_region
 }
 }
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" {
 backend = "s3"
 config {
- bucket = "${var.remote_state_bucket}"
+ bucket = var.remote_state_bucket
 key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate"
- region = "${var.aws_region}"
+ region = var.aws_region
 }
 }
@@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" {
 backend = "s3"
 config {
- bucket = "${var.remote_state_bucket}"
+ bucket = var.remote_state_bucket
 key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate"
- region = "${var.aws_region}"
+ region = var.aws_region
 }
 }
@@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" {
 backend = "s3"
 config {
- bucket = "${var.remote_state_bucket}"
+ bucket = var.remote_state_bucket
 key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate"
- region = "${var.aws_region}"
+ region = var.aws_region
 }
 }
@@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" {
 backend = "s3"
 config {
- bucket = "${var.remote_state_bucket}"
+ bucket = var.remote_state_bucket
 key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate"
- region = "${var.aws_region}"
+ region = var.aws_region
 }
 }
diff --git a/terraform/projects/app-licensify-frontend/user_data_snippets.tf b/terraform/projects/app-licensify-frontend/user_data_snippets.tf
index 02e8d1eba..9d921788c 100644
--- a/terraform/projects/app-licensify-frontend/user_data_snippets.tf
+++ b/terraform/projects/app-licensify-frontend/user_data_snippets.tf
@@ -9,21 +9,21 @@ #
 variable "user_data_snippets" {
- type = "list"
+ type = list(string)
 description = "List of user-data snippets"
 }
 variable "esm_trusty_token" {
- type = "string"
+ type = string
 }
 # Resources
 # --------------------------------------------------------------
 resource "null_resource" "user_data" {
- count = "${length(var.user_data_snippets)}"
+ count = length(var.user_data_snippets)
 triggers {
- snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}"
+ snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")
 }
 }
diff --git a/terraform/projects/app-mongo/README.md b/terraform/projects/app-mongo/README.md
index 5e310a2b3..661d403f4 100644
--- a/terraform/projects/app-mongo/README.md
+++ b/terraform/projects/app-mongo/README.md
@@ -98,7 +98,7 @@ Mongo hosts
 | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no |
 | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no |
 | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes |
-| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes |
+| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes |
 ## Outputs
diff --git a/terraform/projects/app-mongo/main.tf b/terraform/projects/app-mongo/main.tf
index 4eb3a33f7..ce0894a2b 100644
--- a/terraform/projects/app-mongo/main.tf
+++ b/terraform/projects/app-mongo/main.tf
@@ -4,95 +4,95 @@ * Mongo hosts */
 variable "aws_region" {
- type = "string"
+ type = string
 description = "AWS region"
 default = "eu-west-1"
 }
 variable "stackname" {
- type = "string"
+ type = string
 description = "Stackname"
 }
 variable "aws_environment" {
- type = "string"
+ type = string
 description = "AWS Environment"
 }
 variable "ebs_encrypted" {
- type = "string"
+ type = string
 description = "Whether or not the EBS volume is encrypted"
 }
 variable "instance_ami_filter_name" {
- type = "string"
+ type = string
 description = "Name to use to find AMI images"
 default = ""
 }
 variable "mongo_1_subnet" {
- type = "string"
+ type = string
 description = "Name of the subnet to place the Mongo instance 1 and EBS volume"
 }
 variable "mongo_2_subnet" {
- type = "string"
+ type = string
 description = "Name of the subnet to place the Mongo 2 and EBS volume"
 }
 variable "mongo_3_subnet" {
- type = "string"
+ type = string
 description = "Name of the subnet to place the Mongo 3 and EBS volume"
 }
 variable "mongo_1_reserved_ips_subnet" {
- type = "string"
+ type = string
 description = "Name of the subnet to place the reserved IP of the instance"
 }
 variable "mongo_2_reserved_ips_subnet" {
- type = "string"
+ type = string
 description = "Name of the subnet to place the reserved IP of the instance"
 }
 variable "mongo_3_reserved_ips_subnet" {
- type = "string"
+ type = string
 description = "Name of the subnet to place the reserved IP of the instance"
 }
 variable "mongo_1_ip" {
- type = "string"
+ type = string
 description = "IP address of the private IP to assign to the instance"
 }
 variable "mongo_2_ip" {
- type = "string"
+ type = string
 description = "IP address of the private IP to assign to the instance"
 }
 variable "mongo_3_ip" {
- type = "string"
+ type = string
 description = "IP address of the private IP to assign to the instance"
 }
 variable "remote_state_infra_database_backups_bucket_key_stack" {
- type = "string"
+ type = string
 description = "Override stackname path to
infra_database_backups_bucket remote state"
 default = ""
 }
 variable "internal_zone_name" {
- type = "string"
+ type = string
 description = "The name of the Route53 zone that contains internal records"
 }
 variable "internal_domain_name" {
- type = "string"
+ type = string
 description = "The domain name of the internal DNS records, it could be different from the zone name"
 }
 variable "instance_type" {
- type = "string"
+ type = string
 description = "Instance type used for EC2 resources"
 default = "m5.large"
 }
@@ -105,33 +105,37 @@ terraform {
 }
 provider "aws" {
- region = "${var.aws_region}"
+ region = var.aws_region
 version = "2.46.0"
 }
 data "aws_route53_zone" "internal" {
- name = "${var.internal_zone_name}"
+ name = var.internal_zone_name
 private_zone = true
 }
 # Instance 1
 resource "aws_network_interface" "mongo-1_eni" {
- subnet_id = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_reserved_ips_names_ids_map, var.mongo_1_reserved_ips_subnet)}"
+ subnet_id = lookup(data.terraform_remote_state.infra_networking.private_subnet_reserved_ips_names_ids_map, var.mongo_1_reserved_ips_subnet)
 private_ips = ["${var.mongo_1_ip}"]
 security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_mongo_id}"]
 tags {
 Name = "${var.stackname}-mongo-1"
- Project = "${var.stackname}"
+ Project = var.stackname
 aws_hostname = "mongo-1"
 aws_migration = "mongo"
- aws_stackname = "${var.stackname}"
- aws_environment = "${var.aws_environment}"
+ aws_stackname = var.stackname
+ aws_environment = var.aws_environment
+ Environment = var.aws_environment
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "${var.stackname} Mongo"
 }
 }
 resource "aws_route53_record" "mongo_1_service_record" {
- zone_id = "${data.aws_route53_zone.internal.zone_id}"
+ zone_id = data.aws_route53_zone.internal.zone_id
 name = "mongo-1.${var.internal_domain_name}"
 type = "A"
 records = ["${var.mongo_1_ip}"]
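Review bot: the `tags {` block on `aws_network_interface.mongo-1_eni` now holds 0.12-style expressions (`Environment = var.aws_environment`) but keeps the 0.11 block form; `tags` is a map argument, so under 0.12+ this most likely has to be `tags = {` for the file to load at all. The same applies to the `tags {` blocks on the ENI and `aws_ebs_volume` resources in the three app-mongo hunks that follow, and the `config {` blocks in the `terraform_remote_state` hunks have the same shape. `terraform 0.12upgrade` normally rewrites these along with the `.outputs.` accessors; running it over the touched projects would catch the ones this hand edit missed.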
@@ -141,54 +145,62 @@ resource "aws_route53_record" "mongo_1_service_record" {
 module "mongo-1" {
 source = "../../modules/aws/node_group"
 name = "${var.stackname}-mongo-1"
- default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "mongo", "aws_hostname", "mongo-1")}"
- instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.mongo_1_subnet))}"
+ default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "mongo", "aws_hostname", "mongo-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Mongo")
+ instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.mongo_1_subnet))
 instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_mongo_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"]
- instance_type = "${var.instance_type}"
- instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}"
+ instance_type = var.instance_type
+ instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet)
 instance_elb_ids_length = "0"
 instance_elb_ids = []
- instance_ami_filter_name = "${var.instance_ami_filter_name}"
- asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}"
+ instance_ami_filter_name = var.instance_ami_filter_name
+ asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn
root_block_device_volume_size = "50"
 }
 resource "aws_ebs_volume" "mongo-1" {
- availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.mongo_1_subnet)}"
- encrypted = "${var.ebs_encrypted}"
+ availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.mongo_1_subnet)
+ encrypted = var.ebs_encrypted
 type = "gp2"
 size = 300
 tags {
 Name = "${var.stackname}-mongo-1"
- Project = "${var.stackname}"
+ Project = var.stackname
 ManagedBy = "terraform"
- aws_stackname = "${var.stackname}"
- aws_environment = "${var.aws_environment}"
+ aws_stackname = var.stackname
+ aws_environment = var.aws_environment
 aws_migration = "mongo"
 aws_hostname = "mongo-1"
 Device = "xvdf"
+ Environment = var.aws_environment
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "${var.stackname} Mongo Storage"
 }
 }
 # Instance 2
 resource "aws_network_interface" "mongo-2_eni" {
- subnet_id = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_reserved_ips_names_ids_map, var.mongo_2_reserved_ips_subnet)}"
+ subnet_id = lookup(data.terraform_remote_state.infra_networking.private_subnet_reserved_ips_names_ids_map, var.mongo_2_reserved_ips_subnet)
 private_ips = ["${var.mongo_2_ip}"]
 security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_mongo_id}"]
 tags {
 Name = "${var.stackname}-mongo-2"
- Project = "${var.stackname}"
+ Project = var.stackname
 aws_hostname = "mongo-2"
 aws_migration = "mongo"
- aws_stackname = "${var.stackname}"
- aws_environment = "${var.aws_environment}"
+ aws_stackname = var.stackname
+ aws_environment = var.aws_environment
+ Environment = var.aws_environment
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "${var.stackname} Mongo Storage"
 }
 }
 resource "aws_route53_record" "mongo_2_service_record" {
- zone_id = "${data.aws_route53_zone.internal.zone_id}"
+
zone_id = data.aws_route53_zone.internal.zone_id
 name = "mongo-2.${var.internal_domain_name}"
 type = "A"
 records = ["${var.mongo_2_ip}"]
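Review bot: `System = "${var.stackname} Mongo Storage"` on `aws_network_interface.mongo-2_eni` is the value the other two ENIs (`mongo-1_eni` above, `mongo-3_eni` in the next hunk) do not use — they carry `"${var.stackname} Mongo"` and reserve `"Mongo Storage"` for their EBS volumes — while in the next hunk `aws_ebs_volume.mongo-2` gets `System = "${var.stackname} Mongo"`, so the two mongo-2 values appear swapped. Swapping them back so the ENI reads `System = "${var.stackname} Mongo"` and the volume reads `System = "${var.stackname} Mongo Storage"` would keep the three hosts filterable by the same tag values. `aws_route53_record.mongo_2_service_record` continues past the end of this hunk.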
@@ -198,54 +210,62 @@ resource "aws_route53_record" "mongo_2_service_record" {
 module "mongo-2" {
 source = "../../modules/aws/node_group"
 name = "${var.stackname}-mongo-2"
- default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "mongo", "aws_hostname", "mongo-2")}"
- instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.mongo_2_subnet))}"
+ default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "mongo", "aws_hostname", "mongo-2", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Mongo")
+ instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.mongo_2_subnet))
 instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_mongo_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"]
- instance_type = "${var.instance_type}"
- instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}"
+ instance_type = var.instance_type
+ instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet)
 instance_elb_ids_length = "0"
 instance_elb_ids = []
- instance_ami_filter_name = "${var.instance_ami_filter_name}"
- asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}"
+ instance_ami_filter_name = var.instance_ami_filter_name
+ asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn
root_block_device_volume_size = "50"
 }
 resource "aws_ebs_volume" "mongo-2" {
- availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.mongo_2_subnet)}"
- encrypted = "${var.ebs_encrypted}"
+ availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.mongo_2_subnet)
+ encrypted = var.ebs_encrypted
 type = "gp2"
 size = 300
 tags {
 Name = "${var.stackname}-mongo-2"
- Project = "${var.stackname}"
+ Project = var.stackname
 ManagedBy = "terraform"
- aws_stackname = "${var.stackname}"
- aws_environment = "${var.aws_environment}"
+ aws_stackname = var.stackname
+ aws_environment = var.aws_environment
 aws_migration = "mongo"
 aws_hostname = "mongo-2"
 Device = "xvdf"
+ Environment = var.aws_environment
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "${var.stackname} Mongo"
 }
 }
 # Instance 3
 resource "aws_network_interface" "mongo-3_eni" {
- subnet_id = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_reserved_ips_names_ids_map, var.mongo_3_reserved_ips_subnet)}"
+ subnet_id = lookup(data.terraform_remote_state.infra_networking.private_subnet_reserved_ips_names_ids_map, var.mongo_3_reserved_ips_subnet)
 private_ips = ["${var.mongo_3_ip}"]
 security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_mongo_id}"]
 tags {
 Name = "${var.stackname}-mongo-3"
- Project = "${var.stackname}"
+ Project = var.stackname
 aws_hostname = "mongo-3"
 aws_migration = "mongo"
- aws_stackname = "${var.stackname}"
- aws_environment = "${var.aws_environment}"
+ aws_stackname = var.stackname
+ aws_environment = var.aws_environment
+ Environment = var.aws_environment
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "${var.stackname} Mongo"
 }
 }
 resource "aws_route53_record" "mongo_3_service_record" {
- zone_id = "${data.aws_route53_zone.internal.zone_id}"
+ zone_id =
data.aws_route53_zone.internal.zone_id
 name = "mongo-3.${var.internal_domain_name}"
 type = "A"
 records = ["${var.mongo_3_ip}"]
@@ -255,61 +275,65 @@ resource "aws_route53_record" "mongo_3_service_record" {
 module "mongo-3" {
 source = "../../modules/aws/node_group"
 name = "${var.stackname}-mongo-3"
- default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "mongo", "aws_hostname", "mongo-3")}"
- instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.mongo_3_subnet))}"
+ default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "mongo", "aws_hostname", "mongo-3", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Mongo")
+ instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.mongo_3_subnet))
 instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_mongo_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"]
- instance_type = "${var.instance_type}"
- instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}"
+ instance_type = var.instance_type
+ instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet)
 instance_elb_ids_length = "0"
 instance_elb_ids = []
- instance_ami_filter_name = "${var.instance_ami_filter_name}"
- asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}"
+ instance_ami_filter_name = var.instance_ami_filter_name
+ asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn
root_block_device_volume_size = "50"
 }
 resource "aws_ebs_volume" "mongo-3" {
- availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.mongo_3_subnet)}"
- encrypted = "${var.ebs_encrypted}"
+ availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.mongo_3_subnet)
+ encrypted = var.ebs_encrypted
 type = "gp2"
 size = 300
 tags {
 Name = "${var.stackname}-mongo-3"
- Project = "${var.stackname}"
+ Project = var.stackname
 ManagedBy = "terraform"
- aws_stackname = "${var.stackname}"
- aws_environment = "${var.aws_environment}"
+ aws_stackname = var.stackname
+ aws_environment = var.aws_environment
 aws_migration = "mongo"
 aws_hostname = "mongo-3"
 Device = "xvdf"
+ Environment = var.aws_environment
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "${var.stackname} Mongo Storage"
 }
 }
 resource "aws_iam_policy" "mongo-iam_policy" {
 name = "${var.stackname}-mongo-additional"
 path = "/"
- policy = "${file("${path.module}/additional_policy.json")}"
+ policy = file("${path.module}/additional_policy.json")
 }
 resource "aws_iam_role_policy_attachment" "mongo-1_iam_role_policy_attachment" {
- role = "${module.mongo-1.instance_iam_role_name}"
- policy_arn = "${aws_iam_policy.mongo-iam_policy.arn}"
+ role = module.mongo-1.instance_iam_role_name
+ policy_arn = aws_iam_policy.mongo-iam_policy.arn
 }
 resource "aws_iam_role_policy_attachment" "mongo-2_iam_role_policy_attachment" {
- role = "${module.mongo-2.instance_iam_role_name}"
- policy_arn = "${aws_iam_policy.mongo-iam_policy.arn}"
+ role = module.mongo-2.instance_iam_role_name
+ policy_arn = aws_iam_policy.mongo-iam_policy.arn
 }
 resource "aws_iam_role_policy_attachment" "mongo-3_iam_role_policy_attachment" {
- role = "${module.mongo-3.instance_iam_role_name}"
- policy_arn = "${aws_iam_policy.mongo-iam_policy.arn}"
+ role = module.mongo-3.instance_iam_role_name
+ policy_arn =
aws_iam_policy.mongo-iam_policy.arn
 }
 module "alarms-autoscaling-mongo-1" {
 source = "../../modules/aws/alarms/autoscaling"
 name_prefix = "${var.stackname}-mongo-1"
- autoscaling_group_name = "${module.mongo-1.autoscaling_group_name}"
+ autoscaling_group_name = module.mongo-1.autoscaling_group_name
 alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"]
 groupinserviceinstances_threshold = "1"
 }
@@ -317,7 +341,7 @@ module "alarms-autoscaling-mongo-1" {
 module "alarms-ec2-mongo-1" {
 source = "../../modules/aws/alarms/ec2"
 name_prefix = "${var.stackname}-mongo-1"
- autoscaling_group_name = "${module.mongo-1.autoscaling_group_name}"
+ autoscaling_group_name = module.mongo-1.autoscaling_group_name
 alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"]
 cpuutilization_threshold = "85"
 }
@@ -325,7 +349,7 @@ module "alarms-ec2-mongo-1" {
 module "alarms-autoscaling-mongo-2" {
 source = "../../modules/aws/alarms/autoscaling"
 name_prefix = "${var.stackname}-mongo-2"
- autoscaling_group_name = "${module.mongo-2.autoscaling_group_name}"
+ autoscaling_group_name = module.mongo-2.autoscaling_group_name
 alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"]
 groupinserviceinstances_threshold = "1"
 }
@@ -333,7 +357,7 @@ module "alarms-autoscaling-mongo-2" {
 module "alarms-ec2-mongo-2" {
 source = "../../modules/aws/alarms/ec2"
 name_prefix = "${var.stackname}-mongo-2"
- autoscaling_group_name = "${module.mongo-2.autoscaling_group_name}"
+ autoscaling_group_name = module.mongo-2.autoscaling_group_name
 alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"]
 cpuutilization_threshold = "85"
 }
@@ -341,7 +365,7 @@ module "alarms-ec2-mongo-2" { module "alarms-autoscaling-mongo-3" { source = "../../modules/aws/alarms/autoscaling" name_prefix = "${var.stackname}-mongo-3" - autoscaling_group_name = "${module.mongo-3.autoscaling_group_name}" + autoscaling_group_name = module.mongo-3.autoscaling_group_name alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] groupinserviceinstances_threshold = "1" } @@ -349,7 +373,7 @@ module "alarms-autoscaling-mongo-3" { module "alarms-ec2-mongo-3" { source = "../../modules/aws/alarms/ec2" name_prefix = "${var.stackname}-mongo-3" - autoscaling_group_name = "${module.mongo-3.autoscaling_group_name}" + autoscaling_group_name = module.mongo-3.autoscaling_group_name alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] cpuutilization_threshold = "85" } 
@@ -358,86 +382,86 @@ data "terraform_remote_state" "infra_database_backups_bucket" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_database_backups_bucket_key_stack, var.stackname)}/infra-database-backups-bucket.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } resource "aws_iam_role_policy_attachment" "write_mongo_api_database_backups_iam_role_policy_attachment" { count = 3 - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.mongo_api_write_database_backups_bucket_policy_arn}" + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.mongo_api_write_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "write_mongodb_database_backups_iam_role_policy_attachment" { count = 3 - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.mongodb_write_database_backups_bucket_policy_arn}" + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.mongodb_write_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "integration_read_mongoapi_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 
3 : 0}" - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.integration_mongo_api_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "integration" ? 3 : 0 + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.integration_mongo_api_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "integration_read_mongodb_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 3 : 0}" - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.integration_mongodb_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "integration" ? 3 : 0 + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.integration_mongodb_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "staging_read_mongoapi_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "staging" ? 3 : 0}" - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.staging_mongo_api_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "staging" ? 
3 : 0 + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.staging_mongo_api_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "staging_read_mongodb_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "staging" ? 3 : 0}" - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.staging_mongodb_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "staging" ? 3 : 0 + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.staging_mongodb_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "integration_read_production_mongoapi_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 3 : 0}" - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.production_mongo_api_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "integration" ? 
3 : 0 + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.production_mongo_api_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "integration_read_production_mongodb_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 3 : 0}" - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.production_mongodb_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "integration" ? 3 : 0 + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.production_mongodb_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "staging_read_production_mongoapi_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "staging" ? 3 : 0}" - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.production_mongo_api_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "staging" ? 
3 : 0 + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.production_mongo_api_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "staging_read_production_mongodb_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "staging" ? 3 : 0}" - role = "${element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index)}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.production_mongodb_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "staging" ? 3 : 0 + role = element(list(module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name), count.index) + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.production_mongodb_read_database_backups_bucket_policy_arn } # Outputs # -------------------------------------------------------------- output "mongo_1_service_dns_name" { - value = "${aws_route53_record.mongo_1_service_record.fqdn}" + value = aws_route53_record.mongo_1_service_record.fqdn description = "DNS name to access the Mongo 1 internal service" } output "mongo_2_service_dns_name" { - value = "${aws_route53_record.mongo_2_service_record.fqdn}" + value = aws_route53_record.mongo_2_service_record.fqdn description = "DNS name to access the Mongo 2 internal service" } output "mongo_3_service_dns_name" { - value = "${aws_route53_record.mongo_3_service_record.fqdn}" + value = aws_route53_record.mongo_3_service_record.fqdn description = "DNS name to access the Mongo 3 internal service" } diff --git a/terraform/projects/app-mongo/remote_state.tf b/terraform/projects/app-mongo/remote_state.tf index fee326ea3..7e9222d71 100644 
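Review bot: The `config {` block inside `data "terraform_remote_state" "infra_database_backups_bucket"` is left in nested-block form while the lines inside it move to 0.12 expressions; on Terraform 0.12+ `config` is a map argument and the block form is rejected at parse time, so it should read `config = {` (closing brace unchanged). Every `config {` in the app-mongo and app-monitoring remote_state.tf hunks that follow has the same problem. The `role = element(list(module.mongo-1.instance_iam_role_name, ...), count.index)` lines use `list()`, deprecated in 0.12 and removed in 0.15; a list literal indexed directly, `role = [module.mongo-1.instance_iam_role_name, module.mongo-2.instance_iam_role_name, module.mongo-3.instance_iam_role_name][count.index]`, removes the dependency and the same replacement applies to `list(var.monitoring_subnet)` in app-monitoring/main.tf. Separately, the `integration_read_production_*` and `staging_read_production_*` attachments give non-production instance roles read access to production backup buckets; a one-line comment stating why that cross-environment access is intended would spare the next reviewer from having to reconstruct it.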
--- a/terraform/projects/app-mongo/remote_state.tf +++ b/terraform/projects/app-mongo/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-mongo/user_data_snippets.tf b/terraform/projects/app-mongo/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-mongo/user_data_snippets.tf +++ b/terraform/projects/app-mongo/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-monitoring/README.md b/terraform/projects/app-monitoring/README.md index 860637cae..76acaf87d 100644 --- a/terraform/projects/app-monitoring/README.md +++ b/terraform/projects/app-monitoring/README.md @@ -76,7 +76,7 @@ Monitoring node | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-monitoring/main.tf b/terraform/projects/app-monitoring/main.tf index 189fbeaa6..d7ae65719 100644 --- a/terraform/projects/app-monitoring/main.tf +++ b/terraform/projects/app-monitoring/main.tf 
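Review bot: `triggers {` in `resource "null_resource" "user_data"` is still nested-block syntax; on Terraform 0.12+ `triggers` is a map argument and must be written `triggers = {`. The last argument of the `replace()` call on the same line, `"${var.esm_trusty_token}"`, is an interpolation-only string that 0.12 warns about and can be `var.esm_trusty_token`. Because the rendered snippet is a trigger value, the substituted token ends up in the state file as well as in the instance user data it is joined into later; `variable "esm_trusty_token"` has no `description`, and if the project is on Terraform 0.14 or later it should carry `sensitive = true` so the value is redacted from plan output. The app-monitoring/user_data_snippets.tf hunk below is byte-for-byte the same and has the same issues.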
@@ -4,69 +4,69 @@ * Monitoring node */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "ebs_encrypted" { - type = "string" + type = string description = "Whether or not the EBS volume is encrypted" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "elb_external_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "elb_internal_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "monitoring_subnet" { - type = "string" + type = string description = "Name of the subnet to place the monitoring instance and the EBS volume" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "external_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains external records" } variable "external_domain_name" { - type = "string" + type = string description = "The domain name of the external DNS records, it could be different from the zone name" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "m5.xlarge" } 
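Review bot: `variable "ebs_encrypted"` is declared `type = string` even though it is assigned to the boolean `encrypted` argument of `aws_ebs_volume.monitoring` later in this file; with 0.12 type constraints available, `type = bool` rejects values like `"yes"` at plan time instead of relying on string-to-bool conversion, and the description could say that the variable is a flag. The same applies to `ebs_volume_size` (`default = "64"`) in app-prometheus/main.tf, which looks like a numeric size and would be `type = number`; its use is outside this chunk, so that part is inferred.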
@@ -79,27 +79,27 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } data "aws_route53_zone" "external" { - name = "${var.external_zone_name}" + name = var.external_zone_name private_zone = false } data "aws_acm_certificate" "elb_external_cert" { - domain = "${var.elb_external_certname}" + domain = var.elb_external_certname statuses = ["ISSUED"] } data "aws_acm_certificate" "elb_internal_cert" { - domain = "${var.elb_internal_certname}" + domain = var.elb_internal_certname statuses = ["ISSUED"] } @@ -113,7 +113,7 @@ resource "aws_elb" "monitoring_external_elb" { internal = "false" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-monitoring-external-elb" interval = 60 } @@ -124,7 +124,7 @@ resource "aws_elb" "monitoring_external_elb" { lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_external_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_external_cert.arn } listener { @@ -133,7 +133,7 @@ resource "aws_elb" "monitoring_external_elb" { lb_port = 6514 lb_protocol = "ssl" - ssl_certificate_id = "${data.aws_acm_certificate.elb_external_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_external_cert.arn } listener { @@ -142,7 +142,7 @@ resource "aws_elb" "monitoring_external_elb" { lb_port = 6515 lb_protocol = "ssl" - ssl_certificate_id = "${data.aws_acm_certificate.elb_external_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_external_cert.arn } listener { 
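Review bot: `provider "aws"` still pins `version = "2.46.0"` inside the provider block; since Terraform 0.13 that argument is deprecated and the constraint belongs in a `required_providers` entry of the `terraform {}` block whose closing brace opens this hunk, e.g. `required_providers { aws = { source = "hashicorp/aws", version = "2.46.0" } }`. If the project is staying on 0.12 this is only a pending warning, so the target version decides whether to do it now. In the @@ -113 hunk, `internal = "false"` on `aws_elb.monitoring_external_elb` passes a string where a bool is expected and is clearer as `internal = false`.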
@@ -151,7 +151,7 @@ resource "aws_elb" "monitoring_external_elb" { lb_port = 6516 lb_protocol = "ssl" - ssl_certificate_id = "${data.aws_acm_certificate.elb_external_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_external_cert.arn } health_check { @@ -168,7 +168,7 @@ resource "aws_elb" "monitoring_external_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-monitoring", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "monitoring")}" + tags = map("Name", "${var.stackname}-monitoring", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "monitoring", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Monitoring") } resource "aws_elb" "monitoring_internal_elb" { @@ -197,7 +197,7 @@ resource "aws_elb" "monitoring_internal_elb" { lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_internal_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_internal_cert.arn } health_check { 
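Review bot: The `tags = map("Name", "${var.stackname}-monitoring", ..., "System", "${var.stackname} Monitoring")` line on `aws_elb.monitoring_external_elb` in the @@ -168 hunk now packs nine key/value pairs into one `map()` call; `map()` was deprecated in 0.12 and removed in 0.15, and the same literal Environment/Product/Owner/System set is repeated on `monitoring_internal_elb` in the @@ -197 hunk, on `module "monitoring"` and `aws_ebs_volume.monitoring` in the @@ -214 hunk, and on `module "prometheus-1"` in app-prometheus/main.tf. Declaring the shared tags once in a `locals` block and merging per-resource keys keeps the owner contact and product tag identical on every resource (a typo in one copy silently drops that resource from ownership or cost reports) and makes the next tag change a one-line edit. The locals block below goes at file level, for example after `provider "aws"`; only the tags line of the ELB changes.
```hcl
locals {
  common_tags = {
    Project         = var.stackname
    aws_environment = var.aws_environment
    aws_migration   = "monitoring"
    Environment     = var.aws_environment
    Product         = "GOVUK"
    Owner           = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
  }
}

# … unchanged: listeners and health_check of aws_elb.monitoring_external_elb …
  tags = merge(local.common_tags, { Name = "${var.stackname}-monitoring", System = "${var.stackname} Monitoring" })
```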
@@ -214,51 +214,55 @@ resource "aws_elb" "monitoring_internal_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-monitoring", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "monitoring")}" + tags = map("Name", "${var.stackname}-monitoring", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "monitoring", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Monitoring") } module "monitoring" { source = "../../modules/aws/node_group" name = "${var.stackname}-monitoring" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "monitoring", "aws_hostname", "monitoring-1")}" - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.monitoring_subnet))}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "monitoring", "aws_hostname", "monitoring-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Monitoring") + instance_subnet_ids = matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.monitoring_subnet)) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_monitoring_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", 
null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "2" instance_elb_ids = ["${aws_elb.monitoring_external_elb.id}", "${aws_elb.monitoring_internal_elb.id}"] - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + instance_ami_filter_name = var.instance_ami_filter_name + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn root_block_device_volume_size = "40" } resource "aws_ebs_volume" "monitoring" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.monitoring_subnet)}" - encrypted = "${var.ebs_encrypted}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.monitoring_subnet) + encrypted = var.ebs_encrypted type = "gp2" size = 40 tags { Name = "${var.stackname}-monitoring" - Project = "${var.stackname}" + Project = var.stackname ManagedBy = "terraform" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment aws_migration = "monitoring" aws_hostname = "monitoring-1" Device = "xvdf" + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} Monitoring Storage" } } resource "aws_iam_policy" "monitoring-iam_policy" { name = "${var.stackname}-monitoring-additional" path = "/" - policy = "${file("${path.module}/additional_policy.json")}" + policy = file("${path.module}/additional_policy.json") } resource "aws_iam_role_policy_attachment" "monitoring_iam_role_policy_attachment" { - role = "${module.monitoring.instance_iam_role_name}" - 
policy_arn = "${aws_iam_policy.monitoring-iam_policy.arn}" + role = module.monitoring.instance_iam_role_name + policy_arn = aws_iam_policy.monitoring-iam_policy.arn } resource "aws_iam_policy" "list_fastly_logs" { 
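Review bot: `tags {` on `aws_ebs_volume.monitoring` is still nested-block syntax; with the aws provider on Terraform 0.12+ `tags` is a map argument and the block form fails with an "unsupported block type" error, so the line should be `tags = {` (the new `Environment`, `Product`, `Owner` and `System` entries are unaffected). The `aws_ebs_volume "mongo-3"` block earlier in app-mongo/main.tf has the same form, though its hunk starts before this chunk. `instance_elb_ids_length = "2"` in `module "monitoring"` duplicates information already in `instance_elb_ids`; that is a known 0.11-era workaround and fine to keep, but a short comment saying so would stop someone "fixing" it.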
@@ -283,43 +287,43 @@ EOF } resource "aws_iam_role_policy_attachment" "monitoring_can_list_fastly_logs" { - role = "${module.monitoring.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.list_fastly_logs.arn}" + role = module.monitoring.instance_iam_role_name + policy_arn = aws_iam_policy.list_fastly_logs.arn } resource "aws_route53_record" "external_service_record" { - zone_id = "${data.aws_route53_zone.external.zone_id}" + zone_id = data.aws_route53_zone.external.zone_id name = "alert.${var.external_domain_name}" type = "A" alias { - name = "${aws_elb.monitoring_external_elb.dns_name}" - zone_id = "${aws_elb.monitoring_external_elb.zone_id}" + name = aws_elb.monitoring_external_elb.dns_name + zone_id = aws_elb.monitoring_external_elb.zone_id evaluate_target_health = true } } # This DNS record is used by fastly rsyslog resource "aws_route53_record" "fastly_external_service_record" { - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.external_root_zone_id}" + zone_id = data.terraform_remote_state.infra_root_dns_zones.external_root_zone_id name = "monitoring.${data.terraform_remote_state.infra_root_dns_zones.external_root_domain_name}" type = "A" alias { - name = "${aws_elb.monitoring_external_elb.dns_name}" - zone_id = "${aws_elb.monitoring_external_elb.zone_id}" + name = aws_elb.monitoring_external_elb.dns_name + zone_id = aws_elb.monitoring_external_elb.zone_id evaluate_target_health = true } } resource "aws_route53_record" "internal_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "alert.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.monitoring_internal_elb.dns_name}" - zone_id = "${aws_elb.monitoring_internal_elb.zone_id}" + name = aws_elb.monitoring_internal_elb.dns_name + zone_id = aws_elb.monitoring_internal_elb.zone_id evaluate_target_health = true } } 
@@ -328,7 +332,7 @@ module "alarms-elb-monitoring-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-monitoring-internal" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.monitoring_internal_elb.name}" + elb_name = aws_elb.monitoring_internal_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "0" httpcode_elb_4xx_threshold = "0" @@ -341,7 +345,7 @@ module "alarms-elb-monitoring-external" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-monitoring-external" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.monitoring_external_elb.name}" + elb_name = aws_elb.monitoring_external_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "100" httpcode_elb_4xx_threshold = "0" @@ -354,11 +358,11 @@ module "alarms-elb-monitoring-external" { # -------------------------------------------------------------- output "monitoring_external_elb_dns_name" { - value = "${aws_elb.monitoring_external_elb.dns_name}" + value = aws_elb.monitoring_external_elb.dns_name description = "External DNS name to access the monitoring service" } output "monitoring_internal_elb_dns_name" { - value = "${aws_elb.monitoring_internal_elb.dns_name}" + value = aws_elb.monitoring_internal_elb.dns_name description = "Internal DNS name to access the monitoring service" } diff --git a/terraform/projects/app-monitoring/remote_state.tf b/terraform/projects/app-monitoring/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-monitoring/remote_state.tf +++ b/terraform/projects/app-monitoring/remote_state.tf 
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-monitoring/user_data_snippets.tf b/terraform/projects/app-monitoring/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-monitoring/user_data_snippets.tf +++ b/terraform/projects/app-monitoring/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-prometheus/README.md b/terraform/projects/app-prometheus/README.md index b5fd0e36e..7b57b73c9 100644 --- a/terraform/projects/app-prometheus/README.md +++ b/terraform/projects/app-prometheus/README.md @@ -66,7 +66,7 @@ Prometheus node | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-prometheus/main.tf b/terraform/projects/app-prometheus/main.tf index 86f7aa591..74b4841c4 100644 --- a/terraform/projects/app-prometheus/main.tf +++ b/terraform/projects/app-prometheus/main.tf 
@@ -4,23 +4,23 @@ * Prometheus node */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" # default = "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" @@ -28,33 +28,33 @@ variable "instance_ami_filter_name" { } variable "prometheus_1_subnet" { - type = "string" + type = string description = "Name of the subnet to place the Prometheus instance and EBS volume" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t3.medium" } variable "elb_internal_certname" { - type = "string" + type = string description = "The ACM cert domain name (e.g. *.production.govuk-internal.digital) to find the ARN of" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "ebs_volume_size" { - type = "string" + type = string description = "EBS volume size" default = "64" } 
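Review bot: `ebs_volume_size` is retyped as `string` with `default = "64"` even though it feeds `aws_ebs_volume.size`, which is numeric, so the new type constraint validates nothing here; `type = number` with `default = 64` would reject a non-numeric override at plan time rather than at apply. `instance_ami_filter_name` in the first hunk is left with a commented-out default and no note of what an empty value means to the node_group module — its description could say so, since the variable block itself ends outside the hunk.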
@@ -67,49 +67,53 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } module "prometheus-1" { source = "../../modules/aws/node_group" name = "${var.stackname}-prometheus-1" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", - var.aws_environment, "aws_migration", "prometheus", "aws_hostname", "prometheus-1")}" + default_tags = (map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", + var.aws_environment, "aws_migration", "prometheus", "aws_hostname", "prometheus-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Prometheus")) - instance_subnet_ids = "${matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), - keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.prometheus_1_subnet))}" + instance_subnet_ids = (matchkeys(values(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), + keys(data.terraform_remote_state.infra_networking.private_subnet_names_ids_map), list(var.prometheus_1_subnet))) instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_prometheus_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) + instance_ami_filter_name = var.instance_ami_filter_name + asg_notification_topic_arn = 
data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn } resource "aws_ebs_volume" "prometheus-1" { - availability_zone = "${lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.prometheus_1_subnet)}" - size = "${var.ebs_volume_size}" + availability_zone = lookup(data.terraform_remote_state.infra_networking.private_subnet_names_azs_map, var.prometheus_1_subnet) + size = var.ebs_volume_size type = "gp3" tags { Name = "${var.stackname}-prometheus-1" - Project = "${var.stackname}" + Project = var.stackname Device = "xvdf" - aws_stackname = "${var.stackname}" - aws_environment = "${var.aws_environment}" + aws_stackname = var.stackname + aws_environment = var.aws_environment aws_migration = "prometheus" aws_hostname = "prometheus-1" + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Prometheus Storage" } } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } data "aws_acm_certificate" "elb_internal_cert" { - domain = "${var.elb_internal_certname}" + domain = var.elb_internal_certname statuses = ["ISSUED"] } 
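Review bot: `aws_ebs_volume.prometheus-1` gains four tags but still has no `encrypted = true`, so unless the account enforces EBS encryption by default the Prometheus TSDB sits on an unencrypted gp3 volume; add `encrypted = true` (and a `kms_key_id` if a CMK is mandated) next to `type = "gp3"`. The `Owner` address and `Product` value are now repeated verbatim in three places in this file alone; a `locals { common_tags = { ... } }` block merged into each `default_tags`/`tags` via `merge(local.common_tags, { ... })` would stop them drifting apart. Also `map(...)` and `list(...)` were deprecated in 0.12 in favour of `{ ... }` and `[ ... ]` literals and removed in later releases, so wrapping them in parentheses only postpones that change.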
@@ -117,30 +121,30 @@ module "prometheus_internal_alb" { source = "../../modules/aws/lb" name = "${var.stackname}-prometheus-internal" internal = true - vpc_id = "${data.terraform_remote_state.infra_vpc.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id access_logs_bucket_prefix = "elb/${var.stackname}-prometheus-internal-alb" - listener_certificate_domain_name = "${var.elb_internal_certname}" - listener_action = "${map("HTTPS:443", "HTTP:80")}" + listener_certificate_domain_name = var.elb_internal_certname + listener_action = map("HTTPS:443", "HTTP:80") subnets = ["${data.terraform_remote_state.infra_networking.private_subnet_ids}"] target_group_health_check_path = "/-/ready" # See https://prometheus.io/docs/prometheus/latest/management_api/ security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_prometheus_internal_elb_id}"] alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - default_tags = "${map("Project", var.stackname, "aws_migration", "prometheus", "aws_environment", var.aws_environment)}" + default_tags = map("Project", var.stackname, "aws_migration", "prometheus", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Prometheus") } resource "aws_autoscaling_attachment" "internal_lb" { - autoscaling_group_name = "${module.prometheus-1.autoscaling_group_name}" - alb_target_group_arn = "${module.prometheus_internal_alb.target_group_arns[0]}" + autoscaling_group_name = module.prometheus-1.autoscaling_group_name + alb_target_group_arn = module.prometheus_internal_alb.target_group_arns[0] } resource "aws_lb_listener_rule" "internal_lb" { - listener_arn = 
"${module.prometheus_internal_alb.load_balancer_ssl_listeners[0]}" + listener_arn = module.prometheus_internal_alb.load_balancer_ssl_listeners[0] action { type = "forward" - target_group_arn = "${module.prometheus_internal_alb.target_group_arns[0]}" + target_group_arn = module.prometheus_internal_alb.target_group_arns[0] } condition { @@ -150,13 +154,13 @@ resource "aws_lb_listener_rule" "internal_lb" { } resource "aws_route53_record" "service_record_internal" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "prometheus.${var.internal_domain_name}" type = "A" alias { - name = "${module.prometheus_internal_alb.lb_dns_name}" - zone_id = "${module.prometheus_internal_alb.lb_zone_id}" + name = module.prometheus_internal_alb.lb_dns_name + zone_id = module.prometheus_internal_alb.lb_zone_id evaluate_target_health = true } } @@ -164,15 +168,15 @@ resource "aws_route53_record" "service_record_internal" { resource "aws_iam_policy" "prometheus_1_iam_policy" { name = "${var.stackname}-prometheus-1-additional" path = "/" - policy = "${file("${path.module}/additional_policy.json")}" + policy = file("${path.module}/additional_policy.json") } resource "aws_iam_role_policy_attachment" "prometheus_1_iam_role_policy_attachment" { - role = "${module.prometheus-1.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.prometheus_1_iam_policy.arn}" + role = module.prometheus-1.instance_iam_role_name + policy_arn = aws_iam_policy.prometheus_1_iam_policy.arn } resource "aws_iam_role_policy_attachment" "prometheus_1_iam_role_policy_cloudwatch_attachment" { - role = "${module.prometheus-1.instance_iam_role_name}" + role = module.prometheus-1.instance_iam_role_name policy_arn = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess" } diff --git a/terraform/projects/app-prometheus/remote-state.tf b/terraform/projects/app-prometheus/remote-state.tf index 43c36fa9b..8edd1efc0 100644 
--- a/terraform/projects/app-prometheus/remote-state.tf +++ b/terraform/projects/app-prometheus/remote-state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,7 +54,7 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" region = "eu-west-1" } @@ -64,7 +64,7 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" region = "eu-west-1" } 
@@ -74,7 +74,7 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" region = "eu-west-1" } @@ -84,7 +84,7 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" region = "eu-west-1" } @@ -94,7 +94,7 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" region = "eu-west-1" } @@ -104,7 +104,7 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" region = "eu-west-1" } diff --git a/terraform/projects/app-prometheus/userdata-snippet.tf b/terraform/projects/app-prometheus/userdata-snippet.tf index 4d6d9e8f9..d14ea5772 100644 --- a/terraform/projects/app-prometheus/userdata-snippet.tf +++ b/terraform/projects/app-prometheus/userdata-snippet.tf @@ -9,7 +9,7 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } 
@@ -17,9 +17,9 @@ variable "user_data_snippets" { # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${file("../../userdata/${element(var.user_data_snippets, count.index)}")}" + snippet = file("../../userdata/${element(var.user_data_snippets, count.index)}") } } diff --git a/terraform/projects/app-publishing-amazonmq/main.tf b/terraform/projects/app-publishing-amazonmq/main.tf index 098655ad8..3f184d7ee 100644 --- a/terraform/projects/app-publishing-amazonmq/main.tf +++ b/terraform/projects/app-publishing-amazonmq/main.tf @@ -73,6 +73,9 @@ locals { Project = var.stackname aws_stackname = var.stackname aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" } } # -------------------------------------------------------------- diff --git a/terraform/projects/app-puppetmaster/README.md b/terraform/projects/app-puppetmaster/README.md index 19253d79e..4854145e2 100644 --- a/terraform/projects/app-puppetmaster/README.md +++ b/terraform/projects/app-puppetmaster/README.md @@ -70,7 +70,7 @@ Puppetmaster node | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs 
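Review bot: In the amazonmq `locals` hunk, `Environment = "${var.aws_environment}"` is the only line using interpolation-only quoting while its neighbours in the same map use bare `var.aws_environment`; 0.12 warns on that form, so `Environment = var.aws_environment` keeps the block consistent. Unlike the other resources tagged in this commit, this map gets no `System` tag, so it is unclear whether the omission is deliberate. The puppetmaster README hunk on the same line is documentation-only.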
diff --git a/terraform/projects/app-puppetmaster/main.tf b/terraform/projects/app-puppetmaster/main.tf index 4b14b47a9..101c8eedb 100644 --- a/terraform/projects/app-puppetmaster/main.tf +++ b/terraform/projects/app-puppetmaster/main.tf @@ -4,50 +4,50 @@ * Puppetmaster node */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS environment" } variable "instance_ami_filter_name" { - type = "string" + type = string description = "Name to use to find AMI images" default = "" } variable "enable_bootstrap" { - type = "string" + type = string description = "Whether to create the ELB which allows a user to SSH to the Puppetmaster from the office" default = false } variable "elb_internal_certname" { - type = "string" + type = string description = "The ACM cert domain name to find the ARN of" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name." } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "m5.xlarge" } 
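Review bot: `enable_bootstrap` keeps `type = string` with `default = false`, yet later hunks in this file use it directly as `count` and in `var.enable_bootstrap > 0`; under 0.12's type system a boolean default in a string variable becomes the string `"false"`, which is neither a valid count nor comparable to 0, whereas 0.11 coerced it to `"0"`. Declare it as `type = bool` / `default = false` and change the consumers to `var.enable_bootstrap ? 1 : 0`. The consumers are in later hunks of this file, so the fix spans more than this hunk.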
@@ -60,30 +60,30 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_acm_certificate" "elb_internal_cert" { - domain = "${var.elb_internal_certname}" + domain = var.elb_internal_certname statuses = ["ISSUED"] } data "aws_caller_identity" "current" {} data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } resource "aws_elb" "puppetmaster_bootstrap_elb" { - count = "${var.enable_bootstrap}" + count = var.enable_bootstrap name = "${var.stackname}-puppetmaster-bootstrap" subnets = ["${data.terraform_remote_state.infra_networking.public_subnet_ids}"] security_groups = ["${data.terraform_remote_state.infra_security_groups.sg_offsite_ssh_id}"] access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-puppetmaster-bootstrap-external-elb" interval = 60 } 
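Review bot: `count = var.enable_bootstrap` on the bootstrap ELB relies on the variable being numeric, which the retyped declaration earlier in this file does not guarantee; `count = var.enable_bootstrap ? 1 : 0` (with a `bool` variable) states the intent and fails loudly on a bad value. The unchanged `subnets = ["${...public_subnet_ids}"]` also depends on 0.11 flattening a list inside a list; 0.12 keeps the nested list and the type check against `subnets` fails, so it should become `subnets = data.terraform_remote_state.infra_networking.public_subnet_ids`. The `aws_elb` resource body continues past the end of the hunk.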
@@ -109,19 +109,23 @@ resource "aws_elb" "puppetmaster_bootstrap_elb" { connection_draining_timeout = 400 tags { - Name = "${var.stackname}_puppetmaster_bootstrap" - Project = "${var.stackname}" + Name = "${var.stackname}_puppetmaster_bootstrap" + Project = var.stackname + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} Puppetmaster" } } resource "aws_security_group_rule" "puppetmaster_ingress_offsite-ssh_22" { - count = "${var.enable_bootstrap}" + count = var.enable_bootstrap type = "ingress" from_port = "22" to_port = "22" protocol = "tcp" - source_security_group_id = "${data.terraform_remote_state.infra_security_groups.sg_offsite_ssh_id}" - security_group_id = "${data.terraform_remote_state.infra_security_groups.sg_puppetmaster_id}" + source_security_group_id = data.terraform_remote_state.infra_security_groups.sg_offsite_ssh_id + security_group_id = data.terraform_remote_state.infra_security_groups.sg_puppetmaster_id } resource "aws_elb" "puppetmaster_internal_elb" { @@ -131,7 +135,7 @@ resource "aws_elb" "puppetmaster_internal_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-puppetmaster-internal-elb" interval = 60 } @@ -149,7 +153,7 @@ resource "aws_elb" "puppetmaster_internal_elb" { lb_port = "443" lb_protocol = "https" - ssl_certificate_id = "${data.aws_acm_certificate.elb_internal_cert.arn}" + ssl_certificate_id = data.aws_acm_certificate.elb_internal_cert.arn } health_check { 
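Review bot: The bootstrap ELB's `tags {` block is left in 0.11 block syntax while the internal ELB a few hunks down uses `tags = map(...)`; 0.12 treats `tags` as an argument, so both resources should use the same `tags = { ... }` form. The new `System = "${var.stackname} Puppetmaster"` also differs from the `"Puppet"` value given to the internal ELB and node group in this file, which makes filtering by the System tag awkward — unify on one value unless the distinction is intentional. The `aws_security_group_rule` hunk has the same `count = var.enable_bootstrap` typing issue as the ELB.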
@@ -165,29 +169,29 @@ resource "aws_elb" "puppetmaster_internal_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-puppetmaster", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "puppetmaster")}" + tags = map("Name", "${var.stackname}-puppetmaster", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "puppetmaster", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Puppet") } resource "aws_route53_record" "service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "puppet.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.puppetmaster_internal_elb.dns_name}" - zone_id = "${aws_elb.puppetmaster_internal_elb.zone_id}" + name = aws_elb.puppetmaster_internal_elb.dns_name + zone_id = aws_elb.puppetmaster_internal_elb.zone_id evaluate_target_health = true } } resource "aws_route53_record" "puppetdb_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "puppetdb.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.puppetmaster_internal_elb.dns_name}" - zone_id = "${aws_elb.puppetmaster_internal_elb.zone_id}" + name = aws_elb.puppetmaster_internal_elb.dns_name + zone_id = aws_elb.puppetmaster_internal_elb.zone_id evaluate_target_health = true } } 
@@ -195,27 +199,27 @@ resource "aws_route53_record" "puppetdb_service_record" { module "puppetmaster" { source = "../../modules/aws/node_group" name = "${var.stackname}-puppetmaster" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "puppetmaster", "aws_hostname", "puppetmaster-1")}" - instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "puppetmaster", "aws_hostname", "puppetmaster-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Puppet") + instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_puppetmaster_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids = ["${aws_elb.puppetmaster_internal_elb.id}", "${aws_elb.puppetmaster_bootstrap_elb.*.id}"] - instance_elb_ids_length = "${var.enable_bootstrap > 0 ? 2 : 1}" - instance_ami_filter_name = "${var.instance_ami_filter_name}" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + instance_elb_ids_length = var.enable_bootstrap > 0 ? 
2 : 1 + instance_ami_filter_name = var.instance_ami_filter_name + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn root_block_device_volume_size = "50" } resource "aws_iam_policy" "puppetmaster_iam_policy" { name = "${var.stackname}-puppetmaster-additional" path = "/" - policy = "${file("${path.module}/additional_policy.json")}" + policy = file("${path.module}/additional_policy.json") } resource "aws_iam_role_policy_attachment" "puppetmaster_iam_role_policy_attachment" { - role = "${module.puppetmaster.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.puppetmaster_iam_policy.arn}" + role = module.puppetmaster.instance_iam_role_name + policy_arn = aws_iam_policy.puppetmaster_iam_policy.arn } data "aws_iam_policy_document" "ssm_getparameter_policy_doc" { @@ -235,19 +239,19 @@ data "aws_iam_policy_document" "ssm_getparameter_policy_doc" { resource "aws_iam_policy" "puppetmaster_ssm_getparameter_policy" { name = "${var.stackname}-puppetmaster-ssm-getparameter" - policy = "${data.aws_iam_policy_document.ssm_getparameter_policy_doc.json}" + policy = data.aws_iam_policy_document.ssm_getparameter_policy_doc.json } resource "aws_iam_role_policy_attachment" "puppetmaster_iam_role_policy_attachment_2" { - role = "${module.puppetmaster.instance_iam_role_name}" - policy_arn = "${aws_iam_policy.puppetmaster_ssm_getparameter_policy.arn}" + role = module.puppetmaster.instance_iam_role_name + policy_arn = aws_iam_policy.puppetmaster_ssm_getparameter_policy.arn } module "alarms-elb-puppetmaster-internal" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-puppetmaster-internal" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.puppetmaster_internal_elb.name}" + elb_name = aws_elb.puppetmaster_internal_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "0" httpcode_elb_4xx_threshold = "0" 
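Review bot: `instance_elb_ids = ["${aws_elb.puppetmaster_internal_elb.id}", "${aws_elb.puppetmaster_bootstrap_elb.*.id}"]` is kept as-is, but the second element is a list interpolated into a string, which 0.11 flattened and 0.12 does not, leaving a list whose elements are a string and a list; the 0.12 form is `instance_elb_ids = concat([aws_elb.puppetmaster_internal_elb.id], aws_elb.puppetmaster_bootstrap_elb.*.id)`. Likewise `instance_elb_ids_length = var.enable_bootstrap > 0 ? 2 : 1` compares a string-typed variable with a number; with a `bool` variable this is `var.enable_bootstrap ? 2 : 1`, or simply `length(...)` of that concat. The second hunk (the SSM GetParameter policy and ELB alarms) only drops quoting and raises nothing.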
@@ -260,21 +264,21 @@ module "alarms-elb-puppetmaster-internal" { # -------------------------------------------------------------- output "puppetmaster_internal_elb_dns_name" { - value = "${aws_elb.puppetmaster_internal_elb.dns_name}" + value = aws_elb.puppetmaster_internal_elb.dns_name description = "DNS name to access the puppetmaster service" } output "puppetmaster_bootstrap_elb_dns_name" { - value = "${join("", aws_elb.puppetmaster_bootstrap_elb.*.dns_name)}" + value = join("", aws_elb.puppetmaster_bootstrap_elb.*.dns_name) description = "DNS name to access the puppetmaster bootstrap service" } output "service_dns_name" { - value = "${aws_route53_record.service_record.fqdn}" + value = aws_route53_record.service_record.fqdn description = "DNS name to access the node service" } output "puppetdb_service_dns_name" { - value = "${aws_route53_record.puppetdb_service_record.fqdn}" + value = aws_route53_record.puppetdb_service_record.fqdn description = "DNS name to access the node service" } diff --git a/terraform/projects/app-puppetmaster/remote_state.tf b/terraform/projects/app-puppetmaster/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-puppetmaster/remote_state.tf +++ b/terraform/projects/app-puppetmaster/remote_state.tf 
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-puppetmaster/user_data_snippets.tf b/terraform/projects/app-puppetmaster/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-puppetmaster/user_data_snippets.tf +++ b/terraform/projects/app-puppetmaster/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-related-links/main.tf b/terraform/projects/app-related-links/main.tf index b32f40f25..f3aada7bc 100644 --- a/terraform/projects/app-related-links/main.tf +++ b/terraform/projects/app-related-links/main.tf @@ -6,28 +6,28 @@ * Run resource intensive scripts for data science purposes. */ variable "aws_environment" { - type = "string" + type = string description = "AWS environment" } variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "jenkins_ssh_public_key" { - type = "string" + type = string description = "Jenkins SSH public key" } locals { - content_store_bucket_name = "${data.terraform_remote_state.infra_database_backups_bucket.s3_database_backups_bucket_name}" + content_store_bucket_name = data.terraform_remote_state.infra_database_backups_bucket.s3_database_backups_bucket_name related_links_bucket_name = "govuk-related-links-${var.aws_environment}" } @@ -40,7 +40,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "1.40.0" } 
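Review bot: The related-links project pins `provider "aws" { version = "1.40.0" }` while every other project in this commit pins 2.46.0, and the 1.x AWS provider predates Terraform 0.12's plugin protocol, so the 0.12 expression syntax this hunk introduces is unlikely to `terraform init` against that pin; bump the provider in the same change or keep this project on the old syntax until it can be. The puppetmaster `user_data_snippets` hunk at the start of this line has the same concern as the monitoring copy: `esm_trusty_token` is written into user-data in plaintext with no `description` and no sensitive marking.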
@@ -57,15 +57,19 @@ data "aws_secretsmanager_secret" "secret_publishing_api_bearer_token" { } resource "aws_s3_bucket" "s3_bucket" { - bucket = "${local.related_links_bucket_name}" + bucket = local.related_links_bucket_name versioning { enabled = true } tags { - aws_environment = "${var.aws_environment}" - Name = "${local.related_links_bucket_name}" + aws_environment = var.aws_environment + Name = local.related_links_bucket_name + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${local.related_links_bucket_name} Bucket" } } @@ -82,12 +86,12 @@ data "aws_ami" "ubuntu_bionic" { } data "template_file" "ec2_assume_policy_template" { - template = "${file("${path.module}/../../policies/ec2_assume_policy.tpl")}" + template = file("${path.module}/../../policies/ec2_assume_policy.tpl") } resource "aws_iam_role" "ec2_role" { name = "${var.stackname}-ec2-role" - assume_role_policy = "${data.template_file.ec2_assume_policy_template.rendered}" + assume_role_policy = data.template_file.ec2_assume_policy_template.rendered } data "aws_iam_policy_document" "read_content_store_backups_bucket_policy_document" { 
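Review bot: `aws_s3_bucket.s3_bucket` is fully visible in the hunk and gains tags and versioning but no `server_side_encryption_configuration`, so unless account-level default encryption is in force the related-links data is stored unencrypted; a default `AES256` rule costs nothing to add. An `aws_s3_bucket_public_access_block` for the bucket would also be worth adding, subject to what the pinned provider version supports. The `tags {` block form should become `tags = {` if 0.12 is the target.

```hcl
resource "aws_s3_bucket" "s3_bucket" {
  bucket = local.related_links_bucket_name

  # … unchanged: versioning …

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # … unchanged: tags …
}
```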
@@ -150,16 +154,16 @@ data "aws_iam_policy_document" "read_secrets_from_secrets_manager_policy_documen } data "template_file" "provision-generation-instance-userdata" { - template = "${file("${path.module}/provision-generation-instance.tpl")}" + template = file("${path.module}/provision-generation-instance.tpl") vars { - database_backups_bucket_name = "${data.terraform_remote_state.infra_database_backups_bucket.s3_database_backups_bucket_name}" + database_backups_bucket_name = data.terraform_remote_state.infra_database_backups_bucket.s3_database_backups_bucket_name related_links_bucket_name = "govuk-related-links-${var.aws_environment}" } } data "template_file" "provision-ingestion-instance-userdata" { - template = "${file("${path.module}/provision-ingestion-instance.tpl")}" + template = file("${path.module}/provision-ingestion-instance.tpl") vars { publishing_api_uri = "https://publishing-api.${var.aws_environment}.govuk-internal.digital" 
@@ -227,62 +231,62 @@ data "aws_iam_policy_document" "related_links_jenkins_policy_document" { resource "aws_iam_policy" "read_content_store_backups_bucket_policy" { name = "read_content_store_backups_bucket_policy" - policy = "${data.aws_iam_policy_document.read_content_store_backups_bucket_policy_document.json}" + policy = data.aws_iam_policy_document.read_content_store_backups_bucket_policy_document.json } resource "aws_iam_policy" "read_write_related_links_bucket_policy" { name = "read_write_related_links_bucket_policy" - policy = "${data.aws_iam_policy_document.read_write_related_links_bucket_policy_document.json}" + policy = data.aws_iam_policy_document.read_write_related_links_bucket_policy_document.json } resource "aws_iam_policy" "read_secrets_from_secrets_manager_policy" { name = "read_secrets_from_secrets_manager_policy" - policy = "${data.aws_iam_policy_document.read_secrets_from_secrets_manager_policy_document.json}" + policy = data.aws_iam_policy_document.read_secrets_from_secrets_manager_policy_document.json } resource "aws_iam_role_policy_attachment" "attach_read_content_store_backups_bucket_policy" { - role = "${aws_iam_role.ec2_role.name}" - policy_arn = "${aws_iam_policy.read_content_store_backups_bucket_policy.arn}" + role = aws_iam_role.ec2_role.name + policy_arn = aws_iam_policy.read_content_store_backups_bucket_policy.arn } resource "aws_iam_role_policy_attachment" "attach_read_write_related_links_bucket_policy" { - role = "${aws_iam_role.ec2_role.name}" - policy_arn = "${aws_iam_policy.read_write_related_links_bucket_policy.arn}" + role = aws_iam_role.ec2_role.name + policy_arn = aws_iam_policy.read_write_related_links_bucket_policy.arn } resource "aws_iam_role_policy_attachment" "attach_read_secrets_from_secrets_manager_policy" { - role = "${aws_iam_role.ec2_role.name}" - policy_arn = "${aws_iam_policy.read_secrets_from_secrets_manager_policy.arn}" + role = aws_iam_role.ec2_role.name + policy_arn = 
aws_iam_policy.read_secrets_from_secrets_manager_policy.arn } resource "aws_iam_policy" "related_links_jenkins_policy" { name = "related_links_jenkins_policy" - policy = "${data.aws_iam_policy_document.related_links_jenkins_policy_document.json}" + policy = data.aws_iam_policy_document.related_links_jenkins_policy_document.json } resource "aws_iam_instance_profile" "related-links_instance-profile" { name = "related-links_instance-profile" - role = "${aws_iam_role.ec2_role.name}" + role = aws_iam_role.ec2_role.name } resource "aws_key_pair" "jenkins_public_key" { key_name = "jenkins-public-key" - public_key = "${var.jenkins_ssh_public_key}" + public_key = var.jenkins_ssh_public_key } resource "aws_launch_template" "related-links-generation_launch-template" { name = "related-links-generation_launch-template" - image_id = "${data.aws_ami.ubuntu_bionic.id}" + image_id = data.aws_ami.ubuntu_bionic.id instance_type = "m5.8xlarge" vpc_security_group_ids = [ "${data.terraform_remote_state.infra_security_groups.sg_related-links_id}", ] - key_name = "${aws_key_pair.jenkins_public_key.key_name}" + key_name = aws_key_pair.jenkins_public_key.key_name iam_instance_profile { - name = "${aws_iam_instance_profile.related-links_instance-profile.name}" + name = aws_iam_instance_profile.related-links_instance-profile.name } instance_initiated_shutdown_behavior = "terminate" @@ -299,7 +303,7 @@ resource "aws_launch_template" "related-links-generation_launch-template" { } } - user_data = "${base64encode(data.template_file.provision-generation-instance-userdata.rendered)}" + user_data = base64encode(data.template_file.provision-generation-instance-userdata.rendered) } resource "aws_autoscaling_group" "related-links-generation" { 
@@ -309,7 +313,7 @@ resource "aws_autoscaling_group" "related-links-generation" { desired_capacity = 0 launch_template { - id = "${aws_launch_template.related-links-generation_launch-template.id}" + id = aws_launch_template.related-links-generation_launch-template.id version = "$Latest" } @@ -319,12 +323,16 @@ resource "aws_autoscaling_group" "related-links-generation" { key = "Name" value = "related-links-generation" propagate_at_launch = true + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${local.related_links_bucket_name} Bucket" } } resource "aws_launch_template" "related-links-ingestion_launch-template" { name = "related-links-ingestion_launch-template" - image_id = "${data.aws_ami.ubuntu_bionic.id}" + image_id = data.aws_ami.ubuntu_bionic.id instance_type = "t2.micro" vpc_security_group_ids = [ @@ -332,10 +340,10 @@ resource "aws_launch_template" "related-links-ingestion_launch-template" { "${data.terraform_remote_state.infra_security_groups.sg_management_id}", ] - key_name = "${aws_key_pair.jenkins_public_key.key_name}" + key_name = aws_key_pair.jenkins_public_key.key_name iam_instance_profile { - name = "${aws_iam_instance_profile.related-links_instance-profile.name}" + name = aws_iam_instance_profile.related-links_instance-profile.name } instance_initiated_shutdown_behavior = "terminate" @@ -352,7 +360,7 @@ resource "aws_launch_template" "related-links-ingestion_launch-template" { } } - user_data = "${base64encode(data.template_file.provision-ingestion-instance-userdata.rendered)}" + user_data = base64encode(data.template_file.provision-ingestion-instance-userdata.rendered) } resource "aws_autoscaling_group" "related-links-ingestion" { 
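Review bot: The four lines added inside the `tag { ... }` block of `aws_autoscaling_group.related-links-generation` (`Environment`, `Product`, `Owner`, `System`) are not valid there: an ASG `tag` block accepts only `key`, `value` and `propagate_at_launch`, so this will fail with an unsupported-argument error rather than tag anything. Each tag needs its own `tag` block with `propagate_at_launch` set, as below; the `related-links-ingestion` ASG hunk on the next line and the `learntorank-generation` ASG hunk in app-search/main.tf have the identical problem. Separately, `System = "${local.related_links_bucket_name} Bucket"` labels EC2 instances as a bucket, which looks like a copy from the S3 resource — presumably a value describing the generation job is intended.
```hcl
  # … unchanged: the existing Name tag block …

  tag {
    key                 = "Environment"
    value               = var.aws_environment
    propagate_at_launch = true
  }

  tag {
    key                 = "Product"
    value               = "GOVUK"
    propagate_at_launch = true
  }

  tag {
    key                 = "Owner"
    value               = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
    propagate_at_launch = true
  }

  tag {
    key                 = "System"
    value               = "${local.related_links_bucket_name} Bucket"
    propagate_at_launch = true
  }
```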
@@ -362,7 +370,7 @@ resource "aws_autoscaling_group" "related-links-ingestion" { desired_capacity = 0 launch_template { - id = "${aws_launch_template.related-links-ingestion_launch-template.id}" + id = aws_launch_template.related-links-ingestion_launch-template.id version = "$Latest" } @@ -372,6 +380,10 @@ resource "aws_autoscaling_group" "related-links-ingestion" { key = "Name" value = "related-links-ingestion" propagate_at_launch = true + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${local.related_links_bucket_name} Bucket" } } @@ -379,16 +391,16 @@ resource "aws_autoscaling_group" "related-links-ingestion" { # -------------------------------------------------------------- output "policy_read_content_store_backups_bucket_policy_arn" { - value = "${aws_iam_policy.read_content_store_backups_bucket_policy.arn}" + value = aws_iam_policy.read_content_store_backups_bucket_policy.arn description = "ARN of the policy used to read content store backups from the database backups bucket" } output "policy_read_write_related_links_bucket_policy_arn" { - value = "${aws_iam_policy.read_write_related_links_bucket_policy.arn}" + value = aws_iam_policy.read_write_related_links_bucket_policy.arn description = "ARN of the policy used to read/write data from/to the related links bucket" } output "policy_related_links_jenkins_policy_arn" { - value = "${aws_iam_policy.related_links_jenkins_policy.arn}" + value = aws_iam_policy.related_links_jenkins_policy.arn description = "ARN of the policy used by Jenkins to manage related links generation and ingestion" } diff --git a/terraform/projects/app-related-links/remote-state.tf b/terraform/projects/app-related-links/remote-state.tf index 6f62941b1..9647f1b5b 100644 --- a/terraform/projects/app-related-links/remote-state.tf +++ b/terraform/projects/app-related-links/remote-state.tf 
@@ -7,48 +7,48 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } variable "remote_state_infra_database_backups_bucket_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_database_backups_bucket remote state" default = "" } @@ -60,9 +60,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -70,9 +70,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -80,9 +80,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -90,9 +90,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -100,9 +100,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -110,9 +110,9 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -120,8 +120,8 @@ data "terraform_remote_state" "infra_database_backups_bucket" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_database_backups_bucket_key_stack, var.stackname)}/infra-database-backups-bucket.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-router-backend/README.md b/terraform/projects/app-router-backend/README.md index 79d3419e1..10d1414a3 100644 --- a/terraform/projects/app-router-backend/README.md +++ b/terraform/projects/app-router-backend/README.md @@ -79,7 +79,7 @@ Router backend hosts both Mongo and router-api | [router-backend\_3\_reserved\_ips\_subnet](#input\_router-backend\_3\_reserved\_ips\_subnet) | Name of the subnet to place the reserved IP of the instance | `any` | n/a | yes | | [router-backend\_3\_subnet](#input\_router-backend\_3\_subnet) | Name of the subnet to place the Router Mongo 3 | `any` | n/a | yes | | [stackname](#input\_stackname) | Stackname | `any` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(any)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-router-backend/main.tf b/terraform/projects/app-router-backend/main.tf index 2b83fa4bd..c05d27d67 100644 --- a/terraform/projects/app-router-backend/main.tf +++ b/terraform/projects/app-router-backend/main.tf @@ -24,6 +24,10 @@ locals { "aws_stackname" = var.stackname "aws_environment" = var.aws_environment "aws_migration" = "router_backend" + "Environment" = "${var.aws_environment}" + "Product" = "GOVUK" + "Owner" = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + "System" = "${var.stackname} Router" } } 
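Review bot: `"Environment" = "${var.aws_environment}"` in the `locals` hunk keeps the interpolation-only wrapping that the rest of this commit removes; `"Environment" = var.aws_environment` is the consistent form (the same wrapping recurs in the app-search, app-shared-documentdb and app-router-backend tag additions that follow). Because these four keys are now part of `local.default_tags`, the copies added inside every `merge(local.default_tags, { ... })` in the next two lines are redundant, and they disagree with each other: the locals and the router-backend-1 ENI say `System = "${var.stackname} Router"` while the module blocks and the other ENIs say `"${var.stackname} Backend"`, and since the inline map wins the merge, the effective System tag differs per resource. Dropping the inline copies so that `local.default_tags` is the single source would remove the drift.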
@@ -39,6 +43,10 @@ resource "aws_network_interface" "router-backend-1_eni" { tags = merge(local.default_tags, { Name = "${var.stackname}-router-backend-1" aws_hostname = "router-backend-1" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} Router" }) } @@ -55,6 +63,10 @@ module "router-backend-1" { name = "${var.stackname}-router-backend-1" default_tags = merge(local.default_tags, { "aws_hostname" = "router-backend-1" + "Environment" = "${var.aws_environment}" + "Product" = "GOVUK" + "Owner" = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + "System" = "${var.stackname} Backend" }) instance_subnet_ids = matchkeys( values(data.terraform_remote_state.infra_networking.outputs.private_subnet_names_ids_map), @@ -84,6 +96,10 @@ resource "aws_network_interface" "router-backend-2_eni" { tags = merge(local.default_tags, { Name = "${var.stackname}-router-backend-2" aws_hostname = "router-backend-2" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} Backend" }) } @@ -100,6 +116,10 @@ module "router-backend-2" { name = "${var.stackname}-router-backend-2" default_tags = merge(local.default_tags, { "aws_hostname" = "router-backend-2" + "Environment" = "${var.aws_environment}" + "Product" = "GOVUK" + "Owner" = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + "System" = "${var.stackname} Backend" }) instance_subnet_ids = matchkeys( values(data.terraform_remote_state.infra_networking.outputs.private_subnet_names_ids_map), 
@@ -129,6 +149,10 @@ resource "aws_network_interface" "router-backend-3_eni" { tags = merge(local.default_tags, { Name = "${var.stackname}-router-backend-3" aws_hostname = "router-backend-3" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} Backend" }) } @@ -145,6 +169,10 @@ module "router-backend-3" { name = "${var.stackname}-router-backend-3" default_tags = merge(local.default_tags, { "aws_hostname" = "router-backend-3" + "Environment" = "${var.aws_environment}" + "Product" = "GOVUK" + "Owner" = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + "System" = "${var.stackname} Backend" }) instance_subnet_ids = matchkeys( values(data.terraform_remote_state.infra_networking.outputs.private_subnet_names_ids_map), diff --git a/terraform/projects/app-router-backend/user_data_snippets.tf b/terraform/projects/app-router-backend/user_data_snippets.tf index ce6766cb2..ef7b69bcf 100644 --- a/terraform/projects/app-router-backend/user_data_snippets.tf +++ b/terraform/projects/app-router-backend/user_data_snippets.tf @@ -1,5 +1,5 @@ variable "user_data_snippets" { - type = list + type = list(any) description = "List of user-data snippets" } diff --git a/terraform/projects/app-search/README.md b/terraform/projects/app-search/README.md index f369e4a69..84def16a8 100644 --- a/terraform/projects/app-search/README.md +++ b/terraform/projects/app-search/README.md 
@@ -81,7 +81,7 @@ Search application servers | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `any` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(any)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-search/main.tf b/terraform/projects/app-search/main.tf index fd334f370..92fc12de5 100644 --- a/terraform/projects/app-search/main.tf +++ b/terraform/projects/app-search/main.tf @@ -22,6 +22,10 @@ module "search" { "aws_environment" = var.aws_environment "aws_migration" = "search" "aws_hostname" = "search-1" + "Environment" = "${var.aws_environment}" + "Product" = "GOVUK" + "Owner" = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + "System" = "${var.stackname} Search" } instance_subnet_ids = data.terraform_remote_state.infra_networking.outputs.private_subnet_ids instance_security_group_ids = [ @@ -45,6 +49,10 @@ resource "aws_s3_bucket" "sitemaps_bucket" { tags = { Name = "govuk-${var.aws_environment}-sitemaps" aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "${var.stackname} Search" } logging { target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id 
@@ -120,6 +128,10 @@ resource "aws_s3_bucket" "search_relevancy_bucket" { Name = "govuk-${var.aws_environment}-search-relevancy" Description = "S3 bucket for Search Relevancy" aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Apt Package Storage" } logging { @@ -298,6 +310,10 @@ resource "aws_autoscaling_group" "learntorank-generation" { key = "Name" value = "govuk-${var.aws_environment}-search-ltr-generation" propagate_at_launch = true + Environment = var.aws_environment + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Apt Package Storage" } } diff --git a/terraform/projects/app-search/user_data_snippets.tf b/terraform/projects/app-search/user_data_snippets.tf index ce6766cb2..ef7b69bcf 100644 --- a/terraform/projects/app-search/user_data_snippets.tf +++ b/terraform/projects/app-search/user_data_snippets.tf @@ -1,5 +1,5 @@ variable "user_data_snippets" { - type = list + type = list(any) description = "List of user-data snippets" } diff --git a/terraform/projects/app-shared-documentdb/main.tf b/terraform/projects/app-shared-documentdb/main.tf index 9c93d28c8..eb9853ff5 100644 --- a/terraform/projects/app-shared-documentdb/main.tf +++ b/terraform/projects/app-shared-documentdb/main.tf 
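Review bot: `System = "Apt Package Storage"` on `aws_s3_bucket.search_relevancy_bucket` (and again on the `learntorank-generation` ASG in the next hunk) names the app-apt project, not search; the sitemaps bucket and the `search` module earlier in this file use `"${var.stackname} Search"`. This looks like a value copied from app-apt/main.tf — suggest `System = "${var.stackname} Search"` in both places so the search relevancy data is attributed to the right system in cost and ownership reports.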
@@ -5,78 +5,78 @@ * 1. asset-manager */ variable "aws_environment" { - type = "string" + type = string description = "AWS environment" } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for DocumentDB resources" default = "db.r5.large" } variable "instance_count" { - type = "string" + type = string description = "Instance count used for DocumentDB resources" default = "3" } variable "master_username" { - type = "string" + type = string description = "Username of master user on DocumentDB cluster" } variable "master_password" { - type = "string" + type = string description = "Password of master user on DocumentDB cluster" } variable "tls" { - type = "string" + type = string description = "Whether to enable or disable TLS for the DocumentDB cluster. Must be either 'enabled' or 'disabled'." default = "disabled" } variable "profiler" { - type = "string" + type = string description = "Whether to log slow queries to CloudWatch. Must be either 'enabled' or 'disabled'." default = "enabled" } variable "profiler_threshold_ms" { - type = "string" + type = string description = "Queries which take longer than this number of milliseconds are logged to CloudWatch if profiler is enabled. Minimum is 50." 
default = "300" } variable "backup_retention_period" { - type = "string" + type = string description = "Retention period in days for DocumentDB automatic snapshots" default = "1" } @@ -89,16 +89,16 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } resource "aws_docdb_cluster_instance" "cluster_instances" { - count = "${var.instance_count}" + count = var.instance_count identifier = "shared-documentdb-${count.index}" - cluster_identifier = "${aws_docdb_cluster.cluster.id}" - instance_class = "${var.instance_type}" - tags = "${aws_docdb_cluster.cluster.tags}" + cluster_identifier = aws_docdb_cluster.cluster.id + instance_class = var.instance_type + tags = aws_docdb_cluster.cluster.tags } resource "aws_docdb_subnet_group" "cluster_subnet" { 
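Review bot: `variable "instance_count"` is retyped as `type = string` with `default = "3"` but feeds `count = var.instance_count` in the `cluster_instances` hunk below; now that 0.12 types are in use, `type = number` / `default = 3` states the real contract and avoids relying on implicit conversion. `variable "master_password"` is touched in the same hunk and still carries no `sensitive` marking; if the Terraform version this project targets is 0.14 or later, adding `sensitive = true` keeps the DocumentDB master password out of plan and apply output. The `instance_type` default `"db.r5.large"` is fine as a string.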
@@ -113,45 +113,49 @@ resource "aws_docdb_cluster_parameter_group" "parameter_group" { parameter { name = "tls" - value = "${var.tls}" + value = var.tls } parameter { name = "profiler" - value = "${var.profiler}" + value = var.profiler } parameter { name = "profiler_threshold_ms" - value = "${var.profiler_threshold_ms}" + value = var.profiler_threshold_ms } } resource "aws_docdb_cluster" "cluster" { cluster_identifier = "shared-documentdb-${var.aws_environment}" availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] - db_subnet_group_name = "${aws_docdb_subnet_group.cluster_subnet.name}" - master_username = "${var.master_username}" - master_password = "${var.master_password}" + db_subnet_group_name = aws_docdb_subnet_group.cluster_subnet.name + master_username = var.master_username + master_password = var.master_password storage_encrypted = true - backup_retention_period = "${var.backup_retention_period}" - db_cluster_parameter_group_name = "${aws_docdb_cluster_parameter_group.parameter_group.name}" - kms_key_id = "${data.terraform_remote_state.infra_security.outputs.shared_documentdb_kms_key_arn}" + backup_retention_period = var.backup_retention_period + db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.parameter_group.name + kms_key_id = data.terraform_remote_state.infra_security.outputs.shared_documentdb_kms_key_arn vpc_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.outputs.sg_shared_documentdb_id}"] # enabled_cloudwatch_logs_exports is ["profiler"] if profiling is enabled, otherwise []. - enabled_cloudwatch_logs_exports = "${slice("${list("profiler")}", 0, var.profiler == "enabled" ? 1 : 0)}" + enabled_cloudwatch_logs_exports = slice("${list("profiler")}", 0, var.profiler == "enabled" ? 
1 : 0) tags = { - Service = "shared documentdb" - Customer = "asset-manager" - Name = "shared-documentdb" - Source = "app-shared-documentdb" + Service = "shared documentdb" + Customer = "asset-manager" + Name = "shared-documentdb" + Source = "app-shared-documentdb" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "DocumentDB" } } resource "aws_route53_record" "share-documentdb_internal_service_cname" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "shared-documentdb.${var.internal_domain_name}" type = "CNAME" ttl = 300 @@ -161,6 +165,6 @@ resource "aws_route53_record" "share-documentdb_internal_service_cname" { # Outputs # -------------------------------------------------------------- output "shared_documentdb_endpoint" { - value = "${aws_docdb_cluster.cluster.endpoint}" + value = aws_docdb_cluster.cluster.endpoint description = "The endpoint of the shared DocumentDB" } diff --git a/terraform/projects/app-shared-documentdb/remote_state.tf b/terraform/projects/app-shared-documentdb/remote_state.tf index 76079290a..8e460df80 100644 --- a/terraform/projects/app-shared-documentdb/remote_state.tf +++ b/terraform/projects/app-shared-documentdb/remote_state.tf 
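Review bot: `enabled_cloudwatch_logs_exports = slice("${list("profiler")}", 0, var.profiler == "enabled" ? 1 : 0)` still relies on the deprecated `list()` function and on wrapping a list in a string template, both of which 0.12 only tolerates with warnings and later versions reject; the conditional the comment above describes can be written directly as `enabled_cloudwatch_logs_exports = var.profiler == "enabled" ? ["profiler"] : []`. The comment line stays accurate with that change. `Environment = "${var.aws_environment}"` in the `tags` map below keeps the interpolation-only wrapping the commit otherwise removes.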
@@ -7,48 +7,48 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_key_stack" { - type = "string" + type = string description = "Override infra_security stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } diff --git a/terraform/projects/app-transition-db-admin/README.md b/terraform/projects/app-transition-db-admin/README.md index 325f39b6f..222572ebb 100644 --- a/terraform/projects/app-transition-db-admin/README.md +++ b/terraform/projects/app-transition-db-admin/README.md 
@@ -64,7 +64,7 @@ DB admin boxes for Transition's RDS instance | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-transition-db-admin/main.tf b/terraform/projects/app-transition-db-admin/main.tf index 256145e45..3e8381b93 100644 --- a/terraform/projects/app-transition-db-admin/main.tf +++ b/terraform/projects/app-transition-db-admin/main.tf 
@@ -4,39 +4,39 @@ * DB admin boxes for Transition's RDS instance */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "remote_state_infra_database_backups_bucket_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_database_backups_bucket remote state" default = "" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for EC2 resources" default = "t2.medium" } @@ -49,12 +49,12 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } @@ -65,7 +65,7 @@ resource "aws_elb" "transition-db-admin_elb" { internal = "true" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-transition-db-admin-internal-elb" interval = 60 } 
@@ -91,34 +91,34 @@ resource "aws_elb" "transition-db-admin_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-transition-db-admin", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "transition_db_admin")}" + tags = map("Name", "${var.stackname}-transition-db-admin", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "transition_db_admin", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Transition Database") } module "transition-db-admin" { source = "../../modules/aws/node_group" name = "${var.stackname}-transition-db-admin" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "transition_db_admin", "aws_hostname", "transition-db-admin-1")}" - instance_subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_ids}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "transition_db_admin", "aws_hostname", "transition-db-admin-1", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Transition Database") + instance_subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_ids instance_security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_transition-db-admin_id}", "${data.terraform_remote_state.infra_security_groups.sg_management_id}"] - instance_type = "${var.instance_type}" - instance_additional_user_data = "${join("\n", null_resource.user_data.*.triggers.snippet)}" + instance_type = var.instance_type + instance_additional_user_data = join("\n", null_resource.user_data.*.triggers.snippet) instance_elb_ids_length = "1" 
instance_elb_ids = ["${aws_elb.transition-db-admin_elb.id}"] asg_max_size = "1" asg_min_size = "1" asg_desired_capacity = "1" - asg_notification_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn}" + asg_notification_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_autoscaling_group_events_arn root_block_device_volume_size = "64" } resource "aws_route53_record" "transition_db_admin_service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "transition-db-admin.${var.internal_domain_name}" type = "A" alias { - name = "${aws_elb.transition-db-admin_elb.dns_name}" - zone_id = "${aws_elb.transition-db-admin_elb.zone_id}" + name = aws_elb.transition-db-admin_elb.dns_name + zone_id = aws_elb.transition-db-admin_elb.zone_id evaluate_target_health = true } } @@ -126,7 +126,7 @@ resource "aws_route53_record" "transition_db_admin_service_record" { module "alarms-autoscaling-transition-db-admin" { source = "../../modules/aws/alarms/autoscaling" name_prefix = "${var.stackname}-transition-db-admin" - autoscaling_group_name = "${module.transition-db-admin.autoscaling_group_name}" + autoscaling_group_name = module.transition-db-admin.autoscaling_group_name alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] groupinserviceinstances_threshold = "1" } @@ -134,7 +134,7 @@ module "alarms-autoscaling-transition-db-admin" { module "alarms-ec2-transition-db-admin" { source = "../../modules/aws/alarms/ec2" name_prefix = "${var.stackname}-transition-db-admin" - autoscaling_group_name = "${module.transition-db-admin.autoscaling_group_name}" + autoscaling_group_name = module.transition-db-admin.autoscaling_group_name alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] cpuutilization_threshold = "85" } 
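Review bot: `tags = map("Name", ..., "System", "${var.stackname} Transition Database")` and the `default_tags = map(...)` line in the module block now each pack twelve tag keys into one call of the `map()` function, which is deprecated in 0.12 and removed later, and a single very long line hides any mismatched key/value pairing. Writing them as map literals keeps the same tags and is the form the rest of this commit uses; the rewritten `tags` is below and `default_tags` follows the same pattern with its `aws_stackname`/`aws_hostname` keys. The module block `transition-db-admin` starts on the previous line and this hunk continues from there.
```hcl
  tags = {
    Name            = "${var.stackname}-transition-db-admin"
    Project         = var.stackname
    aws_environment = var.aws_environment
    aws_migration   = "transition_db_admin"
    Environment     = var.aws_environment
    Product         = "GOVUK"
    Owner           = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
    System          = "${var.stackname} Transition Database"
  }
  # … unchanged: module "transition-db-admin" source and name …
  default_tags = {
    Project         = var.stackname
    aws_stackname   = var.stackname
    aws_environment = var.aws_environment
    aws_migration   = "transition_db_admin"
    aws_hostname    = "transition-db-admin-1"
    Environment     = var.aws_environment
    Product         = "GOVUK"
    Owner           = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
    System          = "${var.stackname} Transition Database"
  }
```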
@@ -143,41 +143,41 @@ data "terraform_remote_state" "infra_database_backups_bucket" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_database_backups_bucket_key_stack, var.stackname)}/infra-database-backups-bucket.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } resource "aws_iam_role_policy_attachment" "write_transition-db-admin_database_backups_iam_role_policy_attachment" { count = 1 - role = "${module.transition-db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.transition_dbadmin_write_database_backups_bucket_policy_arn}" + role = module.transition-db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.transition_dbadmin_write_database_backups_bucket_policy_arn } # Non-production environments should be able to read the database backups from production to pull data for syncing. resource "aws_iam_role_policy_attachment" "read_production_transition-db-admin_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment != "production" ? 1 : 0}" - role = "${module.transition-db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.production_transition_dbadmin_read_database_backups_bucket_policy_arn}" + count = var.aws_environment != "production" ? 1 : 0 + role = module.transition-db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.production_transition_dbadmin_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "read_integration_transition-db-admin_database_backups_iam_role_policy_attachment" { - count = "${var.aws_environment == "integration" ? 
1 : 0}" - role = "${module.transition-db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.integration_transition_dbadmin_read_database_backups_bucket_policy_arn}" + count = var.aws_environment == "integration" ? 1 : 0 + role = module.transition-db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.integration_transition_dbadmin_read_database_backups_bucket_policy_arn } resource "aws_iam_role_policy_attachment" "read_staging_transition-db-admin_database_backups_iam_role_policy_attachment" { - count = "${(var.aws_environment == "staging") || (var.aws_environment == "production") ? 1 : 0}" - role = "${module.transition-db-admin.instance_iam_role_name}" - policy_arn = "${data.terraform_remote_state.infra_database_backups_bucket.staging_transition_dbadmin_read_database_backups_bucket_policy_arn}" + count = (var.aws_environment == "staging") || (var.aws_environment == "production") ? 1 : 0 + role = module.transition-db-admin.instance_iam_role_name + policy_arn = data.terraform_remote_state.infra_database_backups_bucket.staging_transition_dbadmin_read_database_backups_bucket_policy_arn } # Outputs # -------------------------------------------------------------- output "transition-db-admin_elb_dns_name" { - value = "${aws_elb.transition-db-admin_elb.dns_name}" + value = aws_elb.transition-db-admin_elb.dns_name description = "DNS name to access the transition-db-admin service" } diff --git a/terraform/projects/app-transition-db-admin/remote_state.tf b/terraform/projects/app-transition-db-admin/remote_state.tf index fee326ea3..7e9222d71 100644 --- a/terraform/projects/app-transition-db-admin/remote_state.tf +++ b/terraform/projects/app-transition-db-admin/remote_state.tf 
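Review bot: `config {` on the `data "terraform_remote_state" "infra_database_backups_bucket"` at the top of this hunk is still written as a nested block, but in the 0.12+ syntax the rest of the hunk adopts `config` is a map argument and must be `config = { bucket = var.remote_state_bucket, key = "...", region = var.aws_region }`; the block form is rejected as an unsupported block type. The same `config {` survives in every `data "terraform_remote_state"` of the remote_state.tf hunks for app-transition-db-admin and app-transition-postgresql on this page, so the conversion is incomplete for all of them.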
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-transition-db-admin/user_data_snippets.tf b/terraform/projects/app-transition-db-admin/user_data_snippets.tf index 02e8d1eba..9d921788c 100644 --- a/terraform/projects/app-transition-db-admin/user_data_snippets.tf +++ b/terraform/projects/app-transition-db-admin/user_data_snippets.tf 
@@ -9,21 +9,21 @@ # variable "user_data_snippets" { - type = "list" + type = list(string) description = "List of user-data snippets" } variable "esm_trusty_token" { - type = "string" + type = string } # Resources # -------------------------------------------------------------- resource "null_resource" "user_data" { - count = "${length(var.user_data_snippets)}" + count = length(var.user_data_snippets) triggers { - snippet = "${replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}")}" + snippet = replace(file("../../userdata/${element(var.user_data_snippets, count.index)}"), "ESM_TRUSTY_TOKEN", "${var.esm_trusty_token}") } } diff --git a/terraform/projects/app-transition-postgresql/main.tf b/terraform/projects/app-transition-postgresql/main.tf index e52fa7a02..bbe3361ef 100644 --- a/terraform/projects/app-transition-postgresql/main.tf +++ b/terraform/projects/app-transition-postgresql/main.tf 
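Review bot: The value substituted for `ESM_TRUSTY_TOKEN` in the `snippet` trigger comes from `variable "esm_trusty_token"`, which this hunk retypes to `string` without adding `sensitive = true`; as a null_resource trigger the rendered value appears in plan/apply output whenever it changes, and the sensitive flag (Terraform 0.14+) suppresses that, although the rendered snippet is still written to state and to the instance's user-data, which is worth a comment on the variable. The interpolation-only `"${var.esm_trusty_token}"` inside `replace()` was left quoted while the surrounding expressions were unwrapped; `var.esm_trusty_token` is the consistent form. `triggers {` is likewise block syntax for what is a map argument in 0.12+ and needs `triggers = {`. Finally, `user_data_snippets` is declared `list(string)` here but `list(any)` in app-whitehall-backend/user_data_snippets.tf in the same commit; `list(string)` is the right one, since each element is passed to `file()`.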
@@ -4,65 +4,65 @@ * RDS Transition PostgreSQL Primary instance */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "cloudwatch_log_retention" { - type = "string" + type = string description = "Number of days to retain Cloudwatch logs for" } variable "username" { - type = "string" + type = string description = "PostgreSQL username" } variable "password" { - type = "string" + type = string description = "DB password" } variable "multi_az" { - type = "string" + type = string description = "Enable multi-az." default = true } variable "skip_final_snapshot" { - type = "string" + type = string description = "Set to true to NOT create a final snapshot when the cluster is deleted." } variable "snapshot_identifier" { - type = "string" + type = string description = "Specifies whether or not to create the database from this snapshot" default = "" } variable "internal_zone_name" { - type = "string" + type = string description = "The name of the Route53 zone that contains internal records" } variable "internal_domain_name" { - type = "string" + type = string description = "The domain name of the internal DNS records, it could be different from the zone name" } variable "instance_type" { - type = "string" + type = string description = "Instance type used for RDS resources" default = "db.m5.large" } @@ -75,12 +75,12 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } data "aws_route53_zone" "internal" { - name = "${var.internal_zone_name}" + name = var.internal_zone_name private_zone = true } 
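Review bot: `variable "password"` in this hunk is retyped to `string` but not marked `sensitive = true`, so the value passed on as `password = var.password` to the rds_instance module shows up in plan output; the sensitive flag (Terraform 0.14+) keeps it out of plan/apply output, though it still lands in state, and the declaration is the place to say so in a comment. `multi_az` (default `true`) and `skip_final_snapshot` are declared `type = string` although both are consumed as booleans; with first-class types now in use, `type = bool` makes the accepted inputs explicit instead of relying on "true"/"false" string conversion. If the upgrade is meant to go past 0.12, the `version = "2.46.0"` pin inside the provider block is deprecated from 0.13 in favour of a `required_providers` entry.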
@@ -115,26 +115,26 @@ module "transition-postgresql-primary_rds_instance" { name = "${var.stackname}-transition-postgresql-primary" engine_name = "postgres" engine_version = "13" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "transition_postgresql_primary")}" - subnet_ids = "${data.terraform_remote_state.infra_networking.private_subnet_rds_ids}" - username = "${var.username}" - password = "${var.password}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "transition_postgresql_primary", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Transition Database") + subnet_ids = data.terraform_remote_state.infra_networking.private_subnet_rds_ids + username = var.username + password = var.password allocated_storage = "120" max_allocated_storage = "500" - instance_class = "${var.instance_type}" + instance_class = var.instance_type instance_name = "${var.stackname}-transition-postgresql-primary" - multi_az = "${var.multi_az}" + multi_az = var.multi_az security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_transition-postgresql-primary_id}"] - event_sns_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_rds_events_arn}" - skip_final_snapshot = "${var.skip_final_snapshot}" - snapshot_identifier = "${var.snapshot_identifier}" - parameter_group_name = "${aws_db_parameter_group.app_transition_pg.name}" + event_sns_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_rds_events_arn + skip_final_snapshot = var.skip_final_snapshot + snapshot_identifier = var.snapshot_identifier + parameter_group_name = aws_db_parameter_group.app_transition_pg.name monitoring_interval = "60" - monitoring_role_arn = 
"${data.terraform_remote_state.infra_monitoring.rds_enhanced_monitoring_role_arn}" + monitoring_role_arn = data.terraform_remote_state.infra_monitoring.rds_enhanced_monitoring_role_arn } resource "aws_route53_record" "service_record" { - zone_id = "${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "transition-postgresql-primary.${var.internal_domain_name}" type = "CNAME" ttl = 300 
@@ -145,23 +145,23 @@ module "transition-postgresql-standby_rds_instance" { source = "../../modules/aws/rds_instance" name = "${var.stackname}-transition-postgresql-standby" - default_tags = "${map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "transition_postgresql_standby")}" - instance_class = "${var.instance_type}" + default_tags = map("Project", var.stackname, "aws_stackname", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "transition_postgresql_standby", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "${var.stackname} Transition Database") + instance_class = var.instance_type instance_name = "${var.stackname}-transition-postgresql-standby" security_group_ids = ["${data.terraform_remote_state.infra_security_groups.sg_transition-postgresql-standby_id}"] create_replicate_source_db = "1" allocated_storage = "120" max_allocated_storage = "500" - replicate_source_db = "${module.transition-postgresql-primary_rds_instance.rds_instance_id}" - event_sns_topic_arn = "${data.terraform_remote_state.infra_monitoring.sns_topic_rds_events_arn}" - skip_final_snapshot = "${var.skip_final_snapshot}" - parameter_group_name = "${aws_db_parameter_group.app_transition_pg.name}" + replicate_source_db = module.transition-postgresql-primary_rds_instance.rds_instance_id + event_sns_topic_arn = data.terraform_remote_state.infra_monitoring.sns_topic_rds_events_arn + skip_final_snapshot = var.skip_final_snapshot + parameter_group_name = aws_db_parameter_group.app_transition_pg.name monitoring_interval = "60" - monitoring_role_arn = "${data.terraform_remote_state.infra_monitoring.rds_enhanced_monitoring_role_arn}" + monitoring_role_arn = data.terraform_remote_state.infra_monitoring.rds_enhanced_monitoring_role_arn } resource "aws_route53_record" "replica_service_record" { - zone_id = 
"${data.aws_route53_zone.internal.zone_id}" + zone_id = data.aws_route53_zone.internal.zone_id name = "transition-postgresql-standby.${var.internal_domain_name}" type = "CNAME" ttl = 300 @@ -172,14 +172,14 @@ module "alarms-rds-transition-postgresql-primary" { source = "../../modules/aws/alarms/rds" name_prefix = "${var.stackname}-transition-postgresql-primary" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - db_instance_id = "${module.transition-postgresql-primary_rds_instance.rds_instance_id}" + db_instance_id = module.transition-postgresql-primary_rds_instance.rds_instance_id } module "alarms-rds-transition-postgresql-standby" { source = "../../modules/aws/alarms/rds" name_prefix = "${var.stackname}-transition-postgresql-standby" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.sns_topic_cloudwatch_alarms_arn}"] - db_instance_id = "${module.transition-postgresql-standby_rds_instance.rds_replica_id}" + db_instance_id = module.transition-postgresql-standby_rds_instance.rds_replica_id replicalag_threshold = "300" } 
@@ -187,31 +187,31 @@ module "alarms-rds-transition-postgresql-standby" { # -------------------------------------------------------------- output "transition-postgresql-primary_id" { - value = "${module.transition-postgresql-primary_rds_instance.rds_instance_id}" + value = module.transition-postgresql-primary_rds_instance.rds_instance_id description = "transition-postgresql instance ID" } output "transition-postgresql-primary_resource_id" { - value = "${module.transition-postgresql-primary_rds_instance.rds_instance_resource_id}" + value = module.transition-postgresql-primary_rds_instance.rds_instance_resource_id description = "transition-postgresql instance resource ID" } output "transition-postgresql-primary_endpoint" { - value = "${module.transition-postgresql-primary_rds_instance.rds_instance_endpoint}" + value = module.transition-postgresql-primary_rds_instance.rds_instance_endpoint description = "transition-postgresql instance endpoint" } output "transition-postgresql-primary_address" { - value = "${module.transition-postgresql-primary_rds_instance.rds_instance_address}" + value = module.transition-postgresql-primary_rds_instance.rds_instance_address description = "transition-postgresql instance address" } output "transition-postgresql-standby-endpoint" { - value = "${module.transition-postgresql-standby_rds_instance.rds_replica_endpoint}" + value = module.transition-postgresql-standby_rds_instance.rds_replica_endpoint description = "transition-postgresql replica instance endpoint" } output "transition-postgresql-standby-address" { - value = "${module.transition-postgresql-standby_rds_instance.rds_replica_address}" + value = module.transition-postgresql-standby_rds_instance.rds_replica_address description = "transition-postgresql replica instance address" } diff --git a/terraform/projects/app-transition-postgresql/remote_state.tf b/terraform/projects/app-transition-postgresql/remote_state.tf index fee326ea3..7e9222d71 100644 
--- a/terraform/projects/app-transition-postgresql/remote_state.tf +++ b/terraform/projects/app-transition-postgresql/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } @@ -54,9 +54,9 @@ data "terraform_remote_state" "infra_vpc" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_vpc_key_stack, var.stackname)}/infra-vpc.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -64,9 +64,9 @@ data "terraform_remote_state" "infra_networking" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_networking_key_stack, var.stackname)}/infra-networking.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } 
@@ -74,9 +74,9 @@ data "terraform_remote_state" "infra_security_groups" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_security_groups_key_stack, var.stackname)}/infra-security-groups.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -84,9 +84,9 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -94,9 +94,9 @@ data "terraform_remote_state" "infra_stack_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_stack_dns_zones_key_stack, var.stackname)}/infra-stack-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } @@ -104,8 +104,8 @@ data "terraform_remote_state" "infra_monitoring" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } diff --git a/terraform/projects/app-whitehall-backend/README.md b/terraform/projects/app-whitehall-backend/README.md index 51253c668..f9c84c3bd 100644 --- a/terraform/projects/app-whitehall-backend/README.md +++ b/terraform/projects/app-whitehall-backend/README.md 
@@ -48,7 +48,7 @@ No modules. | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `any` | n/a | yes | -| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list` | n/a | yes | +| [user\_data\_snippets](#input\_user\_data\_snippets) | List of user-data snippets | `list(any)` | n/a | yes | ## Outputs diff --git a/terraform/projects/app-whitehall-backend/main.tf b/terraform/projects/app-whitehall-backend/main.tf index 44be31842..39488f41e 100644 --- a/terraform/projects/app-whitehall-backend/main.tf +++ b/terraform/projects/app-whitehall-backend/main.tf @@ -19,6 +19,10 @@ resource "aws_s3_bucket" "whitehall_csvs" { tags = { name = "govuk-${var.aws_environment}-whitehall-csvs" aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Whitehall CSVS" } logging { diff --git a/terraform/projects/app-whitehall-backend/user_data_snippets.tf b/terraform/projects/app-whitehall-backend/user_data_snippets.tf index ce6766cb2..ef7b69bcf 100644 --- a/terraform/projects/app-whitehall-backend/user_data_snippets.tf +++ b/terraform/projects/app-whitehall-backend/user_data_snippets.tf @@ -1,5 +1,5 @@ variable "user_data_snippets" { - type = list + type = list(any) description = "List of user-data snippets" } diff --git a/terraform/projects/infra-accounts-pre-digital-identity-backups-bucket/main.tf b/terraform/projects/infra-accounts-pre-digital-identity-backups-bucket/main.tf index 2253767d5..62f79e2ba 100644 
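Review bot: The four tags added to `aws_s3_bucket.whitehall_csvs` use the interpolation-only form `Environment = "${var.aws_environment}"` that the rest of this commit is removing; `Environment = var.aws_environment` is the consistent spelling, and the same quoted form is added in the infra-accounts-pre-digital-identity-backups-bucket and infra-artefact-bucket tag hunks. `Environment` now duplicates the existing `aws_environment` key on the same bucket, so a comment should say which of the two any tooling or cost reporting keys off. In user_data_snippets.tf, `type = list(any)` differs from the `list(string)` used for the identically named variable in app-transition-db-admin; since the elements are file names, `list(string)` is the tighter choice and the README row should follow it.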
--- a/terraform/projects/infra-accounts-pre-digital-identity-backups-bucket/main.tf +++ b/terraform/projects/infra-accounts-pre-digital-identity-backups-bucket/main.tf @@ -11,18 +11,18 @@ * November 3rd 2023 they will be removed (we can then remove this bucket). */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "stackname" { - type = "string" + type = string description = "Stackname" } @@ -34,7 +34,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } @@ -44,10 +44,14 @@ resource "aws_s3_bucket" "bucket" { tags = { Name = "govuk-${var.aws_environment}-accounts-pre-digital-identity-backups" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Pre-Identity Backups" } logging { - target_bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id target_prefix = "s3/govuk-${var.aws_environment}-accounts-pre-digital-identity-backups/" } diff --git a/terraform/projects/infra-accounts-pre-digital-identity-backups-bucket/remote_state.tf b/terraform/projects/infra-accounts-pre-digital-identity-backups-bucket/remote_state.tf index 224120830..9663ef63f 100644 --- a/terraform/projects/infra-accounts-pre-digital-identity-backups-bucket/remote_state.tf +++ b/terraform/projects/infra-accounts-pre-digital-identity-backups-bucket/remote_state.tf 
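Review bot: The header comment kept in the first hunk says the data would be removed after November 3rd 2023 and that this bucket could then be deleted, yet the -44 hunk invests in new Owner/Product/System tags for it; if the removal has happened the resource should go rather than be tagged, and if not the comment's date and plan need updating so the next reader knows the bucket is still live. The new `Environment = "${var.aws_environment}"` tag uses the interpolation-only form this change removes elsewhere; `Environment = var.aws_environment` matches the converted `target_bucket` line directly below it.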
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } diff --git a/terraform/projects/infra-artefact-bucket/main.tf b/terraform/projects/infra-artefact-bucket/main.tf index 71fc623d1..16957472b 100644 --- a/terraform/projects/infra-artefact-bucket/main.tf +++ b/terraform/projects/infra-artefact-bucket/main.tf 
@@ -23,79 +23,79 @@ * */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "aws_secondary_region" { - type = "string" + type = string description = "Secondary region for cross-replication" default = "eu-west-2" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "aws_subscription_account_id" { - type = "string" + type = string description = "The AWS Account ID that will appear on the subscription" } variable "create_sns_topic" { - type = "string" + type = string default = false description = "Indicates whether to create an SNS Topic" } variable "create_sns_subscription" { - type = "string" + type = string default = false description = "Indicates whether to create an SNS subscription" } variable "aws_subscription_account_region" { - type = "string" + type = string default = "eu-west-1" description = "AWS region of the SNS topic" } variable "artefact_source" { - type = "string" + type = string description = "Identifies the source artefact environment" } variable "aws_s3_access_account" { - type = "string" + type = string description = "Here we define the account that will have access to the Artefact S3 bucket." } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } variable "whole_bucket_lifecycle_rule_integration_enabled" { - type = "string" + type = string description = "Set to true in Integration data to only apply these rules for Integration" default = "false" } variable "replication_setting" { - type = "string" + type = string description = "Whether replication is Enabled or Disabled" default = "Enabled" } 
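Review bot: `create_sns_topic`, `create_sns_subscription` and `whole_bucket_lifecycle_rule_integration_enabled` keep `type = string` with boolean defaults (`false`, `false`, `"false"`) even though they are consumed as conditions (`var.create_sns_topic ? 1 : 0`) and as `enabled =` on a lifecycle rule; now that first-class types are in use, `type = bool` with `default = false` rejects anything other than true/false at validation time instead of relying on string-to-bool conversion. `replication_setting` similarly accepts any string although only "Enabled" or "Disabled" are meaningful for the replication rule's `status`; a `validation` block (0.13+) on the variable would pin that.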
@@ -108,19 +108,19 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } provider "aws" { alias = "secondary" - region = "${var.aws_secondary_region}" + region = var.aws_secondary_region version = "2.46.0" } provider "aws" { alias = "subscription" - region = "${var.aws_subscription_account_region}" + region = var.aws_subscription_account_region version = "2.46.0" } @@ -153,7 +153,7 @@ resource "aws_s3_bucket" "artefact_replication_destination" { lifecycle_rule { id = "whole_bucket_lifecycle_rule_integration" prefix = "" - enabled = "${var.whole_bucket_lifecycle_rule_integration_enabled}" + enabled = var.whole_bucket_lifecycle_rule_integration_enabled expiration { days = "7" @@ -173,6 +173,10 @@ resource "aws_s3_bucket" "artefact" { tags = { Name = "govuk-${var.aws_environment}-artefact" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Artefacts" } versioning { @@ -180,20 +184,20 @@ resource "aws_s3_bucket" "artefact" { } logging { - target_bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id target_prefix = "s3/govuk-${var.aws_environment}-artefact/" } replication_configuration { - role = "${aws_iam_role.artefact_replication.arn}" + role = aws_iam_role.artefact_replication.arn rules { id = "govuk-artefact-replication-whole-bucket-rule" - status = "${var.replication_setting}" + status = var.replication_setting prefix = "" destination { - bucket = "${aws_s3_bucket.artefact_replication_destination.arn}" + bucket = aws_s3_bucket.artefact_replication_destination.arn } } } 
@@ -236,26 +240,26 @@ data "aws_iam_policy_document" "govuk-artefact-bucket" { } resource "aws_s3_bucket_policy" "govuk-artefact-bucket-policy" { - bucket = "${aws_s3_bucket.artefact.id}" - policy = "${data.aws_iam_policy_document.govuk-artefact-bucket.json}" + bucket = aws_s3_bucket.artefact.id + policy = data.aws_iam_policy_document.govuk-artefact-bucket.json } # Create an AWS SNS Topic resource "aws_sns_topic" "artefact_topic" { - count = "${var.create_sns_topic ? 1 : 0}" + count = var.create_sns_topic ? 1 : 0 name = "govuk-${var.aws_environment}-artefact" } # AWS SNS Topic Policy resource "aws_sns_topic_policy" "artefact_topic_policy" { - count = "${var.create_sns_topic ? 1 : 0}" - arn = "${aws_sns_topic.artefact_topic[0].arn}" - policy = "${data.aws_iam_policy_document.artefact_sns_topic_policy[0].json}" + count = var.create_sns_topic ? 1 : 0 + arn = aws_sns_topic.artefact_topic[0].arn + policy = data.aws_iam_policy_document.artefact_sns_topic_policy[0].json } # AWS SNS Topic Policy Data data "aws_iam_policy_document" "artefact_sns_topic_policy" { - count = "${var.create_sns_topic ? 1 : 0}" + count = var.create_sns_topic ? 1 : 0 policy_id = "__default_policy_ID" statement { 
@@ -288,19 +292,19 @@ data "aws_iam_policy_document" "artefact_sns_topic_policy" { # AWS S3 Bucket Event resource "aws_s3_bucket_notification" "artefact_bucket_notification" { - count = "${var.create_sns_topic ? 1 : 0}" - bucket = "${aws_s3_bucket.artefact.id}" + count = var.create_sns_topic ? 1 : 0 + bucket = aws_s3_bucket.artefact.id depends_on = ["aws_sns_topic.artefact_topic"] topic { - topic_arn = "${aws_sns_topic.artefact_topic[0].arn}" + topic_arn = aws_sns_topic.artefact_topic[0].arn events = ["s3:ObjectCreated:*"] } } # AWS SNS Subscription resource "aws_sns_topic_subscription" "artefact_topic_subscription" { - count = "${var.create_sns_subscription ? 1 : 0}" + count = var.create_sns_subscription ? 1 : 0 provider = "aws.subscription" topic_arn = "arn:aws:sns:${var.aws_subscription_account_region}:${var.aws_subscription_account_id}:govuk-${var.artefact_source}-artefact" protocol = "lambda" 
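Review bot: `depends_on = ["aws_sns_topic.artefact_topic"]` and `provider = "aws.subscription"` in this hunk are left as quoted strings while the adjacent `count`, `bucket` and `topic_arn` lines are converted; quoted references in `depends_on` and `provider` are deprecated from 0.12 and, as far as I recall, rejected by later releases, so they should become `depends_on = [aws_sns_topic.artefact_topic]` and `provider = aws.subscription`. The `depends_on` is also redundant here, because `topic_arn = aws_sns_topic.artefact_topic[0].arn` already establishes the dependency on the topic.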
@@ -315,20 +319,20 @@ data "archive_file" "artefact_lambda" { } resource "aws_lambda_function" "artefact_lambda_function" { - count = "${var.create_sns_subscription ? 1 : 0}" + count = var.create_sns_subscription ? 1 : 0 - filename = "${data.archive_file.artefact_lambda.output_path}" - source_code_hash = "${data.archive_file.artefact_lambda.output_base64sha256}" + filename = data.archive_file.artefact_lambda.output_path + source_code_hash = data.archive_file.artefact_lambda.output_base64sha256 function_name = "govuk-${var.aws_environment}-artefact" - role = "${aws_iam_role.govuk_artefact_lambda_role[0].arn}" + role = aws_iam_role.govuk_artefact_lambda_role[0].arn handler = "main.lambda_handler" runtime = "python3.8" } # AWS Lambda Role resource "aws_iam_role" "govuk_artefact_lambda_role" { - count = "${var.create_sns_subscription ? 1 : 0}" + count = var.create_sns_subscription ? 1 : 0 name = "govuk_artefact_lambda_role" assume_role_policy = < [aws\_region](#input\_aws\_region) | AWS region | `string` | n/a | yes | | [certificate\_external\_domain\_name](#input\_certificate\_external\_domain\_name) | Domain name for which the external certificate should be issued | `string` | n/a | yes | -| [certificate\_external\_subject\_alternative\_names](#input\_certificate\_external\_subject\_alternative\_names) | List of domains that should be SANs in the external issued certificate | `list` | `[]` | no | +| [certificate\_external\_subject\_alternative\_names](#input\_certificate\_external\_subject\_alternative\_names) | List of domains that should be SANs in the external issued certificate | `list(string)` | `[]` | no | | [certificate\_internal\_domain\_name](#input\_certificate\_internal\_domain\_name) | Domain name for which the internal certificate should be issued | `string` | n/a | yes | -| [certificate\_internal\_subject\_alternative\_names](#input\_certificate\_internal\_subject\_alternative\_names) | List of domains that should be SANs in the internal issued 
certificate | `list` | `[]` | no | +| [certificate\_internal\_subject\_alternative\_names](#input\_certificate\_internal\_subject\_alternative\_names) | List of domains that should be SANs in the internal issued certificate | `list(string)` | `[]` | no | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | | [remote\_state\_infra\_root\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_root\_dns\_zones\_key\_stack) | Override stackname path to infra\_root\_dns\_zones remote state | `string` | `""` | no | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | diff --git a/terraform/projects/infra-certificates/main.tf b/terraform/projects/infra-certificates/main.tf index 29b37fcfe..2d435a7c7 100644 --- a/terraform/projects/infra-certificates/main.tf +++ b/terraform/projects/infra-certificates/main.tf 
@@ -4,45 +4,45 @@ * This module creates the environment certificates */ variable "aws_region" { - type = "string" + type = string description = "AWS region" } variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "certificate_external_domain_name" { - type = "string" + type = string description = "Domain name for which the external certificate should be issued" } variable "certificate_external_subject_alternative_names" { - type = "list" + type = list(string) description = "List of domains that should be SANs in the external issued certificate" default = [] } variable "certificate_internal_domain_name" { - type = "string" + type = string description = "Domain name for which the internal certificate should be issued" } variable "certificate_internal_subject_alternative_names" { - type = "list" + type = list(string) description = "List of domains that should be SANs in the internal issued certificate" default = [] } variable "stackname" { - type = "string" + type = string description = "Stackname" } @@ -54,7 +54,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } 
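Review bot: The `provider "aws"` block in the second hunk keeps `version = "2.46.0"` inline; the `version` argument inside provider blocks has been deprecated since Terraform 0.13 in favour of a `required_providers` entry in the `terraform {}` block, which sits just above this hunk and is not visible here. Moving the constraint there, `aws = { source = "hashicorp/aws", version = "2.46.0" }`, keeps the same pin while removing the deprecation warning that every plan now emits. The same inline pin is retained in the provider hunks at L371, L378 and L385.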
@@ -62,51 +62,51 @@ data "terraform_remote_state" "infra_root_dns_zones" { backend = "s3" config { - bucket = "${var.remote_state_bucket}" + bucket = var.remote_state_bucket key = "${coalesce(var.remote_state_infra_root_dns_zones_key_stack, var.stackname)}/infra-root-dns-zones.tfstate" - region = "${var.aws_region}" + region = var.aws_region } } resource "aws_acm_certificate" "certificate_external" { - domain_name = "${var.certificate_external_domain_name}" + domain_name = var.certificate_external_domain_name subject_alternative_names = ["${var.certificate_external_subject_alternative_names}"] validation_method = "DNS" } resource "aws_route53_record" "certificate_external_validation" { - count = "${length(aws_acm_certificate.certificate_external.domain_validation_options)}" + count = length(aws_acm_certificate.certificate_external.domain_validation_options) - name = "${lookup(aws_acm_certificate.certificate_external.domain_validation_options[count.index], "resource_record_name")}" - type = "${lookup(aws_acm_certificate.certificate_external.domain_validation_options[count.index], "resource_record_type")}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.external_root_zone_id}" + name = lookup(aws_acm_certificate.certificate_external.domain_validation_options[count.index], "resource_record_name") + type = lookup(aws_acm_certificate.certificate_external.domain_validation_options[count.index], "resource_record_type") + zone_id = data.terraform_remote_state.infra_root_dns_zones.external_root_zone_id records = ["${lookup(aws_acm_certificate.certificate_external.domain_validation_options[count.index], "resource_record_value")}"] ttl = 60 } resource "aws_acm_certificate_validation" "certificate_external" { - certificate_arn = "${aws_acm_certificate.certificate_external.arn}" + certificate_arn = aws_acm_certificate.certificate_external.arn validation_record_fqdns = ["${aws_route53_record.certificate_external_validation.*.fqdn}"] } resource 
"aws_acm_certificate" "certificate_internal" { - domain_name = "${var.certificate_internal_domain_name}" + domain_name = var.certificate_internal_domain_name subject_alternative_names = ["${var.certificate_internal_subject_alternative_names}"] validation_method = "DNS" } resource "aws_route53_record" "certificate_internal_validation" { - count = "${length(aws_acm_certificate.certificate_internal.domain_validation_options)}" + count = length(aws_acm_certificate.certificate_internal.domain_validation_options) - name = "${lookup(aws_acm_certificate.certificate_internal.domain_validation_options[count.index], "resource_record_name")}" - type = "${lookup(aws_acm_certificate.certificate_internal.domain_validation_options[count.index], "resource_record_type")}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.internal_root_dns_validation_zone_id}" + name = lookup(aws_acm_certificate.certificate_internal.domain_validation_options[count.index], "resource_record_name") + type = lookup(aws_acm_certificate.certificate_internal.domain_validation_options[count.index], "resource_record_type") + zone_id = data.terraform_remote_state.infra_root_dns_zones.internal_root_dns_validation_zone_id records = ["${lookup(aws_acm_certificate.certificate_internal.domain_validation_options[count.index], "resource_record_value")}"] ttl = 60 } resource "aws_acm_certificate_validation" "certificate_internal" { - certificate_arn = "${aws_acm_certificate.certificate_internal.arn}" + certificate_arn = aws_acm_certificate.certificate_internal.arn validation_record_fqdns = ["${aws_route53_record.certificate_internal_validation.*.fqdn}"] } 
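Review bot: `subject_alternative_names = ["${var.certificate_external_subject_alternative_names}"]` wraps a value that the first hunk now types as `list(string)` inside another list, relying on the legacy single-element list flattening that Terraform 0.12 tolerates only with a warning; `validation_record_fqdns = ["${aws_route53_record.certificate_external_validation.*.fqdn}"]` and both `certificate_internal` counterparts have the same shape. Since the hunk already de-quotes the neighbouring attributes, these should become `subject_alternative_names = var.certificate_external_subject_alternative_names` and `validation_record_fqdns = aws_route53_record.certificate_external_validation[*].fqdn`. `zone_id = data.terraform_remote_state.infra_root_dns_zones.external_root_zone_id` also reads the remote state without `.outputs.`, unlike the other remote-state reads in this commit (e.g. `...infra_monitoring.outputs.aws_logging_bucket_id`), so confirm which form this project's Terraform version accepts. Separately, both `aws_acm_certificate` resources would benefit from `lifecycle { create_before_destroy = true }` so that a certificate replacement does not delete a certificate still attached to a listener.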
@@ -114,11 +114,11 @@ resource "aws_acm_certificate_validation" "certificate_internal" { # -------------------------------------------------------------- output "external_certificate_arn" { - value = "${aws_acm_certificate_validation.certificate_external.certificate_arn}" + value = aws_acm_certificate_validation.certificate_external.certificate_arn description = "ARN of the external certificate" } output "internal_certificate_arn" { - value = "${aws_acm_certificate_validation.certificate_internal.certificate_arn}" + value = aws_acm_certificate_validation.certificate_internal.certificate_arn description = "ARN of the internal certificate" } diff --git a/terraform/projects/infra-content-data-admin/main.tf b/terraform/projects/infra-content-data-admin/main.tf index c39677760..0d21b09ba 100644 --- a/terraform/projects/infra-content-data-admin/main.tf +++ b/terraform/projects/infra-content-data-admin/main.tf @@ -5,18 +5,18 @@ */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "stackname" { - type = "string" + type = string description = "Stackname" } @@ -28,7 +28,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } @@ -39,10 +39,14 @@ resource "aws_s3_bucket" "content_data_csvs" { tags = { name = "govuk-${var.aws_environment}-content-data-csvs" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Content Data CSVS" } logging { - target_bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id target_prefix = "s3/govuk-${var.aws_environment}-content-data-csvs/" } 
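Review bot: The new tag lines in the last hunk use `Environment = "${var.aws_environment}"` while the same hunk converts `target_bucket` to a bare reference; `Environment = var.aws_environment` is the consistent form. More importantly, the four tags `Environment`, `Product`, `Owner` and `System` are pasted verbatim into each tagged resource, so the owner contact now lives in dozens of places; defining them once, e.g. `locals { common_tags = { Environment = var.aws_environment, Product = "GOVUK", Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" } }`, and applying `tags = merge(local.common_tags, { name = "govuk-${var.aws_environment}-content-data-csvs", System = "Content Data CSVS" })` keeps one source of truth. The same duplication appears in the tag hunks at L378, L383, L384 and L385. The `aws_s3_bucket.content_data_csvs` block continues past the end of the hunk.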
@@ -62,18 +66,18 @@ resource "aws_iam_user" "content_data_admin_app" { resource "aws_iam_policy" "s3_writer" { name = "govuk-${var.aws_environment}-content-data-admin-app-s3-writer-policy" - policy = "${data.template_file.s3_writer_policy_template.rendered}" + policy = data.template_file.s3_writer_policy_template.rendered description = "Allows writing to the govuk-${var.aws_environment}-content-data-csvs S3 bucket" } resource "aws_iam_policy_attachment" "s3_writer" { name = "archive-writer-policy-attachment" users = ["${aws_iam_user.content_data_admin_app.name}"] - policy_arn = "${aws_iam_policy.s3_writer.arn}" + policy_arn = aws_iam_policy.s3_writer.arn } data "template_file" "s3_writer_policy_template" { - template = "${file("${path.module}/../../policies/content_data_admin_s3_writer_policy.tpl")}" + template = file("${path.module}/../../policies/content_data_admin_s3_writer_policy.tpl") vars = { aws_environment = "${var.aws_environment}" diff --git a/terraform/projects/infra-content-data-admin/remote_state.tf b/terraform/projects/infra-content-data-admin/remote_state.tf index 224120830..9663ef63f 100644 --- a/terraform/projects/infra-content-data-admin/remote_state.tf +++ b/terraform/projects/infra-content-data-admin/remote_state.tf 
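Review bot: `resource "aws_iam_policy_attachment" "s3_writer"` is the exclusive attachment resource: Terraform manages the complete set of users, groups and roles attached to `aws_iam_policy.s3_writer` through it, so any attachment of that policy made elsewhere is silently detached on the next apply. For a single user the non-exclusive `aws_iam_user_policy_attachment` with `user = aws_iam_user.content_data_admin_app.name` and `policy_arn = aws_iam_policy.s3_writer.arn` avoids that and also drops the legacy `["${...}"]` wrapping still present on `users`. `data "template_file"` comes from the archived hashicorp/template provider; `policy = templatefile("${path.module}/../../policies/content_data_admin_s3_writer_policy.tpl", { aws_environment = var.aws_environment })` replaces the data source and the `file()` call in one step. The same two patterns recur in the infra-content-publisher hunks at L380 and L381; the `template_file` data block here continues past the end of the hunk.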
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } diff --git a/terraform/projects/infra-content-publisher/env_sync.tf b/terraform/projects/infra-content-publisher/env_sync.tf index a9247411c..61f14c4d2 100644 --- a/terraform/projects/infra-content-publisher/env_sync.tf +++ b/terraform/projects/infra-content-publisher/env_sync.tf @@ -1,17 +1,17 @@ variable "aws_test_account_root_arn" { - type = "string" + type = string description = "root arn of the aws test account of govuk" default = "" } variable "aws_staging_account_root_arn" { - type = "string" + type = string description = "root arn of the aws staging account of govuk" default = "" } variable "aws_integration_account_root_arn" { - type = "string" + type = string description = "root arn of the aws integration account of govuk" default = "" } 
@@ -19,9 +19,9 @@ variable "aws_integration_account_root_arn" { # Resources # -------------------------------------------------------------- resource "aws_s3_bucket_policy" "test_cross_account_access_to_integration" { - count = "${var.aws_environment == "integration" ? 1 : 0}" - bucket = "${aws_s3_bucket.activestorage.id}" - policy = "${data.aws_iam_policy_document.test_cross_account_access_to_integration.json}" + count = var.aws_environment == "integration" ? 1 : 0 + bucket = aws_s3_bucket.activestorage.id + policy = data.aws_iam_policy_document.test_cross_account_access_to_integration.json } data "aws_iam_policy_document" "test_cross_account_access_to_integration" { @@ -49,9 +49,9 @@ data "aws_iam_policy_document" "test_cross_account_access_to_integration" { } resource "aws_s3_bucket_policy" "integration_cross_account_access_to_staging" { - count = "${var.aws_environment == "staging" ? 1 : 0}" - bucket = "${aws_s3_bucket.activestorage.id}" - policy = "${data.aws_iam_policy_document.integration_cross_account_access_to_staging.json}" + count = var.aws_environment == "staging" ? 1 : 0 + bucket = aws_s3_bucket.activestorage.id + policy = data.aws_iam_policy_document.integration_cross_account_access_to_staging.json } data "aws_iam_policy_document" "integration_cross_account_access_to_staging" { @@ -79,9 +79,9 @@ data "aws_iam_policy_document" "integration_cross_account_access_to_staging" { } resource "aws_s3_bucket_policy" "staging_cross_account_access_to_production" { - count = "${var.aws_environment == "production" ? 1 : 0}" - bucket = "${aws_s3_bucket.activestorage.id}" - policy = "${data.aws_iam_policy_document.staging_cross_account_access_to_production.json}" + count = var.aws_environment == "production" ? 1 : 0 + bucket = aws_s3_bucket.activestorage.id + policy = data.aws_iam_policy_document.staging_cross_account_access_to_production.json } data "aws_iam_policy_document" "staging_cross_account_access_to_production" { 
@@ -110,7 +110,7 @@ data "aws_iam_policy_document" "staging_cross_account_access_to_production" { resource "aws_iam_policy" "integration_content_publisher_active_storage_reader_writer" { name = "integration_content_publisher_active_storage-reader_writer-policy" - policy = "${data.aws_iam_policy_document.integration_content_publisher_active_storage_reader_writer.json}" + policy = data.aws_iam_policy_document.integration_content_publisher_active_storage_reader_writer.json description = "Allows reading and writing the integration content publisher active storage bucket" } @@ -135,7 +135,7 @@ data "aws_iam_policy_document" "integration_content_publisher_active_storage_rea resource "aws_iam_policy" "staging_content_publisher_active_storage_reader" { name = "staging_content_publisher_active_storage-reader-policy" - policy = "${data.aws_iam_policy_document.staging_content_publisher_active_storage_reader.json}" + policy = data.aws_iam_policy_document.staging_content_publisher_active_storage_reader.json description = "Allows reading the staging content publisher active storage bucket" } @@ -158,7 +158,7 @@ data "aws_iam_policy_document" "staging_content_publisher_active_storage_reader" resource "aws_iam_policy" "staging_content_publisher_active_storage_reader_writer" { name = "staging_content_publisher_active_storage-reader_writer-policy" - policy = "${data.aws_iam_policy_document.staging_content_publisher_active_storage_reader_writer.json}" + policy = data.aws_iam_policy_document.staging_content_publisher_active_storage_reader_writer.json description = "Allows reading and writing the staging content publisher active storage bucket" } 
@@ -183,7 +183,7 @@ data "aws_iam_policy_document" "staging_content_publisher_active_storage_reader_ resource "aws_iam_policy" "production_content_publisher_active_storage_reader" { name = "production_content_publisher_active_storage-reader-policy" - policy = "${data.aws_iam_policy_document.production_content_publisher_active_storage_reader.json}" + policy = data.aws_iam_policy_document.production_content_publisher_active_storage_reader.json description = "Allows reading the production content publisher active storage bucket" } 
@@ -208,21 +208,21 @@ data "aws_iam_policy_document" "production_content_publisher_active_storage_read # -------------------------------------------------------------- output "integration_content_publisher_active_storage_bucket_reader_writer_policy_arn" { - value = "${aws_iam_policy.integration_content_publisher_active_storage_reader_writer.arn}" + value = aws_iam_policy.integration_content_publisher_active_storage_reader_writer.arn description = "ARN of the staging content publisher storage bucket reader writer policy" } output "staging_content_publisher_active_storage_bucket_reader_policy_arn" { - value = "${aws_iam_policy.staging_content_publisher_active_storage_reader.arn}" + value = aws_iam_policy.staging_content_publisher_active_storage_reader.arn description = "ARN of the staging content publisher storage bucket reader policy" } output "staging_content_publisher_active_storage_bucket_reader_writer_policy_arn" { - value = "${aws_iam_policy.staging_content_publisher_active_storage_reader_writer.arn}" + value = aws_iam_policy.staging_content_publisher_active_storage_reader_writer.arn description = "ARN of the staging content publisher storage bucket reader writer policy" } output "production_content_publisher_active_storage_bucket_reader_policy_arn" { - value = "${aws_iam_policy.production_content_publisher_active_storage_reader.arn}" + value = aws_iam_policy.production_content_publisher_active_storage_reader.arn description = "ARN of the production content publisher storage bucket reader policy" } diff --git a/terraform/projects/infra-content-publisher/main.tf b/terraform/projects/infra-content-publisher/main.tf index 022451e27..990cdcee8 100644 --- a/terraform/projects/infra-content-publisher/main.tf +++ b/terraform/projects/infra-content-publisher/main.tf 
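Review bot: The `integration_content_publisher_active_storage_bucket_reader_writer_policy_arn` output still carries `description = "ARN of the staging content publisher storage bucket reader writer policy"`, which contradicts both the output name and the `aws_iam_policy.integration_content_publisher_active_storage_reader_writer.arn` value it exposes. Change it to `description = "ARN of the integration content publisher storage bucket reader writer policy"` while the line is being touched.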
@@ -5,35 +5,35 @@ */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "aws_replica_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-2" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "whole_bucket_lifecycle_rule_integration_enabled" { - type = "string" + type = string description = "Set to true in Integration data to only apply these rules for Integration" default = "false" } variable "replication_setting" { - type = "string" + type = string description = "Whether replication is Enabled or Disabled" default = "Enabled" } @@ -46,12 +46,12 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } provider "aws" { - region = "${var.aws_replica_region}" + region = var.aws_replica_region alias = "aws_replica" version = "2.46.0" } @@ -62,10 +62,14 @@ resource "aws_s3_bucket" "activestorage" { tags = { Name = "govuk-${var.aws_environment}-content-publisher-activestorage" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Content Publisher Active Storage" } logging { - target_bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id target_prefix = "s3/govuk-${var.aws_environment}-content-publisher-activestorage/" } 
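Review bot: `whole_bucket_lifecycle_rule_integration_enabled` is now typed `string` with `default = "false"`, although it only feeds the boolean `enabled` argument of a lifecycle rule (hunk at L379). With type constraints available, `type = bool` and `default = false` express the contract directly and still accept existing `"true"`/`"false"` string inputs through Terraform's automatic conversion. Likewise `replication_setting` accepts any string although `status` only takes `Enabled` or `Disabled`; if this project is on Terraform 0.13 or later, a `validation { condition = contains(["Enabled", "Disabled"], var.replication_setting) }` block catches typos at plan time.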
@@ -74,15 +78,15 @@ resource "aws_s3_bucket" "activestorage" { } replication_configuration { - role = "${aws_iam_role.govuk_content_publisher_activestorage_replication_role.arn}" + role = aws_iam_role.govuk_content_publisher_activestorage_replication_role.arn rules { id = "govuk-content-publisher-activestorage-replication-whole-bucket-rule" prefix = "" - status = "${var.replication_setting}" + status = var.replication_setting destination { - bucket = "${aws_s3_bucket.activestorage_replica.arn}" + bucket = aws_s3_bucket.activestorage_replica.arn storage_class = "STANDARD" } } @@ -91,7 +95,7 @@ resource "aws_s3_bucket" "activestorage" { resource "aws_s3_bucket" "activestorage_replica" { bucket = "govuk-${var.aws_environment}-content-publisher-activestorage-replica" - region = "${var.aws_replica_region}" + region = var.aws_replica_region provider = "aws.aws_replica" tags = { @@ -106,7 +110,7 @@ resource "aws_s3_bucket" "activestorage_replica" { lifecycle_rule { id = "whole_bucket_lifecycle_rule_integration" prefix = "" - enabled = "${var.whole_bucket_lifecycle_rule_integration_enabled}" + enabled = var.whole_bucket_lifecycle_rule_integration_enabled expiration { days = "7" 
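Review bot: `region = var.aws_replica_region` on `aws_s3_bucket.activestorage_replica` duplicates what `provider = "aws.aws_replica"` already determines, and in AWS provider 3.x and later the `region` argument of `aws_s3_bucket` is read-only, so the line would have to go at the next provider upgrade anyway; `provider = aws.aws_replica` should also be de-quoted alongside the other references this hunk converts. Cross-region replication requires versioning on both buckets; the `versioning` blocks are outside this hunk, so confirm the replica has one. Both bucket resources extend beyond the hunk boundaries.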
@@ -119,16 +123,16 @@ resource "aws_s3_bucket" "activestorage_replica" { } data "template_file" "s3_govuk_content_publisher_activestorage_replication_role_template" { - template = "${file("${path.module}/../../policies/s3_govuk_content_publisher_activestorage_replication_role.tpl")}" + template = file("${path.module}/../../policies/s3_govuk_content_publisher_activestorage_replication_role.tpl") } resource "aws_iam_role" "govuk_content_publisher_activestorage_replication_role" { name = "${var.stackname}-content-publisher-activestorage-replication-role" - assume_role_policy = "${data.template_file.s3_govuk_content_publisher_activestorage_replication_role_template.rendered}" + assume_role_policy = data.template_file.s3_govuk_content_publisher_activestorage_replication_role_template.rendered } data "template_file" "s3_govuk_content_publisher_activestorage_policy_template" { - template = "${file("${path.module}/../../policies/s3_govuk_content_publisher_activestorage_replication_policy.tpl")}" + template = file("${path.module}/../../policies/s3_govuk_content_publisher_activestorage_replication_policy.tpl") vars = { govuk_content_publisher_activestorage_arn = "${aws_s3_bucket.activestorage.arn}" 
@@ -138,14 +142,14 @@ data "template_file" "s3_govuk_content_publisher_activestorage_policy_template" resource "aws_iam_policy" "govuk_content_publisher_activestorage_replication_policy" { name = "govuk-${var.aws_environment}-content-publisher-activestorage-replication-policy" - policy = "${data.template_file.s3_govuk_content_publisher_activestorage_policy_template.rendered}" + policy = data.template_file.s3_govuk_content_publisher_activestorage_policy_template.rendered description = "Allows replication of the content publisher activestorage bucket" } resource "aws_iam_policy_attachment" "govuk_content_publisher_activestorage_replication_policy_attachment" { name = "s3-govuk-content-publisher-activestorage-replication-policy-attachment" roles = ["${aws_iam_role.govuk_content_publisher_activestorage_replication_role.name}"] - policy_arn = "${aws_iam_policy.govuk_content_publisher_activestorage_replication_policy.arn}" + policy_arn = aws_iam_policy.govuk_content_publisher_activestorage_replication_policy.arn } resource "aws_iam_user" "app_user" { @@ -154,17 +158,17 @@ resource "aws_iam_user" "app_user" { resource "aws_iam_policy" "s3_writer" { name = "govuk-${var.aws_environment}-content-publisher-app-s3-writer-policy" - policy = "${data.template_file.s3_writer_policy.rendered}" + policy = data.template_file.s3_writer_policy.rendered } resource "aws_iam_policy_attachment" "s3_writer" { name = "govuk-${var.aws_environment}-content-publisher-s3-writer-policy-attachment" users = ["${aws_iam_user.app_user.name}"] - policy_arn = "${aws_iam_policy.s3_writer.arn}" + policy_arn = aws_iam_policy.s3_writer.arn } data "template_file" "s3_writer_policy" { - template = "${file("s3_writer_policy.tpl")}" + template = file("s3_writer_policy.tpl") vars = { bucket = "${aws_s3_bucket.activestorage.id}" 
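Review bot: `template = file("s3_writer_policy.tpl")` resolves relative to the directory Terraform is invoked from rather than the module directory, whereas the other templates in this file use `file("${path.module}/...")`; `file("${path.module}/s3_writer_policy.tpl")` makes it independent of where `terraform apply` runs. Both `aws_iam_policy_attachment` resources in this hunk are the exclusive attachment type, which detaches any attachment of the same policy made outside this project; `aws_iam_role_policy_attachment` and `aws_iam_user_policy_attachment` are the non-exclusive equivalents, and switching also removes the legacy `["${...}"]` wrapping on `roles` and `users`. The `s3_writer_policy` data block continues past the end of the hunk.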
@@ -172,5 +176,5 @@ data "template_file" "s3_writer_policy" { } output "activestorage_s3_bucket_arn" { - value = "${aws_s3_bucket.activestorage.arn}" + value = aws_s3_bucket.activestorage.arn } diff --git a/terraform/projects/infra-content-publisher/remote_state.tf b/terraform/projects/infra-content-publisher/remote_state.tf index 224120830..9663ef63f 100644 --- a/terraform/projects/infra-content-publisher/remote_state.tf +++ b/terraform/projects/infra-content-publisher/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } diff --git a/terraform/projects/infra-csp-reporter/:w b/terraform/projects/infra-csp-reporter/:w new file mode 100644 index 000000000..ed5f2abec --- /dev/null +++ b/terraform/projects/infra-csp-reporter/:w 
@@ -0,0 +1,27 @@ +# Bucket to store data from Kinesis Firehose, stores both successes and errors +resource "aws_s3_bucket" "csp_reports" { + bucket = "govuk-${var.aws_environment}-csp-reports" + + tags = { + Name = "govuk-${var.aws_environment}-csp-reports" + aws_environment = var.aws_environment + project = local.project_name + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CSP Reporter" + } +} + +resource "aws_s3_bucket_lifecycle_configuration" "csp_reports_lifecycle" { + bucket = aws_s3_bucket.csp_reports.id + + rule { + id = "govuk-${var.aws_environment}-csp-reports-lifecycle" + status = "Enabled" + + expiration { + days = 30 + } + } +} diff --git a/terraform/projects/infra-csp-reporter/api_gateway.tf b/terraform/projects/infra-csp-reporter/api_gateway.tf index 09043cc52..ac5b2d8ef 100644 --- a/terraform/projects/infra-csp-reporter/api_gateway.tf +++ b/terraform/projects/infra-csp-reporter/api_gateway.tf @@ -6,6 +6,10 @@ resource "aws_apigatewayv2_api" "csp_reporter" { tags = { aws_environment = var.aws_environment project = local.project_name + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CSP Reporter" } } @@ -21,6 +25,10 @@ resource "aws_apigatewayv2_domain_name" "csp_reporter" { tags = { aws_environment = var.aws_environment project = local.project_name + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CSP Reporter" } } @@ -66,6 +74,10 @@ resource "aws_cloudwatch_log_group" "csp_reporter_log_group" { tags = { aws_environment = var.aws_environment project = local.project_name + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CSP Reporter" } } 
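Review bot: `terraform/projects/infra-csp-reporter/:w` looks like an editor artefact (a vim `:w` saved as a filename); its new blob id `ed5f2abec` is identical to the one `buckets.tf` receives in the next file section, so it re-declares `aws_s3_bucket.csp_reports` and `aws_s3_bucket_lifecycle_configuration.csp_reports_lifecycle` and Terraform will refuse to load the project with duplicate resource errors. Drop the file from the commit; `buckets.tf` already carries the intended tag change. Within the surviving tag blocks, `aws_environment = var.aws_environment` sits next to `Environment = "${var.aws_environment}"`, so `Environment = var.aws_environment` would match the file's existing style.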
diff --git a/terraform/projects/infra-csp-reporter/buckets.tf b/terraform/projects/infra-csp-reporter/buckets.tf index 44aac2869..ed5f2abec 100644 --- a/terraform/projects/infra-csp-reporter/buckets.tf +++ b/terraform/projects/infra-csp-reporter/buckets.tf @@ -6,6 +6,10 @@ resource "aws_s3_bucket" "csp_reports" { Name = "govuk-${var.aws_environment}-csp-reports" aws_environment = var.aws_environment project = local.project_name + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CSP Reporter" } } diff --git a/terraform/projects/infra-csp-reporter/firehose.tf b/terraform/projects/infra-csp-reporter/firehose.tf index 688d60d8d..72c510923 100644 --- a/terraform/projects/infra-csp-reporter/firehose.tf +++ b/terraform/projects/infra-csp-reporter/firehose.tf @@ -36,6 +36,10 @@ resource "aws_kinesis_firehose_delivery_stream" "delivery_stream" { tags = { aws_environment = var.aws_environment project = local.project_name + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CSP Reporter" } depends_on = [aws_iam_role_policy.firehose_glue_policy] diff --git a/terraform/projects/infra-csp-reporter/glue.tf b/terraform/projects/infra-csp-reporter/glue.tf index b4aa9ab30..1664018ff 100644 --- a/terraform/projects/infra-csp-reporter/glue.tf +++ b/terraform/projects/infra-csp-reporter/glue.tf @@ -61,6 +61,10 @@ resource "aws_glue_crawler" "csp_reports" { tags = { aws_environment = var.aws_environment project = local.project_name + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CSP Reporter" } s3_target { diff --git a/terraform/projects/infra-csp-reporter/lambda.tf b/terraform/projects/infra-csp-reporter/lambda.tf index f7de95c9f..548dec7ad 100644 --- a/terraform/projects/infra-csp-reporter/lambda.tf 
+++ b/terraform/projects/infra-csp-reporter/lambda.tf @@ -23,6 +23,10 @@ resource "aws_lambda_function" "lambda" { tags = { aws_environment = var.aws_environment project = local.project_name + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CSP Reporter" } } diff --git a/terraform/projects/infra-csw/main.tf b/terraform/projects/infra-csw/main.tf index b52b82b9e..d6a8652c9 100644 --- a/terraform/projects/infra-csw/main.tf +++ b/terraform/projects/infra-csw/main.tf @@ -9,7 +9,7 @@ variable "csw_prefix" { } variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } @@ -24,13 +24,13 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } module "csw_inspector_role" { source = "git::https://github.com/alphagov/csw-client-role.git" - region = "${var.aws_region}" - csw_prefix = "${var.csw_prefix}" - csw_agent_account_id = "${var.csw_agent_account_id}" + region = var.aws_region + csw_prefix = var.csw_prefix + csw_agent_account_id = var.csw_agent_account_id } diff --git a/terraform/projects/infra-cyber-security-audit/main.tf b/terraform/projects/infra-cyber-security-audit/main.tf index 664674d37..34c9d2af2 100644 --- a/terraform/projects/infra-cyber-security-audit/main.tf +++ b/terraform/projects/infra-cyber-security-audit/main.tf @@ -5,12 +5,12 @@ */ variable "chain_account_id" { - type = "string" + type = string default = "988997429095" } variable "aws_region" { - type = "string" + type = string default = "eu-west-1" } @@ -22,7 +22,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } diff --git a/terraform/projects/infra-database-backups-bucket/main.tf b/terraform/projects/infra-database-backups-bucket/main.tf index 47cd30475..3f6b93cb3 100644 --- a/terraform/projects/infra-database-backups-bucket/main.tf 
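Review bot: `module "csw_inspector_role"` pulls `git::https://github.com/alphagov/csw-client-role.git` without a `?ref=` selector, so every `terraform init` fetches whatever the default branch currently holds, and a role definition that grants an external audit account access to this account can change without any commit here. Pin it to a reviewed tag or commit, `source = "git::https://github.com/alphagov/csw-client-role.git?ref=<TAG_OR_COMMIT>"`, and bump the ref deliberately. The hunk otherwise only de-quotes the module arguments, which is fine.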
+++ b/terraform/projects/infra-database-backups-bucket/main.tf @@ -13,6 +13,10 @@ locals { tags = { terraform_deployment = basename(abspath(path.root)) aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Database Backups" } timelock_enabled = var.aws_environment == "production" timelock_days = 120 @@ -32,14 +36,26 @@ provider "aws" { resource "aws_s3_bucket" "main" { bucket = "govuk-${var.aws_environment}-database-backups" object_lock_enabled = local.timelock_enabled - tags = { Name = "govuk-${var.aws_environment}-database-backups" } + tags = { + Name = "govuk-${var.aws_environment}-database-backups" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Database Backups" + } } resource "aws_s3_bucket" "replica" { bucket = "govuk-${var.aws_environment}-database-backups-replica" provider = aws.eu-west-2 object_lock_enabled = local.timelock_enabled - tags = { Name = "govuk-${var.aws_environment}-database-backups-replica" } + tags = { + Name = "govuk-${var.aws_environment}-database-backups-replica" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Database Backups" + } } resource "aws_s3_bucket_object_lock_configuration" "main" { diff --git a/terraform/projects/infra-datagovuk-organogram-bucket/README.md b/terraform/projects/infra-datagovuk-organogram-bucket/README.md index 9255f1b33..10948de24 100644 --- a/terraform/projects/infra-datagovuk-organogram-bucket/README.md +++ b/terraform/projects/infra-datagovuk-organogram-bucket/README.md 
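Review bot: `local.tags` in the first hunk already carries `Environment`, `Product`, `Owner` and `System`, yet the `aws_s3_bucket.main` and `aws_s3_bucket.replica` hunks paste the same four tags inline again, so the two copies can drift. `tags = merge(local.tags, { Name = "govuk-${var.aws_environment}-database-backups" })` (and the `-replica` equivalent) reuses the local and additionally keeps `terraform_deployment` and `aws_environment` on the buckets, which the inline copy omits. Inside `locals`, the added `Environment = "${var.aws_environment}"` sits beside `aws_environment = var.aws_environment`, so the bare form would match. Where else `local.tags` is consumed is outside the hunk.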
@@ -1,23 +1,17 @@ -## Project: datagovuk-organogram-bucket - -This creates an s3 bucket - -datagovuk-organogram-bucket: A bucket to hold data.gov.uk organogram files - ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | ~> 0.12.31 | -| [aws](#requirement\_aws) | 2.46.0 | -| [fastly](#requirement\_fastly) | ~> 0.26.0 | +| [terraform](#requirement\_terraform) | ~> 1.6 | +| [aws](#requirement\_aws) | ~> 5.0 | +| [fastly](#requirement\_fastly) | ~> 5.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 2.46.0 | -| [fastly](#provider\_fastly) | ~> 0.26.0 | +| [aws](#provider\_aws) | ~> 5.0 | +| [fastly](#provider\_fastly) | ~> 5.0 | | [terraform](#provider\_terraform) | n/a | ## Modules 
@@ -28,14 +22,17 @@ No modules. | Name | Type | |------|------| -| [aws_iam_policy.s3_datagovuk_organogram_writer_policy](https://registry.terraform.io/providers/hashicorp/aws/2.46.0/docs/resources/iam_policy) | resource | -| [aws_iam_policy_attachment.s3_datagovuk_organogram_writer_user_policy](https://registry.terraform.io/providers/hashicorp/aws/2.46.0/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_user.s3_datagovuk_organogram_writer_user](https://registry.terraform.io/providers/hashicorp/aws/2.46.0/docs/resources/iam_user) | resource | -| [aws_s3_bucket.datagovuk-organogram](https://registry.terraform.io/providers/hashicorp/aws/2.46.0/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_policy.govuk_datagovuk_organogram_read_policy](https://registry.terraform.io/providers/hashicorp/aws/2.46.0/docs/resources/s3_bucket_policy) | resource | -| [aws_iam_policy_document.s3_datagovuk_organogram_writer_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/2.46.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.s3_fastly_read_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/2.46.0/docs/data-sources/iam_policy_document) | data source | -| [fastly_ip_ranges.fastly](https://registry.terraform.io/providers/hashicorp/fastly/latest/docs/data-sources/ip_ranges) | data source | +| [aws_iam_policy.s3_datagovuk_organogram_writer_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_attachment.s3_datagovuk_organogram_writer_user_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_user.s3_datagovuk_organogram_writer_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | +| [aws_s3_bucket.datagovuk-organogram](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | 
resource | +| [aws_s3_bucket_cors_configuration.datagovuk_organogram](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource | +| [aws_s3_bucket_logging.datagovuk_organogram](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_policy.govuk_datagovuk_organogram_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_versioning.datagovuk_organogram](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_iam_policy_document.s3_datagovuk_organogram_writer_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.s3_fastly_read_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [fastly_ip_ranges.fastly](https://registry.terraform.io/providers/fastly/fastly/latest/docs/data-sources/ip_ranges) | data source | | [terraform_remote_state.infra_monitoring](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs @@ -46,8 +43,6 @@ No modules. | [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no | | [domain](#input\_domain) | The domain of the data.gov.uk service to manage | `string` | n/a | yes | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | -| [remote\_state\_infra\_monitoring\_key\_stack](#input\_remote\_state\_infra\_monitoring\_key\_stack) | Override stackname path to infra\_monitoring remote state | `string` | `""` | no | -| [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | ## Outputs 
diff --git a/terraform/projects/infra-datagovuk-organogram-bucket/datagovuk-write-policy.tf b/terraform/projects/infra-datagovuk-organogram-bucket/datagovuk-write-policy.tf
index 159493343..be3e59e6a 100644
--- a/terraform/projects/infra-datagovuk-organogram-bucket/datagovuk-write-policy.tf
+++ b/terraform/projects/infra-datagovuk-organogram-bucket/datagovuk-write-policy.tf
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "s3_datagovuk_organogram_writer_policy_doc" {
 
 resource "aws_iam_policy" "s3_datagovuk_organogram_writer_policy" {
   name = "s3_datagovuk_writer_policy_for_${aws_s3_bucket.datagovuk-organogram.id}"
-  policy = "${data.aws_iam_policy_document.s3_datagovuk_organogram_writer_policy_doc.json}"
+  policy = data.aws_iam_policy_document.s3_datagovuk_organogram_writer_policy_doc.json
 }
 
 resource "aws_iam_user" "s3_datagovuk_organogram_writer_user" {
@@ -34,6 +34,6 @@ resource "aws_iam_user" "s3_datagovuk_organogram_writer_user" {
 
 resource "aws_iam_policy_attachment" "s3_datagovuk_organogram_writer_user_policy" {
   name = "s3_datagovuk_organogram_writers_user_policy_attachment"
-  users = ["${aws_iam_user.s3_datagovuk_organogram_writer_user.name}"]
-  policy_arn = "${aws_iam_policy.s3_datagovuk_organogram_writer_policy.arn}"
+  users = [aws_iam_user.s3_datagovuk_organogram_writer_user.name]
+  policy_arn = aws_iam_policy.s3_datagovuk_organogram_writer_policy.arn
 }
diff --git a/terraform/projects/infra-datagovuk-organogram-bucket/main.tf b/terraform/projects/infra-datagovuk-organogram-bucket/main.tf
index 4a712fdea..c6279a197 100644
--- a/terraform/projects/infra-datagovuk-organogram-bucket/main.tf
+++ b/terraform/projects/infra-datagovuk-organogram-bucket/main.tf
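Review bot: `aws_iam_policy_attachment` in the second hunk is the exclusive attachment resource: on every apply it detaches `s3_datagovuk_organogram_writer_policy` from any user, group or role not listed in `users`, so an attachment of the same policy made elsewhere is silently undone. Since the block is being rewritten anyway, `resource "aws_iam_user_policy_attachment"` with `user = aws_iam_user.s3_datagovuk_organogram_writer_user.name` and the same `policy_arn` is the non-exclusive form; the plan will show the old attachment replaced, so apply it with the brief detach in mind. The same exclusive resource type is kept, with only the interpolation changed, in the infra-datagovuk-static-bucket, infra-env-sync-and-backup, infra-fastly-logs and infra-monitoring hunks.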
@@ -1,92 +1,71 @@
-/**
-* ## Project: datagovuk-organogram-bucket
-*
-* This creates an s3 bucket
-*
-* datagovuk-organogram-bucket: A bucket to hold data.gov.uk organogram files
-*
-*/
+// datagovuk-organogram-bucket defines an S3 bucket to hold data.gov.uk organogram files.
 
-variable "aws_region" {
-  type = "string"
-  description = "AWS region"
-  default = "eu-west-1"
-}
-
-variable "aws_environment" {
-  type = "string"
-  description = "AWS Environment"
-}
-
-variable "domain" {
-  type = "string"
-  description = "The domain of the data.gov.uk service to manage"
-}
-
-variable "stackname" {
-  type = "string"
-  description = "Stackname"
-}
-
-variable "remote_state_bucket" {
-  type = "string"
-  description = "S3 bucket we store our terraform state in"
-}
-
-variable "remote_state_infra_monitoring_key_stack" {
-  type = "string"
-  description = "Override stackname path to infra_monitoring remote state "
-  default = ""
-}
-
-# Set up the backend & provider for each region
 terraform {
   backend "s3" {}
-  required_version = "~> 0.12.31"
+  required_version = "~> 1.6"
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    fastly = {
+      source = "fastly/fastly"
+      version = "~> 5.0"
+    }
+  }
 }
 
 provider "aws" {
-  region = "${var.aws_region}"
-  version = "2.46.0"
+  region = var.aws_region
+  default_tags {
+    tags = {
+      terraform_deployment = basename(abspath(path.root))
+      aws_environment = var.aws_environment
+    }
+  }
 }
 
+provider "fastly" { api_key = "test" }
+
 data "terraform_remote_state" "infra_monitoring" {
   backend = "s3"
   config = {
-    bucket = "${var.remote_state_bucket}"
-    key = "${coalesce(var.remote_state_infra_monitoring_key_stack, var.stackname)}/infra-monitoring.tfstate"
-    region = "${var.aws_region}"
+    bucket = var.remote_state_bucket
+    key = "govuk/infra-monitoring.tfstate"
+    region = var.aws_region
   }
 }
 
 resource "aws_s3_bucket" "datagovuk-organogram" {
   bucket = "datagovuk-${var.aws_environment}-ckan-organogram"
+  tags = { Name = "datagovuk-${var.aws_environment}-ckan-organogram" }
+}
 
-  dynamic "cors_rule" {
-    for_each = [for s in ["${var.domain}", "https://staging.data.gov.uk", "https://find.eks.${var.aws_environment}.govuk.digital"] : {
-      allowed_origin = s
-    }]
-    allowed_methods = ["GET"]
-    allowed_origins = [cors_rule.value.allowed_origin]
-  }
-
-  tags = {
-    Name = "datagovuk-${var.aws_environment}-ckan-organogram"
-    aws_environment = "${var.aws_environment}"
-  }
+resource "aws_s3_bucket_versioning" "datagovuk_organogram" {
+  bucket = aws_s3_bucket.datagovuk-organogram.id
+  versioning_configuration { status = "Enabled" }
+}
 
-  logging {
-    target_bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}"
-    target_prefix = "s3/datagovuk-${var.aws_environment}-ckan-organogram/"
-  }
+resource "aws_s3_bucket_logging" "datagovuk_organogram" {
+  bucket = aws_s3_bucket.datagovuk-organogram.id
+  target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id
+  target_prefix = "s3/datagovuk-${var.aws_environment}-ckan-organogram/"
+}
 
-  versioning {
-    enabled = true
+resource "aws_s3_bucket_cors_configuration" "datagovuk_organogram" {
+  bucket = aws_s3_bucket.datagovuk-organogram.id
+  cors_rule {
+    allowed_methods = ["GET"]
+    allowed_origins = [
+      var.domain,
+      "https://staging.data.gov.uk",
+      "https://find.eks.${var.aws_environment}.govuk.digital"
+    ]
   }
 }
 
 resource "aws_s3_bucket_policy" "govuk_datagovuk_organogram_read_policy" {
-  bucket = "${aws_s3_bucket.datagovuk-organogram.id}"
-  policy = "${data.aws_iam_policy_document.s3_fastly_read_policy_doc.json}"
+  bucket = aws_s3_bucket.datagovuk-organogram.id
+  policy = data.aws_iam_policy_document.s3_fastly_read_policy_doc.json
 }
diff --git a/terraform/projects/infra-datagovuk-static-bucket/README.md b/terraform/projects/infra-datagovuk-static-bucket/README.md
index fd5517fc0..a5aa14bc2 100644
--- a/terraform/projects/infra-datagovuk-static-bucket/README.md
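Review bot: `provider "fastly" { api_key = "test" }` places a literal credential-shaped value in provider configuration with nothing saying it is a dummy; the only Fastly use visible in this project is the `fastly_ip_ranges` data source listed in the README, so a reader or a secret-hygiene scan cannot tell whether a real key was intended. Comment the intent so nobody "fixes" it by committing a real token, e.g. `# Dummy key: only the public fastly_ip_ranges data source is used; supply FASTLY_API_KEY via the environment if an authenticated call is ever added`, and prefer leaving `api_key` unset if the provider initialises without it. The rewritten bucket also does not receive the `Environment`/`Product`/`Owner`/`System` tags the rest of this commit adds — only `terraform_deployment` and `aws_environment` through `default_tags` — which reads as an omission given the commit's purpose. The hunk deletes the `aws_region`, `aws_environment`, `domain` and `remote_state_bucket` declarations while the README hunk above still lists them as inputs, so they presumably moved to a file not shown here; worth confirming.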
+++ b/terraform/projects/infra-datagovuk-static-bucket/README.md @@ -46,7 +46,7 @@ No modules. | [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | | [remote\_state\_infra\_monitoring\_key\_stack](#input\_remote\_state\_infra\_monitoring\_key\_stack) | Override stackname path to infra\_monitoring remote state | `string` | `""` | no | -| [s3\_bucket\_read\_ips](#input\_s3\_bucket\_read\_ips) | Additional IPs to allow read access from | `list` | n/a | yes | +| [s3\_bucket\_read\_ips](#input\_s3\_bucket\_read\_ips) | Additional IPs to allow read access from | `list(string)` | n/a | yes | | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes | ## Outputs diff --git a/terraform/projects/infra-datagovuk-static-bucket/datagovuk-write-policy.tf b/terraform/projects/infra-datagovuk-static-bucket/datagovuk-write-policy.tf index 49817d7b5..f9114560f 100644 --- a/terraform/projects/infra-datagovuk-static-bucket/datagovuk-write-policy.tf +++ b/terraform/projects/infra-datagovuk-static-bucket/datagovuk-write-policy.tf @@ -25,7 +25,7 @@ data "aws_iam_policy_document" "s3_datagovuk_writer_policy_doc" { resource "aws_iam_policy" "s3_datagovuk_writer_policy" { name = "s3_datagovuk_writer_policy_for_${aws_s3_bucket.datagovuk-static.id}" - policy = "${data.aws_iam_policy_document.s3_datagovuk_writer_policy_doc.json}" + policy = data.aws_iam_policy_document.s3_datagovuk_writer_policy_doc.json } resource "aws_iam_user" "s3_datagovuk_writer_user" { 
@@ -35,5 +35,5 @@ resource "aws_iam_user" "s3_datagovuk_writer_user" { resource "aws_iam_policy_attachment" "s3_datagovuk_writer_user_policy" { name = "s3_datagovuk_writers_user_policy_attachment" users = ["${aws_iam_user.s3_datagovuk_writer_user.name}"] - policy_arn = "${aws_iam_policy.s3_datagovuk_writer_policy.arn}" + policy_arn = aws_iam_policy.s3_datagovuk_writer_policy.arn } diff --git a/terraform/projects/infra-datagovuk-static-bucket/main.tf b/terraform/projects/infra-datagovuk-static-bucket/main.tf index 289f66c91..1ef54babb 100644 --- a/terraform/projects/infra-datagovuk-static-bucket/main.tf +++ b/terraform/projects/infra-datagovuk-static-bucket/main.tf @@ -8,34 +8,34 @@ */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } variable "s3_bucket_read_ips" { - type = "list" + type = list(string) description = "Additional IPs to allow read access from" } @@ -46,7 +46,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } 
@@ -66,10 +66,14 @@ resource "aws_s3_bucket" "datagovuk-static" { tags = { Name = "datagovuk-${var.aws_environment}-ckan-static-data" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "DATA.GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "DATA.GOVUK" } logging { - target_bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id target_prefix = "s3/datagovuk-${var.aws_environment}-ckan-static-data/" } @@ -79,6 +83,6 @@ resource "aws_s3_bucket" "datagovuk-static" { } resource "aws_s3_bucket_policy" "govuk_datagovuk_static_read_policy" { - bucket = "${aws_s3_bucket.datagovuk-static.id}" - policy = "${data.aws_iam_policy_document.s3_fastly_read_policy_doc.json}" + bucket = aws_s3_bucket.datagovuk-static.id + policy = data.aws_iam_policy_document.s3_fastly_read_policy_doc.json } diff --git a/terraform/projects/infra-env-sync-and-backup/content_publisher.tf b/terraform/projects/infra-env-sync-and-backup/content_publisher.tf index dd60bce14..44c537b60 100644 --- a/terraform/projects/infra-env-sync-and-backup/content_publisher.tf +++ b/terraform/projects/infra-env-sync-and-backup/content_publisher.tf 
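Review bot: `Product = "DATA.GOVUK"` and `System = "DATA.GOVUK"` carry the same value, whereas every other tagging hunk in this commit uses `Product` for the programme (`"GOVUK"`) and `System` for the component (`"Fastly"`, `"GOVUK Mirror"`, `"Monitoring"`); if these tags drive cost allocation or ownership lookups the static bucket will not group with the rest, so either give `System` the component name (e.g. `"DATA.GOVUK static bucket"`, constructed example) or add a comment saying why both are identical. `Environment = "${var.aws_environment}"` again duplicates the `aws_environment` tag directly above it in the legacy interpolation form. The enclosing `aws_s3_bucket.datagovuk-static` resource starts outside this hunk.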
@@ -1,16 +1,16 @@ resource "aws_iam_policy" "content_publisher_env_sync_s3_writer" { name = "govuk-${var.aws_environment}-content-publisher-env-sync-s3-writer-policy" - policy = "${data.template_file.content_publisher_env_sync_s3_writer_policy_template.rendered}" + policy = data.template_file.content_publisher_env_sync_s3_writer_policy_template.rendered } resource "aws_iam_policy_attachment" "content_publisher_env_sync_s3_writer" { name = "govuk-${var.aws_environment}-content-publisher-env-sync-s3-writer-policy-attachment" users = ["${aws_iam_user.env_sync_and_backup.name}"] - policy_arn = "${aws_iam_policy.content_publisher_env_sync_s3_writer.arn}" + policy_arn = aws_iam_policy.content_publisher_env_sync_s3_writer.arn } data "template_file" "content_publisher_env_sync_s3_writer_policy_template" { - template = "${file("s3_sync_policy.tpl")}" + template = file("s3_sync_policy.tpl") vars = { bucket_suffix = "content-publisher-activestorage" diff --git a/terraform/projects/infra-env-sync-and-backup/main.tf b/terraform/projects/infra-env-sync-and-backup/main.tf index cfb445927..b7331e6a3 100644 --- a/terraform/projects/infra-env-sync-and-backup/main.tf +++ b/terraform/projects/infra-env-sync-and-backup/main.tf @@ -5,18 +5,18 @@ */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "stackname" { - type = "string" + type = string description = "Stackname" } @@ -28,7 +28,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } diff --git a/terraform/projects/infra-env-sync-and-backup/remote_state.tf b/terraform/projects/infra-env-sync-and-backup/remote_state.tf index 224120830..9663ef63f 100644 --- a/terraform/projects/infra-env-sync-and-backup/remote_state.tf +++ b/terraform/projects/infra-env-sync-and-backup/remote_state.tf 
@@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } diff --git a/terraform/projects/infra-fastly-logs/main.tf b/terraform/projects/infra-fastly-logs/main.tf index e2f4eba99..51159b2d9 100644 --- a/terraform/projects/infra-fastly-logs/main.tf +++ b/terraform/projects/infra-fastly-logs/main.tf @@ -4,18 +4,18 @@ * Manages the Fastly logging data which is sent from Fastly to S3. */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "stackname" { - type = "string" + type = string description = "Stackname" } @@ -27,7 +27,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "5.21.0" } 
@@ -42,10 +42,14 @@ resource "aws_s3_bucket" "fastly_logs" { tags = { Name = "govuk-${var.aws_environment}-fastly-logs" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Fastly" } logging { - target_bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id target_prefix = "s3/govuk-${var.aws_environment}-fastly-logs/" } @@ -65,18 +69,18 @@ resource "aws_iam_user" "logs_writer" { resource "aws_iam_policy" "logs_writer" { name = "fastly-logs-${var.aws_environment}-logs-writer-policy" - policy = "${data.template_file.logs_writer_policy_template.rendered}" + policy = data.template_file.logs_writer_policy_template.rendered description = "Allows writing to to the fastly-logs bucket" } resource "aws_iam_policy_attachment" "logs_writer" { name = "logs-writer-policy-attachment" users = ["${aws_iam_user.logs_writer.name}"] - policy_arn = "${aws_iam_policy.logs_writer.arn}" + policy_arn = aws_iam_policy.logs_writer.arn } data "template_file" "logs_writer_policy_template" { - template = "${file("${path.module}/../../policies/fastly_logs_writer_policy.tpl")}" + template = file("${path.module}/../../policies/fastly_logs_writer_policy.tpl") vars = { aws_environment = "${var.aws_environment}" @@ -91,7 +95,7 @@ resource "aws_glue_catalog_database" "fastly_logs" { resource "aws_iam_role_policy_attachment" "aws-glue-service-role-service-attachment" { policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole" - role = "${aws_iam_role.glue.name}" + role = aws_iam_role.glue.name } resource "aws_iam_role" "glue" { 
@@ -118,7 +122,7 @@ EOF resource "aws_iam_role_policy" "fastly_logs_policy" { name = "govuk-${var.aws_environment}-fastly-logs-glue-policy" - role = "${aws_iam_role.glue.id}" + role = aws_iam_role.glue.id policy = < [eks\_egress\_ips](#input\_eks\_egress\_ips) | Egress addresses for the corresponding EKS environment, in CIDR notation. | `list(string)` | n/a | yes | | [enable\_replica\_lifecycle\_rules](#input\_enable\_replica\_lifecycle\_rules) | Enable lifecycle rules for the mirror bucket's replica | `bool` | `true` | no | | [enable\_replication](#input\_enable\_replication) | Enable replication from the mirror bucket to its replica | `bool` | `true` | no | -| [gds\_egress\_ips](#input\_gds\_egress\_ips) | An array of CIDR blocks that will be allowed offsite access. | `list` | n/a | yes | +| [gds\_egress\_ips](#input\_gds\_egress\_ips) | An array of CIDR blocks that will be allowed offsite access. | `list(any)` | n/a | yes | | [lifecycle\_government\_uploads](#input\_lifecycle\_government\_uploads) | Number of days for the lifecycle rule for the mirror in the case where the prefix path is www.gov.uk/government/uploads/ | `string` | `"8"` | no | | [lifecycle\_main](#input\_lifecycle\_main) | Number of days for the lifecycle rule for the mirror | `string` | `"5"` | no | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | diff --git a/terraform/projects/infra-mirror-bucket/main.tf b/terraform/projects/infra-mirror-bucket/main.tf index b6b9bca8e..84f7f82ef 100644 --- a/terraform/projects/infra-mirror-bucket/main.tf +++ b/terraform/projects/infra-mirror-bucket/main.tf @@ -48,7 +48,7 @@ variable "remote_state_infra_networking_key_stack" { } variable "gds_egress_ips" { - type = list + type = list(any) description = "An array of CIDR blocks that will be allowed offsite access." } 
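Review bot: In the infra-mirror-bucket `main.tf` hunk, `type = list(any)` for `gds_egress_ips` only defers the failure: a list containing a non-string passes plan-time type checking and is rejected later by whichever resource interpolates it, and it is weaker than the `list(string)` the sibling `eks_egress_ips` input already has in the README hunk above. `type = list(string)` gives this CIDR list the same validation as the other one; a `validation` block that checks each entry with `can(cidrhost(entry, 0))` would additionally reject malformed CIDRs before they reach a bucket policy or security group. The README row for `gds_egress_ips` should then say `list(string)` as well.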
@@ -161,6 +161,10 @@ resource "aws_s3_bucket" "govuk-mirror" { tags = { Name = "govuk-${var.aws_environment}-mirror" aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "GOVUK Mirror" } logging { @@ -229,6 +233,10 @@ resource "aws_s3_bucket" "govuk-mirror-replica" { Name = "govuk-${var.aws_environment}-mirror-replica" Status = var.enable_replication ? null : "Not in use in ${var.aws_environment} environment" aws_environment = var.aws_environment + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "GOVUK Mirror" } logging { diff --git a/terraform/projects/infra-monitoring/main.tf b/terraform/projects/infra-monitoring/main.tf index 30b911b06..d81ca433d 100644 --- a/terraform/projects/infra-monitoring/main.tf +++ b/terraform/projects/infra-monitoring/main.tf @@ -11,36 +11,36 @@ */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "aws_environment" { - type = "string" + type = string description = "AWS Environment" } variable "cyber_slunk_s3_bucket_name" { - type = "string" + type = string description = "Name of the Cyber S3 bucket where aws logging will be replicated" default = "na" } variable "cyber_slunk_aws_account_id" { - type = "string" + type = string description = "AWS account ID of the Cyber S3 bucket where aws logging will be replicated" default = "na" } variable "rds_enhanced_monitoring_role_name" { description = "Name of the IAM role to create for RDS Enhanced Monitoring." - type = "string" + type = string default = "rds-monitoring-role" } variable "stackname" { - type = "string" + type = string description = "Stackname" default = "" } @@ -53,7 +53,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } 
@@ -62,7 +62,7 @@ data "aws_elb_service_account" "main" {} data "aws_caller_identity" "current" {} data "template_file" "s3_aws_logging_policy_template" { - template = "${file("${path.module}/../../policies/s3_aws_logging_write_policy.tpl")}" + template = file("${path.module}/../../policies/s3_aws_logging_write_policy.tpl") vars = { aws_environment = "${var.aws_environment}" @@ -71,7 +71,7 @@ data "template_file" "s3_aws_logging_policy_template" { } data "template_file" "s3_govuk_aws_logging_replication_policy_template" { - template = "${file("${path.module}/../../policies/s3_govuk_aws_logging_replication_policy.tpl")}" + template = file("${path.module}/../../policies/s3_govuk_aws_logging_replication_policy.tpl") vars = { govuk_aws_logging_arn = "${aws_s3_bucket.aws-logging.arn}" 
@@ -80,27 +80,27 @@ data "template_file" "s3_govuk_aws_logging_replication_policy_template" { } data "template_file" "s3_govuk_aws_logging_replication_role_template" { - template = "${file("${path.module}/../../policies/s3_govuk_aws_logging_replication_role.tpl")}" + template = file("${path.module}/../../policies/s3_govuk_aws_logging_replication_role.tpl") } resource "aws_iam_policy" "govuk_aws_logging_replication_policy" { #count = "${var.aws_environment == "production"? 1 : 0}" name = "govuk-${var.aws_environment}-aws-logging-bucket-replication-policy" - policy = "${data.template_file.s3_govuk_aws_logging_replication_policy_template.rendered}" + policy = data.template_file.s3_govuk_aws_logging_replication_policy_template.rendered description = "Allows replication of the aws-logging bucket" } resource "aws_iam_role" "govuk_aws_logging_replication_role" { #count = "${var.aws_environment == "production"? 1 : 0}" name = "${var.stackname}-aws-logging-replication-role" - assume_role_policy = "${data.template_file.s3_govuk_aws_logging_replication_role_template.rendered}" + assume_role_policy = data.template_file.s3_govuk_aws_logging_replication_role_template.rendered } resource "aws_iam_policy_attachment" "govuk_aws_logging_replication_policy_attachment" { #count = "${var.aws_environment == "production"? 1 : 0}" name = "s3-govuk-aws-logging-replication-policy-attachment" roles = ["${aws_iam_role.govuk_aws_logging_replication_role.name}"] - policy_arn = "${aws_iam_policy.govuk_aws_logging_replication_policy.arn}" + policy_arn = aws_iam_policy.govuk_aws_logging_replication_policy.arn } # Create a bucket that allows AWS services to write to it @@ -111,6 +111,9 @@ resource "aws_s3_bucket" "aws-logging" { tags = { Name = "govuk-${var.aws_environment}-aws-logging" Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Monitoring" } lifecycle_rule { 
@@ -133,17 +136,17 @@ resource "aws_s3_bucket" "aws-logging" { } replication_configuration { - role = "${aws_iam_role.govuk_aws_logging_replication_role.arn}" + role = aws_iam_role.govuk_aws_logging_replication_role.arn rules { id = "govuk-aws-logging-elb-govuk-public-ckan-rule" prefix = "elb/govuk-ckan-public-elb" - status = "${var.aws_environment == "production" ? "Enabled" : "Disabled"}" + status = var.aws_environment == "production" ? "Enabled" : "Disabled" destination { bucket = "arn:aws:s3:::${var.cyber_slunk_s3_bucket_name}" storage_class = "STANDARD" - account_id = "${var.cyber_slunk_aws_account_id}" + account_id = var.cyber_slunk_aws_account_id access_control_translation { owner = "Destination" @@ -152,11 +155,11 @@ resource "aws_s3_bucket" "aws-logging" { } } - policy = "${data.template_file.s3_aws_logging_policy_template.rendered}" + policy = data.template_file.s3_aws_logging_policy_template.rendered } data "template_file" "iam_aws_logging_logit_read_policy_template" { - template = "${file("${path.module}/../../policies/iam_s3_aws_logging_read_policy.tpl")}" + template = file("${path.module}/../../policies/iam_s3_aws_logging_read_policy.tpl") vars = { aws_environment = "${var.aws_environment}" @@ -168,7 +171,7 @@ resource "aws_iam_policy" "aws-logging_logit-read_iam_policy" { name = "${var.aws_environment}-aws-logging_logit-read_iam_policy" path = "/" description = "Allow read access to S3 aws-logging bucket" - policy = "${data.template_file.iam_aws_logging_logit_read_policy_template.rendered}" + policy = data.template_file.iam_aws_logging_logit_read_policy_template.rendered } resource "aws_iam_user" "aws-logging_logit-read_iam_user" { 
@@ -178,7 +181,7 @@ resource "aws_iam_user" "aws-logging_logit-read_iam_user" { resource "aws_iam_policy_attachment" "aws-logging_logit-read_iam_policy_attachment" { name = "aws-logging_logit-read_iam_policy_attachment" users = ["${aws_iam_user.aws-logging_logit-read_iam_user.name}"] - policy_arn = "${aws_iam_policy.aws-logging_logit-read_iam_policy.arn}" + policy_arn = aws_iam_policy.aws-logging_logit-read_iam_policy.arn } # @@ -187,7 +190,7 @@ resource "aws_iam_policy_attachment" "aws-logging_logit-read_iam_policy_attachme # Kinesis Firehose role configuration data "template_file" "firehose_assume_policy_template" { - template = "${file("${path.module}/../../policies/firehose_assume_policy.tpl")}" + template = file("${path.module}/../../policies/firehose_assume_policy.tpl") vars = { aws_account_id = "${data.aws_caller_identity.current.account_id}" @@ -197,11 +200,11 @@ data "template_file" "firehose_assume_policy_template" { resource "aws_iam_role" "firehose_logs_role" { name = "${var.stackname}-firehose-logs" path = "/" - assume_role_policy = "${data.template_file.firehose_assume_policy_template.rendered}" + assume_role_policy = data.template_file.firehose_assume_policy_template.rendered } data "template_file" "firehose_logs_policy_template" { - template = "${file("${path.module}/../../policies/firehose_logs_policy.tpl")}" + template = file("${path.module}/../../policies/firehose_logs_policy.tpl") vars = { bucket_name = "${aws_s3_bucket.aws-logging.id}" 
@@ -211,23 +214,23 @@ data "template_file" "firehose_logs_policy_template" { resource "aws_iam_policy" "firehose_logs_policy" { name = "${var.stackname}-firehose-logs-policy" path = "/" - policy = "${data.template_file.firehose_logs_policy_template.rendered}" + policy = data.template_file.firehose_logs_policy_template.rendered } resource "aws_iam_role_policy_attachment" "firehose_logs_policy_attachment" { - role = "${aws_iam_role.firehose_logs_role.name}" - policy_arn = "${aws_iam_policy.firehose_logs_policy.arn}" + role = aws_iam_role.firehose_logs_role.name + policy_arn = aws_iam_policy.firehose_logs_policy.arn } # Lambda role configuration resource "aws_iam_role" "lambda_logs_to_firehose_role" { name = "${var.stackname}-lambda-logs-to-firehose" path = "/" - assume_role_policy = "${file("${path.module}/../../policies/lambda_assume_policy.json")}" + assume_role_policy = file("${path.module}/../../policies/lambda_assume_policy.json") } data "template_file" "lambda_logs_to_firehose_policy_template" { - template = "${file("${path.module}/../../policies/lambda_logs_to_firehose_policy.tpl")}" + template = file("${path.module}/../../policies/lambda_logs_to_firehose_policy.tpl") vars = { aws_region = "${var.aws_region}" 
@@ -238,23 +241,23 @@ data "template_file" "lambda_logs_to_firehose_policy_template" { resource "aws_iam_policy" "lambda_logs_to_firehose_policy" { name = "${var.stackname}-lambda-logs-to-firehose" path = "/" - policy = "${data.template_file.lambda_logs_to_firehose_policy_template.rendered}" + policy = data.template_file.lambda_logs_to_firehose_policy_template.rendered } resource "aws_iam_role_policy_attachment" "lambda_logs_to_firehose_policy_attachment" { - role = "${aws_iam_role.lambda_logs_to_firehose_role.name}" - policy_arn = "${aws_iam_policy.lambda_logs_to_firehose_policy.arn}" + role = aws_iam_role.lambda_logs_to_firehose_role.name + policy_arn = aws_iam_policy.lambda_logs_to_firehose_policy.arn } # Lambda RDS logs to S3 role resource "aws_iam_role" "lambda_rds_logs_to_s3_role" { name = "${var.stackname}-rds-logs-to-s3" path = "/" - assume_role_policy = "${file("${path.module}/../../policies/lambda_assume_policy.json")}" + assume_role_policy = file("${path.module}/../../policies/lambda_assume_policy.json") } data "template_file" "lambda_rds_logs_to_s3_policy_template" { - template = "${file("${path.module}/../../policies/lambda_rds_logs_to_s3_policy.tpl")}" + template = file("${path.module}/../../policies/lambda_rds_logs_to_s3_policy.tpl") vars = { bucket_name = "${aws_s3_bucket.aws-logging.id}" 
@@ -264,12 +267,12 @@ data "template_file" "lambda_rds_logs_to_s3_policy_template" { resource "aws_iam_policy" "lambda_rds_logs_to_s3_policy" { name = "${var.stackname}-rds-logs-to-s3-policy" path = "/" - policy = "${data.template_file.lambda_rds_logs_to_s3_policy_template.rendered}" + policy = data.template_file.lambda_rds_logs_to_s3_policy_template.rendered } resource "aws_iam_role_policy_attachment" "lambda_rds_logs_to_s3_policy_attachment" { - role = "${aws_iam_role.lambda_rds_logs_to_s3_role.name}" - policy_arn = "${aws_iam_policy.lambda_rds_logs_to_s3_policy.arn}" + role = aws_iam_role.lambda_rds_logs_to_s3_role.name + policy_arn = aws_iam_policy.lambda_rds_logs_to_s3_policy.arn } # @@ -286,13 +289,13 @@ resource "aws_sqs_queue" "notifications" { } resource "aws_sns_topic_subscription" "notifications_sqs_target" { - topic_arn = "${aws_sns_topic.notifications.arn}" + topic_arn = aws_sns_topic.notifications.arn protocol = "sqs" - endpoint = "${aws_sqs_queue.notifications.arn}" + endpoint = aws_sqs_queue.notifications.arn } data "template_file" "notifications_sqs_queue_policy_template" { - template = "${file("${path.module}/../../policies/sqs_allow_sns_policy.tpl")}" + template = file("${path.module}/../../policies/sqs_allow_sns_policy.tpl") vars = { sns_topic_arn = "${aws_sns_topic.notifications.arn}" @@ -301,8 +304,8 @@ data "template_file" "notifications_sqs_queue_policy_template" { } resource "aws_sqs_queue_policy" "notifications_sqs_queue_policy" { - queue_url = "${aws_sqs_queue.notifications.id}" - policy = "${data.template_file.notifications_sqs_queue_policy_template.rendered}" + queue_url = aws_sqs_queue.notifications.id + policy = data.template_file.notifications_sqs_queue_policy_template.rendered } # IAM role and policy for RDS Enhanced Monitoring 
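Review bot: `aws_sqs_queue_policy.notifications_sqs_queue_policy` applies a policy rendered from `sqs_allow_sns_policy.tpl` with only `sns_topic_arn` substituted, and the template itself is not in this diff, so please confirm it grants `sqs:SendMessage` to the SNS service principal with a `Condition: {"ArnEquals": {"aws:SourceArn": "${sns_topic_arn}"}}` rather than a bare `Principal: "*"`; without the source-ARN condition any SNS topic, including one in another account, could deliver into this queue. As in the other hunks, the `vars` entry still uses the legacy `"${aws_sns_topic.notifications.arn}"` form, and `sns_topic_arn = aws_sns_topic.notifications.arn` would match the converted lines around it. The `data "template_file" "notifications_sqs_queue_policy_template"` block starts in the second hunk here and its `vars` map runs into the third, so the template's full input set is only partly visible.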
@@ -321,17 +324,20 @@ data "aws_iam_policy_document" "rds_enhanced_monitoring" { } resource "aws_iam_role" "rds_enhanced_monitoring" { - name = "${var.rds_enhanced_monitoring_role_name}" - assume_role_policy = "${data.aws_iam_policy_document.rds_enhanced_monitoring.json}" + name = var.rds_enhanced_monitoring_role_name + assume_role_policy = data.aws_iam_policy_document.rds_enhanced_monitoring.json tags = { "Name" = "${var.rds_enhanced_monitoring_role_name}" "Environment" = "${var.aws_environment}" + "Product" = "GOVUK" + "Owner" = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + "System" = "Monitoring" } } resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" { - role = "${aws_iam_role.rds_enhanced_monitoring.name}" + role = aws_iam_role.rds_enhanced_monitoring.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole" } 
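Review bot: The `Product`/`Owner`/`System` tags added to `aws_iam_role.rds_enhanced_monitoring` are hand-written literals, and the same `Owner` and `Product` values are repeated again in the infra-networking hunks further down this patch, so the two will inevitably drift; a single `locals { common_tags = { Product = "GOVUK", Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" } }` merged in with `tags = merge(local.common_tags, { Name = var.rds_enhanced_monitoring_role_name, Environment = var.aws_environment, System = "Monitoring" })` keeps the ownership metadata in one place. Provider-level `default_tags` would be the usual answer, but the provider is pinned at 2.46.0 elsewhere in this patch, which predates that feature, so a local is the practical option. The pre-existing `"Name"` and `"Environment"` entries in the same `tags` map also still use the `"${var...}"` interpolation that the lines immediately above them just dropped.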
@@ -339,46 +345,46 @@ resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" { # -------------------------------------------------------------- output "aws_logging_bucket_id" { - value = "${aws_s3_bucket.aws-logging.id}" + value = aws_s3_bucket.aws-logging.id description = "Name of the AWS logging bucket" } output "aws_logging_bucket_arn" { - value = "${aws_s3_bucket.aws-logging.arn}" + value = aws_s3_bucket.aws-logging.arn description = "ARN of the AWS logging bucket" } output "firehose_logs_role_arn" { - value = "${aws_iam_role.firehose_logs_role.arn}" + value = aws_iam_role.firehose_logs_role.arn description = "ARN of the Kinesis Firehose stream AWS credentials" } output "lambda_logs_role_arn" { - value = "${aws_iam_role.lambda_logs_to_firehose_role.arn}" + value = aws_iam_role.lambda_logs_to_firehose_role.arn description = "ARN of the IAM role attached to the Lambda logs Function" } output "lambda_rds_logs_to_s3_role_arn" { - value = "${aws_iam_role.lambda_rds_logs_to_s3_role.arn}" + value = aws_iam_role.lambda_rds_logs_to_s3_role.arn description = "ARN of the IAM role attached to the Lambda RDS logs to S3 Function" } output "sns_topic_cloudwatch_alarms_arn" { - value = "${aws_sns_topic.notifications.arn}" + value = aws_sns_topic.notifications.arn description = "ARN of the SNS topic for CloudWatch alarms" } output "sns_topic_autoscaling_group_events_arn" { - value = "${aws_sns_topic.notifications.arn}" + value = aws_sns_topic.notifications.arn description = "ARN of the SNS topic for ASG events" } output "sns_topic_rds_events_arn" { - value = "${aws_sns_topic.notifications.arn}" + value = aws_sns_topic.notifications.arn description = "ARN of the SNS topic for RDS events" } output "rds_enhanced_monitoring_role_arn" { description = "The ARN of the IAM role for RDS Enhanced Monitoring" - value = "${aws_iam_role.rds_enhanced_monitoring.arn}" + value = aws_iam_role.rds_enhanced_monitoring.arn } 
diff --git a/terraform/projects/infra-monitoring/secondary.tf b/terraform/projects/infra-monitoring/secondary.tf index 4134a2dec..3c766b4f5 100644 --- a/terraform/projects/infra-monitoring/secondary.tf +++ b/terraform/projects/infra-monitoring/secondary.tf @@ -5,7 +5,7 @@ */ variable "aws_secondary_region" { - type = "string" + type = string description = "Secondary AWS region" default = "eu-west-2" } @@ -15,12 +15,12 @@ variable "aws_secondary_region" { provider "aws" { alias = "aws_secondary" - region = "${var.aws_secondary_region}" + region = var.aws_secondary_region version = "2.46.0" } data "template_file" "s3_aws_secondary_logging_policy_template" { - template = "${file("${path.module}/../../policies/s3_aws_secondary_logging_write_policy.tpl")}" + template = file("${path.module}/../../policies/s3_aws_secondary_logging_write_policy.tpl") vars = { aws_environment = "${var.aws_environment}" @@ -37,6 +37,9 @@ resource "aws_s3_bucket" "aws-secondary-logging" { tags = { Name = "govuk-${var.aws_environment}-aws-secondary-logging" Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Monitoring" } # Expire everything after 30 days @@ -48,13 +51,13 @@ resource "aws_s3_bucket" "aws-secondary-logging" { } } - policy = "${data.template_file.s3_aws_secondary_logging_policy_template.rendered}" + policy = data.template_file.s3_aws_secondary_logging_policy_template.rendered } # Outputs # -------------------------------------------------------------- output "aws_secondary_logging_bucket_id" { - value = "${aws_s3_bucket.aws-secondary-logging.id}" + value = aws_s3_bucket.aws-secondary-logging.id description = "Name of the AWS logging bucket" } diff --git a/terraform/projects/infra-networking/README.md b/terraform/projects/infra-networking/README.md index 91e6d6790..4207d4bb7 100644 --- a/terraform/projects/infra-networking/README.md +++ b/terraform/projects/infra-networking/README.md 
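Review bot: `aws_s3_bucket.aws-secondary-logging` gains ownership tags in the third hunk of this file, but none of the hunks shown carry a `server_side_encryption_configuration` block or a companion `aws_s3_bucket_public_access_block`, and the inline `policy` is rendered from a template that is not in the diff; the resource body is only partly visible, so if those are indeed absent elsewhere in the file, a logging bucket deserves at least `block_public_acls`, `block_public_policy`, `ignore_public_acls` and `restrict_public_buckets` set to `true` plus default SSE. The `# Expire everything after 30 days` lifecycle comment is pre-existing, but it is worth stating in the resource's comment whether 30 days meets the retention expected of AWS audit logs in the secondary region, since a reader of the tags alone would assume this bucket is the system of record.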
@@ -43,20 +43,20 @@ This module governs the creation of full network stacks. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no | -| [private\_subnet\_availability\_zones](#input\_private\_subnet\_availability\_zones) | Map containing private subnet names and availability zones associated | `map` | n/a | yes | -| [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | Map containing private subnet names and CIDR associated | `map` | n/a | yes | -| [private\_subnet\_elasticache\_availability\_zones](#input\_private\_subnet\_elasticache\_availability\_zones) | Map containing private elasticache subnet names and availability zones associated | `map` | `{}` | no | -| [private\_subnet\_elasticache\_cidrs](#input\_private\_subnet\_elasticache\_cidrs) | Map containing private elasticache subnet names and CIDR associated | `map` | `{}` | no | -| [private\_subnet\_elasticsearch\_availability\_zones](#input\_private\_subnet\_elasticsearch\_availability\_zones) | Map containing private elasticsearch subnet names and availability zones associated | `map` | `{}` | no | -| [private\_subnet\_elasticsearch\_cidrs](#input\_private\_subnet\_elasticsearch\_cidrs) | Map containing private elasticsearch subnet names and CIDR associated | `map` | `{}` | no | -| [private\_subnet\_nat\_gateway\_association](#input\_private\_subnet\_nat\_gateway\_association) | Map of private subnet names and public subnet used to route external traffic (the public subnet must be listed in public\_subnet\_nat\_gateway\_enable to ensure it has a NAT gateway attached) | `map` | n/a | yes | -| [private\_subnet\_rds\_availability\_zones](#input\_private\_subnet\_rds\_availability\_zones) | Map containing private rds subnet names and availability zones associated | `map` | `{}` | no | -| [private\_subnet\_rds\_cidrs](#input\_private\_subnet\_rds\_cidrs) | Map containing private 
rds subnet names and CIDR associated | `map` | `{}` | no | -| [private\_subnet\_reserved\_ips\_availability\_zones](#input\_private\_subnet\_reserved\_ips\_availability\_zones) | Map containing private ENI subnet names and availability zones associated | `map` | `{}` | no | -| [private\_subnet\_reserved\_ips\_cidrs](#input\_private\_subnet\_reserved\_ips\_cidrs) | Map containing private ENI subnet names and CIDR associated | `map` | `{}` | no | -| [public\_subnet\_availability\_zones](#input\_public\_subnet\_availability\_zones) | Map containing public subnet names and availability zones associated | `map` | n/a | yes | -| [public\_subnet\_cidrs](#input\_public\_subnet\_cidrs) | Map containing public subnet names and CIDR associated | `map` | n/a | yes | -| [public\_subnet\_nat\_gateway\_enable](#input\_public\_subnet\_nat\_gateway\_enable) | List of public subnet names where we want to create a NAT Gateway | `list` | n/a | yes | +| [private\_subnet\_availability\_zones](#input\_private\_subnet\_availability\_zones) | Map containing private subnet names and availability zones associated | `map(string)` | n/a | yes | +| [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | Map containing private subnet names and CIDR associated | `map(string)` | n/a | yes | +| [private\_subnet\_elasticache\_availability\_zones](#input\_private\_subnet\_elasticache\_availability\_zones) | Map containing private elasticache subnet names and availability zones associated | `map(string)` | `{}` | no | +| [private\_subnet\_elasticache\_cidrs](#input\_private\_subnet\_elasticache\_cidrs) | Map containing private elasticache subnet names and CIDR associated | `map(string)` | `{}` | no | +| [private\_subnet\_elasticsearch\_availability\_zones](#input\_private\_subnet\_elasticsearch\_availability\_zones) | Map containing private elasticsearch subnet names and availability zones associated | `map(string)` | `{}` | no | +| 
[private\_subnet\_elasticsearch\_cidrs](#input\_private\_subnet\_elasticsearch\_cidrs) | Map containing private elasticsearch subnet names and CIDR associated | `map(string)` | `{}` | no | +| [private\_subnet\_nat\_gateway\_association](#input\_private\_subnet\_nat\_gateway\_association) | Map of private subnet names and public subnet used to route external traffic (the public subnet must be listed in public\_subnet\_nat\_gateway\_enable to ensure it has a NAT gateway attached) | `map(string)` | n/a | yes | +| [private\_subnet\_rds\_availability\_zones](#input\_private\_subnet\_rds\_availability\_zones) | Map containing private rds subnet names and availability zones associated | `map(string)` | `{}` | no | +| [private\_subnet\_rds\_cidrs](#input\_private\_subnet\_rds\_cidrs) | Map containing private rds subnet names and CIDR associated | `map(string)` | `{}` | no | +| [private\_subnet\_reserved\_ips\_availability\_zones](#input\_private\_subnet\_reserved\_ips\_availability\_zones) | Map containing private ENI subnet names and availability zones associated | `map(string)` | `{}` | no | +| [private\_subnet\_reserved\_ips\_cidrs](#input\_private\_subnet\_reserved\_ips\_cidrs) | Map containing private ENI subnet names and CIDR associated | `map(string)` | `{}` | no | +| [public\_subnet\_availability\_zones](#input\_public\_subnet\_availability\_zones) | Map containing public subnet names and availability zones associated | `map(string)` | n/a | yes | +| [public\_subnet\_cidrs](#input\_public\_subnet\_cidrs) | Map containing public subnet names and CIDR associated | `map(string)` | n/a | yes | +| [public\_subnet\_nat\_gateway\_enable](#input\_public\_subnet\_nat\_gateway\_enable) | List of public subnet names where we want to create a NAT Gateway | `list(string)` | n/a | yes | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | | 
[remote\_state\_infra\_monitoring\_key\_stack](#input\_remote\_state\_infra\_monitoring\_key\_stack) | Override stackname path to infra\_monitoring remote state | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | diff --git a/terraform/projects/infra-networking/main.tf b/terraform/projects/infra-networking/main.tf index c2b81644c..3b915873b 100644 --- a/terraform/projects/infra-networking/main.tf +++ b/terraform/projects/infra-networking/main.tf 
@@ -4,113 +4,113 @@ * This module governs the creation of full network stacks. */ variable "aws_region" { - type = "string" + type = string description = "AWS region" default = "eu-west-1" } variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } variable "shield_protection_enabled" { - type = "string" + type = string description = "Whether or not to enable AWS Shield. Terraform 0.11 doesn't have booleans, so representing as string." default = "true" } variable "stackname" { - type = "string" + type = string description = "Stackname" } variable "public_subnet_cidrs" { - type = "map" + type = map(string) description = "Map containing public subnet names and CIDR associated" } variable "public_subnet_availability_zones" { - type = "map" + type = map(string) description = "Map containing public subnet names and availability zones associated" } variable "public_subnet_nat_gateway_enable" { - type = "list" + type = list(string) description = "List of public subnet names where we want to create a NAT Gateway" } variable "private_subnet_cidrs" { - type = "map" + type = map(string) description = "Map containing private subnet names and CIDR associated" } variable "private_subnet_availability_zones" { - type = "map" + type = map(string) description = "Map containing private subnet names and availability zones associated" } variable "private_subnet_nat_gateway_association" { - type = "map" + type = map(string) description = "Map of private subnet names and public subnet used to route external traffic (the public subnet must be listed in public_subnet_nat_gateway_enable to ensure it has a 
NAT gateway attached)" } variable "private_subnet_elasticache_cidrs" { - type = "map" + type = map(string) description = "Map containing private elasticache subnet names and CIDR associated" default = {} } variable "private_subnet_elasticache_availability_zones" { - type = "map" + type = map(string) description = "Map containing private elasticache subnet names and availability zones associated" default = {} } variable "private_subnet_rds_cidrs" { - type = "map" + type = map(string) description = "Map containing private rds subnet names and CIDR associated" default = {} } variable "private_subnet_rds_availability_zones" { - type = "map" + type = map(string) description = "Map containing private rds subnet names and availability zones associated" default = {} } variable "private_subnet_reserved_ips_cidrs" { - type = "map" + type = map(string) description = "Map containing private ENI subnet names and CIDR associated" default = {} } variable "private_subnet_reserved_ips_availability_zones" { - type = "map" + type = map(string) description = "Map containing private ENI subnet names and availability zones associated" default = {} } variable "private_subnet_elasticsearch_cidrs" { - type = "map" + type = map(string) description = "Map containing private elasticsearch subnet names and CIDR associated" default = {} } variable "private_subnet_elasticsearch_availability_zones" { - type = "map" + type = map(string) description = "Map containing private elasticsearch subnet names and availability zones associated" default = {} } @@ -123,7 +123,7 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region version = "2.46.0" } 
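Review bot: `shield_protection_enabled` keeps `type = string`, `default = "true"` and a description saying "Terraform 0.11 doesn't have booleans", yet this very hunk moves the file to 0.12 syntax where `bool` exists; `type = bool`, `default = true` and a description without the 0.11 caveat would let Terraform reject a value like `"yes"` at plan time instead of forwarding it as a string. The module call `shield_protection_enabled = var.shield_protection_enabled` later in the file and the nat module's own variable would need the same type change, so land them together.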
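Review bot: `provider "aws"` still pins `version = "2.46.0"` inside the provider block, the 0.11-era placement; with a `terraform {}` block already present just above this hunk, the constraint should move to `terraform { required_providers { aws = "2.46.0" } }`, which is the form later releases require and keeps the pin next to `required_version`. The contents of that `terraform` block are outside the hunk, so I cannot tell whether a `required_version` is already set.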
@@ -149,18 +149,18 @@ data "terraform_remote_state" "infra_monitoring" { module "infra_public_subnet" { source = "../../modules/aws/network/public_subnet" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - default_tags = "${map("Project", var.stackname)}" - route_table_public_id = "${data.terraform_remote_state.infra_vpc.outputs.route_table_public_id}" - subnet_cidrs = "${var.public_subnet_cidrs}" - subnet_availability_zones = "${var.public_subnet_availability_zones}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + default_tags = map("Project", var.stackname, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Networking") + route_table_public_id = data.terraform_remote_state.infra_vpc.outputs.route_table_public_id + subnet_cidrs = var.public_subnet_cidrs + subnet_availability_zones = var.public_subnet_availability_zones } module "infra_nat" { - shield_protection_enabled = "${var.shield_protection_enabled}" + shield_protection_enabled = var.shield_protection_enabled source = "../../modules/aws/network/nat" - subnet_ids = "${matchkeys(values(module.infra_public_subnet.subnet_names_ids_map), keys(module.infra_public_subnet.subnet_names_ids_map), var.public_subnet_nat_gateway_enable)}" - subnet_ids_length = "${length(var.public_subnet_nat_gateway_enable)}" + subnet_ids = matchkeys(values(module.infra_public_subnet.subnet_names_ids_map), keys(module.infra_public_subnet.subnet_names_ids_map), var.public_subnet_nat_gateway_enable) + subnet_ids_length = length(var.public_subnet_nat_gateway_enable) } # Intermediate variables in Terraform are not supported. 
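Review bot: `default_tags` in `module.infra_public_subnet` now references `var.aws_environment`, but no variable of that name appears in the 113-line variable hunk of this file above, and the visible portion of the README input table starts at `aws_region`; if it is not declared in another `.tf` of the infra-networking project, `terraform validate` fails with an undeclared-variable error, so please confirm or add `variable "aws_environment" { type = string description = "AWS Environment" }`. The five-pair positional `map(...)` call is also fragile: a single missed value shifts every subsequent key onto the wrong value and still plans cleanly, whereas the object literal `{ Project = var.stackname, Environment = var.aws_environment, Product = "GOVUK", Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk", System = "Networking" }` is checked by the parser and does not rely on the `map()` function, which is deprecated since 0.12.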
@@ -170,7 +170,7 @@ module "infra_nat" { # variable to select which NAT gateway, if any, each private # subnet must use to route public traffic. data "template_file" "nat_gateway_association_subnet_id" { - count = "${length(keys(var.private_subnet_nat_gateway_association))}" + count = length(keys(var.private_subnet_nat_gateway_association)) template = "$${subnet_id}" vars = { @@ -179,7 +179,7 @@ data "template_file" "nat_gateway_association_subnet_id" { } data "template_file" "nat_gateway_association_nat_id" { - count = "${length(keys(var.private_subnet_nat_gateway_association))}" + count = length(keys(var.private_subnet_nat_gateway_association)) template = "$${nat_gateway_id}" depends_on = ["data.template_file.nat_gateway_association_subnet_id"] 
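Review bot: `depends_on = ["data.template_file.nat_gateway_association_subnet_id"]` in `nat_gateway_association_nat_id` is left as a quoted string while the `count` expression beside it was converted; 0.12 only warns that quoted references are deprecated, and later releases reject them, so it should read `depends_on = [data.template_file.nat_gateway_association_subnet_id]`. The two `template_file` data sources here exist only to emulate intermediate variables, as the surrounding comment says; under 0.12 a `locals` block with `zipmap` does the same job without the template provider, though that is a larger change than this hunk.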
@@ -190,180 +190,180 @@ data "template_file" "nat_gateway_association_nat_id" { module "infra_private_subnet" { source = "../../modules/aws/network/private_subnet" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - default_tags = "${map("Project", var.stackname)}" - subnet_cidrs = "${var.private_subnet_cidrs}" - subnet_availability_zones = "${var.private_subnet_availability_zones}" - subnet_nat_gateways = "${zipmap(keys(var.private_subnet_nat_gateway_association), data.template_file.nat_gateway_association_nat_id.*.rendered)}" - subnet_nat_gateways_length = "${length(keys(var.private_subnet_nat_gateway_association))}" - s3_gateway_id = "${data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + default_tags = map("Project", var.stackname, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Networking") + subnet_cidrs = var.private_subnet_cidrs + subnet_availability_zones = var.private_subnet_availability_zones + subnet_nat_gateways = zipmap(keys(var.private_subnet_nat_gateway_association), data.template_file.nat_gateway_association_nat_id.*.rendered) + subnet_nat_gateways_length = length(keys(var.private_subnet_nat_gateway_association)) + s3_gateway_id = data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id } module "infra_private_subnet_elasticache" { source = "../../modules/aws/network/private_subnet" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - default_tags = "${map("Project", var.stackname, "aws_migration", "elasticache")}" - subnet_cidrs = "${var.private_subnet_elasticache_cidrs}" - subnet_availability_zones = "${var.private_subnet_elasticache_availability_zones}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + default_tags = map("Project", var.stackname, "aws_migration", "elasticache", "Environment", var.aws_environment, "Product", "GOVUK", 
"Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Elasticache Networking") + subnet_cidrs = var.private_subnet_elasticache_cidrs + subnet_availability_zones = var.private_subnet_elasticache_availability_zones subnet_nat_gateways_length = "0" - s3_gateway_id = "${data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id}" + s3_gateway_id = data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id } module "infra_private_subnet_rds" { source = "../../modules/aws/network/private_subnet" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - default_tags = "${map("Project", var.stackname, "aws_migration", "rds")}" - subnet_cidrs = "${var.private_subnet_rds_cidrs}" - subnet_availability_zones = "${var.private_subnet_rds_availability_zones}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + default_tags = map("Project", var.stackname, "aws_migration", "rds", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Database Networking") + subnet_cidrs = var.private_subnet_rds_cidrs + subnet_availability_zones = var.private_subnet_rds_availability_zones subnet_nat_gateways_length = "0" - s3_gateway_id = "${data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id}" + s3_gateway_id = data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id } module "infra_private_subnet_reserved_ips" { source = "../../modules/aws/network/private_subnet" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - default_tags = "${map("Project", var.stackname, "aws_migration", "eni")}" - subnet_cidrs = "${var.private_subnet_reserved_ips_cidrs}" - subnet_availability_zones = "${var.private_subnet_reserved_ips_availability_zones}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + default_tags = map("Project", var.stackname, "aws_migration", "eni", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", 
"govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Networking") + subnet_cidrs = var.private_subnet_reserved_ips_cidrs + subnet_availability_zones = var.private_subnet_reserved_ips_availability_zones subnet_nat_gateways_length = "0" - s3_gateway_id = "${data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id}" + s3_gateway_id = data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id } module "infra_private_subnet_elasticsearch" { source = "../../modules/aws/network/private_subnet" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - default_tags = "${map("Project", var.stackname, "aws_migration", "elasticsearch")}" - subnet_cidrs = "${var.private_subnet_elasticsearch_cidrs}" - subnet_availability_zones = "${var.private_subnet_elasticsearch_availability_zones}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + default_tags = map("Project", var.stackname, "aws_migration", "elasticsearch", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Elasticsearch Networking") + subnet_cidrs = var.private_subnet_elasticsearch_cidrs + subnet_availability_zones = var.private_subnet_elasticsearch_availability_zones subnet_nat_gateways_length = "0" - s3_gateway_id = "${data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id}" + s3_gateway_id = data.terraform_remote_state.infra_vpc.outputs.s3_gateway_id } module "infra_alarms_natgateway" { source = "../../modules/aws/alarms/natgateway" name_prefix = "${var.stackname}-natgateway" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn}"] - nat_gateway_ids = "${module.infra_nat.nat_gateway_ids}" - nat_gateway_ids_length = "${length(var.public_subnet_nat_gateway_enable)}" + nat_gateway_ids = module.infra_nat.nat_gateway_ids + nat_gateway_ids_length = length(var.public_subnet_nat_gateway_enable) } # Outputs # 
-------------------------------------------------------------- output "vpc_id" { - value = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + value = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "VPC ID where the stack resources are created" } output "nat_gateway_elastic_ips_list" { - value = "${module.infra_nat.nat_gateway_elastic_ips_list}" + value = module.infra_nat.nat_gateway_elastic_ips_list description = "List containing the public IPs associated with the NAT gateways" } output "public_subnet_ids" { - value = "${module.infra_public_subnet.subnet_ids}" + value = module.infra_public_subnet.subnet_ids description = "List of public subnet IDs" } output "public_subnet_names_ids_map" { - value = "${module.infra_public_subnet.subnet_names_ids_map}" + value = module.infra_public_subnet.subnet_names_ids_map description = "Map containing the pair name-id for each public subnet created" } output "public_subnet_names_azs_map" { - value = "${var.public_subnet_availability_zones}" + value = var.public_subnet_availability_zones } output "private_subnet_ids" { - value = "${module.infra_private_subnet.subnet_ids}" + value = module.infra_private_subnet.subnet_ids description = "List of private subnet IDs" } output "private_subnet_names_ids_map" { - value = "${module.infra_private_subnet.subnet_names_ids_map}" + value = module.infra_private_subnet.subnet_names_ids_map description = "Map containing the pair name-id for each private subnet created" } output "private_subnet_names_azs_map" { - value = "${var.private_subnet_availability_zones}" + value = var.private_subnet_availability_zones } output "private_subnet_names_route_tables_map" { - value = "${module.infra_private_subnet.subnet_names_route_tables_map}" + value = module.infra_private_subnet.subnet_names_route_tables_map description = "Map containing the name of each private subnet and route_table ID associated" } output "private_subnet_elasticache_ids" { - value = 
"${module.infra_private_subnet_elasticache.subnet_ids}" + value = module.infra_private_subnet_elasticache.subnet_ids description = "List of private subnet IDs" } output "private_subnet_elasticache_names_ids_map" { - value = "${module.infra_private_subnet_elasticache.subnet_names_ids_map}" + value = module.infra_private_subnet_elasticache.subnet_names_ids_map description = "Map containing the pair name-id for each private subnet created" } output "private_subnet_elasticache_names_azs_map" { - value = "${var.private_subnet_elasticache_availability_zones}" + value = var.private_subnet_elasticache_availability_zones } output "private_subnet_elasticache_names_route_tables_map" { - value = "${module.infra_private_subnet_elasticache.subnet_names_route_tables_map}" + value = module.infra_private_subnet_elasticache.subnet_names_route_tables_map description = "Map containing the name of each private subnet and route_table ID associated" } output "private_subnet_rds_ids" { - value = "${module.infra_private_subnet_rds.subnet_ids}" + value = module.infra_private_subnet_rds.subnet_ids description = "List of private subnet IDs" } output "private_subnet_rds_names_ids_map" { - value = "${module.infra_private_subnet_rds.subnet_names_ids_map}" + value = module.infra_private_subnet_rds.subnet_names_ids_map description = "Map containing the pair name-id for each private subnet created" } output "private_subnet_rds_names_azs_map" { - value = "${var.private_subnet_rds_availability_zones}" + value = var.private_subnet_rds_availability_zones } output "private_subnet_rds_names_route_tables_map" { - value = "${module.infra_private_subnet_rds.subnet_names_route_tables_map}" + value = module.infra_private_subnet_rds.subnet_names_route_tables_map description = "Map containing the name of each private subnet and route_table ID associated" } output "private_subnet_reserved_ips_ids" { - value = "${module.infra_private_subnet_reserved_ips.subnet_ids}" + value = 
module.infra_private_subnet_reserved_ips.subnet_ids description = "List of private subnet IDs" } output "private_subnet_reserved_ips_names_ids_map" { - value = "${module.infra_private_subnet_reserved_ips.subnet_names_ids_map}" + value = module.infra_private_subnet_reserved_ips.subnet_names_ids_map description = "Map containing the pair name-id for each private subnet created" } output "private_subnet_reserved_ips_names_azs_map" { - value = "${var.private_subnet_reserved_ips_availability_zones}" + value = var.private_subnet_reserved_ips_availability_zones } output "private_subnet_reserved_ips_names_route_tables_map" { - value = "${module.infra_private_subnet_reserved_ips.subnet_names_route_tables_map}" + value = module.infra_private_subnet_reserved_ips.subnet_names_route_tables_map description = "Map containing the name of each private subnet and route_table ID associated" } output "private_subnet_elasticsearch_ids" { - value = "${module.infra_private_subnet_elasticsearch.subnet_ids}" + value = module.infra_private_subnet_elasticsearch.subnet_ids description = "List of private subnet IDs" } output "private_subnet_elasticsearch_names_ids_map" { - value = "${module.infra_private_subnet_elasticsearch.subnet_names_ids_map}" + value = module.infra_private_subnet_elasticsearch.subnet_names_ids_map description = "Map containing the pair name-id for each private subnet created" } output "private_subnet_elasticsearch_names_azs_map" { - value = "${var.private_subnet_elasticsearch_availability_zones}" + value = var.private_subnet_elasticsearch_availability_zones } output "private_subnet_elasticsearch_names_route_tables_map" { - value = "${module.infra_private_subnet_elasticsearch.subnet_names_route_tables_map}" + value = module.infra_private_subnet_elasticsearch.subnet_names_route_tables_map description = "Map containing the name of each private subnet and route_table ID associated" } 
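Review bot: Each of the five `infra_private_subnet*` module calls now builds `default_tags` with a positional `map(...)` of up to seven key/value pairs, repeating the `Owner` e-mail and `Product` literals verbatim; besides `map()` being deprecated from 0.12, a dropped value in any one of these calls silently shifts the remaining keys and would only be noticed in the AWS console. `default_tags = merge(local.common_tags, { Project = var.stackname, aws_migration = "rds", Environment = var.aws_environment, System = "Database Networking" })` with the shared values in one `locals` block is both checked by the parser and keeps the `Owner` address in a single place. `alarm_actions = ["${data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn}"]` in `module.infra_alarms_natgateway` is the one remaining legacy interpolation in this hunk and can lose its quotes and braces like its neighbours.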
diff --git a/terraform/projects/infra-public-services/README.md b/terraform/projects/infra-public-services/README.md index 324ff3566..4da3e8b56 100644 --- a/terraform/projects/infra-public-services/README.md +++ b/terraform/projects/infra-public-services/README.md 
@@ -110,45 +110,45 @@ This project adds global resources for app components:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [app\_stackname](#input\_app\_stackname) | Stackname of the app projects in this environment | `string` | `"blue"` | no |
-| [apt\_internal\_service\_names](#input\_apt\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [apt\_public\_service\_cnames](#input\_apt\_public\_service\_cnames) | n/a | `list` | `[]` | no |
-| [apt\_public\_service\_names](#input\_apt\_public\_service\_names) | n/a | `list` | `[]` | no |
+| [apt\_internal\_service\_names](#input\_apt\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [apt\_public\_service\_cnames](#input\_apt\_public\_service\_cnames) | n/a | `list(string)` | `[]` | no |
+| [apt\_public\_service\_names](#input\_apt\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
 | [aws\_environment](#input\_aws\_environment) | AWS Environment | `string` | n/a | yes |
 | [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no |
-| [backend\_redis\_internal\_service\_names](#input\_backend\_redis\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [ckan\_internal\_service\_cnames](#input\_ckan\_internal\_service\_cnames) | n/a | `list` | `[]` | no |
-| [ckan\_internal\_service\_names](#input\_ckan\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [ckan\_public\_service\_cnames](#input\_ckan\_public\_service\_cnames) | n/a | `list` | `[]` | no |
-| [ckan\_public\_service\_names](#input\_ckan\_public\_service\_names) | n/a | `list` | `[]` | no |
-| [content\_data\_api\_db\_admin\_internal\_service\_names](#input\_content\_data\_api\_db\_admin\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [content\_data\_api\_postgresql\_internal\_service\_names](#input\_content\_data\_api\_postgresql\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [db\_admin\_internal\_service\_names](#input\_db\_admin\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [deploy\_internal\_service\_names](#input\_deploy\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [deploy\_public\_service\_names](#input\_deploy\_public\_service\_names) | n/a | `list` | `[]` | no |
-| [docker\_management\_internal\_service\_names](#input\_docker\_management\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [elasticsearch6\_internal\_service\_names](#input\_elasticsearch6\_internal\_service\_names) | n/a | `list` | `[]` | no |
+| [backend\_redis\_internal\_service\_names](#input\_backend\_redis\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [ckan\_internal\_service\_cnames](#input\_ckan\_internal\_service\_cnames) | n/a | `list(string)` | `[]` | no |
+| [ckan\_internal\_service\_names](#input\_ckan\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [ckan\_public\_service\_cnames](#input\_ckan\_public\_service\_cnames) | n/a | `list(string)` | `[]` | no |
+| [ckan\_public\_service\_names](#input\_ckan\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [content\_data\_api\_db\_admin\_internal\_service\_names](#input\_content\_data\_api\_db\_admin\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [content\_data\_api\_postgresql\_internal\_service\_names](#input\_content\_data\_api\_postgresql\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [db\_admin\_internal\_service\_names](#input\_db\_admin\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [deploy\_internal\_service\_names](#input\_deploy\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [deploy\_public\_service\_names](#input\_deploy\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [docker\_management\_internal\_service\_names](#input\_docker\_management\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [elasticsearch6\_internal\_service\_names](#input\_elasticsearch6\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
 | [elb\_public\_certname](#input\_elb\_public\_certname) | The ACM cert domain name to find the ARN of | `string` | n/a | yes |
 | [elb\_public\_internal\_certname](#input\_elb\_public\_internal\_certname) | The ACM secondary cert domain name to find the ARN of | `string` | n/a | yes |
 | [elb\_public\_secondary\_certname](#input\_elb\_public\_secondary\_certname) | The ACM secondary cert domain name to find the ARN of | `string` | `""` | no |
 | [enable\_lb\_app\_healthchecks](#input\_enable\_lb\_app\_healthchecks) | Use application specific target groups and healthchecks based on the list of services in the cname variable. | `string` | `false` | no |
-| [graphite\_internal\_service\_names](#input\_graphite\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [graphite\_public\_service\_names](#input\_graphite\_public\_service\_names) | n/a | `list` | `[]` | no |
-| [jumpbox\_public\_service\_names](#input\_jumpbox\_public\_service\_names) | n/a | `list` | `[]` | no |
+| [graphite\_internal\_service\_names](#input\_graphite\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [graphite\_public\_service\_names](#input\_graphite\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [jumpbox\_public\_service\_names](#input\_jumpbox\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
 | [licensify\_backend\_elb\_public\_certname](#input\_licensify\_backend\_elb\_public\_certname) | Domain name (CN) of the ACM cert to use for licensify\_backend. | `string` | n/a | yes |
-| [licensify\_backend\_public\_service\_names](#input\_licensify\_backend\_public\_service\_names) | n/a | `list` | `[]` | no |
-| [licensify\_frontend\_internal\_service\_cnames](#input\_licensify\_frontend\_internal\_service\_cnames) | n/a | `list` | `[]` | no |
-| [licensify\_frontend\_internal\_service\_names](#input\_licensify\_frontend\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [licensify\_frontend\_public\_service\_cnames](#input\_licensify\_frontend\_public\_service\_cnames) | n/a | `list` | `[]` | no |
-| [licensify\_frontend\_public\_service\_names](#input\_licensify\_frontend\_public\_service\_names) | n/a | `list` | `[]` | no |
-| [mongo\_internal\_service\_names](#input\_mongo\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [monitoring\_internal\_service\_names](#input\_monitoring\_internal\_service\_names) | n/a | `list` | `[]` | no |
+| [licensify\_backend\_public\_service\_names](#input\_licensify\_backend\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [licensify\_frontend\_internal\_service\_cnames](#input\_licensify\_frontend\_internal\_service\_cnames) | n/a | `list(string)` | `[]` | no |
+| [licensify\_frontend\_internal\_service\_names](#input\_licensify\_frontend\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [licensify\_frontend\_public\_service\_cnames](#input\_licensify\_frontend\_public\_service\_cnames) | n/a | `list(string)` | `[]` | no |
+| [licensify\_frontend\_public\_service\_names](#input\_licensify\_frontend\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [mongo\_internal\_service\_names](#input\_mongo\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [monitoring\_internal\_service\_names](#input\_monitoring\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
 | [monitoring\_internal\_service\_names\_cname\_dest](#input\_monitoring\_internal\_service\_names\_cname\_dest) | This variable specifies the CNAME record destination to be associated with the service names defined in monitoring\_internal\_service\_names | `string` | `"alert"` | no |
-| [monitoring\_public\_service\_names](#input\_monitoring\_public\_service\_names) | n/a | `list` | `[]` | no |
-| [prometheus\_internal\_service\_names](#input\_prometheus\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [prometheus\_public\_service\_names](#input\_prometheus\_public\_service\_names) | n/a | `list` | `[]` | no |
-| [puppetmaster\_internal\_service\_names](#input\_puppetmaster\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [rabbitmq\_internal\_service\_names](#input\_rabbitmq\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [rate\_limit\_redis\_internal\_service\_names](#input\_rate\_limit\_redis\_internal\_service\_names) | n/a | `list` | `[]` | no |
+| [monitoring\_public\_service\_names](#input\_monitoring\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [prometheus\_internal\_service\_names](#input\_prometheus\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [prometheus\_public\_service\_names](#input\_prometheus\_public\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [puppetmaster\_internal\_service\_names](#input\_puppetmaster\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [rabbitmq\_internal\_service\_names](#input\_rabbitmq\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [rate\_limit\_redis\_internal\_service\_names](#input\_rate\_limit\_redis\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
 | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes |
 | [remote\_state\_infra\_monitoring\_key\_stack](#input\_remote\_state\_infra\_monitoring\_key\_stack) | Override stackname path to infra\_monitoring remote state | `string` | `""` | no |
 | [remote\_state\_infra\_networking\_key\_stack](#input\_remote\_state\_infra\_networking\_key\_stack) | Override infra\_networking remote state path | `string` | `""` | no |
@@ -156,12 +156,12 @@ This project adds global resources for app components:
 | [remote\_state\_infra\_security\_groups\_key\_stack](#input\_remote\_state\_infra\_security\_groups\_key\_stack) | Override infra\_security\_groups stackname path to infra\_vpc remote state | `string` | `""` | no |
 | [remote\_state\_infra\_stack\_dns\_zones\_key\_stack](#input\_remote\_state\_infra\_stack\_dns\_zones\_key\_stack) | Override stackname path to infra\_stack\_dns\_zones remote state | `string` | `""` | no |
 | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no |
-| [router\_backend\_internal\_service\_names](#input\_router\_backend\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [search\_internal\_service\_cnames](#input\_search\_internal\_service\_cnames) | n/a | `list` | `[]` | no |
-| [search\_internal\_service\_names](#input\_search\_internal\_service\_names) | n/a | `list` | `[]` | no |
+| [router\_backend\_internal\_service\_names](#input\_router\_backend\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [search\_internal\_service\_cnames](#input\_search\_internal\_service\_cnames) | n/a | `list(string)` | `[]` | no |
+| [search\_internal\_service\_names](#input\_search\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
 | [stackname](#input\_stackname) | Stackname | `string` | n/a | yes |
-| [transition\_db\_admin\_internal\_service\_names](#input\_transition\_db\_admin\_internal\_service\_names) | n/a | `list` | `[]` | no |
-| [transition\_postgresql\_internal\_service\_names](#input\_transition\_postgresql\_internal\_service\_names) | n/a | `list` | `[]` | no |
+| [transition\_db\_admin\_internal\_service\_names](#input\_transition\_db\_admin\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
+| [transition\_postgresql\_internal\_service\_names](#input\_transition\_postgresql\_internal\_service\_names) | n/a | `list(string)` | `[]` | no |
 | [waf\_logs\_hec\_endpoint](#input\_waf\_logs\_hec\_endpoint) | Splunk endpoint for shipping application firewall logs | `string` | n/a | yes |
 | [waf\_logs\_hec\_token](#input\_waf\_logs\_hec\_token) | Splunk token for shipping application firewall logs | `string` | n/a | yes |
diff --git a/terraform/projects/infra-public-services/main.tf b/terraform/projects/infra-public-services/main.tf
index 390b512ee..8e0b26116 100644
--- a/terraform/projects/infra-public-services/main.tf
+++ b/terraform/projects/infra-public-services/main.tf
@@ -7,248 +7,248 @@ * */
 variable "aws_region" {
- type = "string"
+ type = string
 description = "AWS region"
 default = "eu-west-1"
 }
 variable "stackname" {
- type = "string"
+ type = string
 description = "Stackname"
 }
 variable "aws_environment" {
- type = "string"
+ type = string
 description = "AWS Environment"
 }
 variable "elb_public_certname" {
- type = "string"
+ type = string
 description = "The ACM cert domain name to find the ARN of"
 }
 variable "elb_public_secondary_certname" {
- type = "string"
+ type = string
 description = "The ACM secondary cert domain name to find the ARN of"
 default = ""
 }
 variable "elb_public_internal_certname" {
- type = "string"
+ type = string
 description = "The ACM secondary cert domain name to find the ARN of"
 }
 variable "app_stackname" {
- type = "string"
+ type = string
 description = "Stackname of the app projects in this environment"
 default = "blue"
 }
 variable "enable_lb_app_healthchecks" {
- type = "string"
+ type = string
 description = "Use application specific target groups and healthchecks based on the list of services in the cname variable."
 default = false
 }
 variable "apt_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "apt_public_service_cnames" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "ckan_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "ckan_public_service_cnames" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "content_data_api_db_admin_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "content_data_api_postgresql_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "deploy_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "graphite_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "prometheus_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "jumpbox_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "licensify_frontend_internal_service_cnames" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "licensify_frontend_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "licensify_frontend_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "licensify_frontend_public_service_cnames" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "licensify_backend_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "licensify_backend_elb_public_certname" {
- type = "string"
+ type = string
 description = "Domain name (CN) of the ACM cert to use for licensify_backend."
 }
 variable "monitoring_public_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "apt_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "backend_redis_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "ckan_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "ckan_internal_service_cnames" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "db_admin_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "deploy_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "docker_management_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "elasticsearch6_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "graphite_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "prometheus_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "mongo_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "monitoring_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "monitoring_internal_service_names_cname_dest" {
 description = "This variable specifies the CNAME record destination to be associated with the service names defined in monitoring_internal_service_names"
- type = "string"
+ type = string
 default = "alert"
 }
 variable "puppetmaster_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "rabbitmq_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "rate_limit_redis_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "router_backend_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "search_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "search_internal_service_cnames" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "transition_db_admin_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "transition_postgresql_internal_service_names" {
- type = "list"
+ type = list(string)
 default = []
 }
 variable "waf_logs_hec_endpoint" {
 description = "Splunk endpoint for shipping application firewall logs"
- type = "string"
+ type = string
 }
 variable "waf_logs_hec_token" {
 description = "Splunk token for shipping application firewall logs"
- type = "string"
+ type = string
 }
 # Resources
@@ -266,7 +266,7 @@ terraform {
 }
 provider "aws" {
- region = "${var.aws_region}"
+ region = var.aws_region
 }
 provider "archive" {
@@ -279,8 +279,8 @@ provider "archive" {
 #
 resource "aws_route53_record" "apt_internal_service_names" {
- count = "${length(var.apt_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.apt_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.apt_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.apt_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
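Review bot: `waf_logs_hec_token` is a Splunk credential, but its new declaration only swaps `type = "string"` for `type = string`; if this project runs on Terraform 0.14 or later, add `sensitive = true` beside the type so the value is redacted from plan and apply output rather than printed whenever the variable is shown. In the same hunk `enable_lb_app_healthchecks` keeps `type = string` while its default is `false`, so now that types are first-class `type = bool` would reject a mistyped value instead of coercing it to a string. The `*_service_names` and `*_service_cnames` variables still have no `description`, which is why the README table shows `n/a` for all of them; a one-line description per variable, e.g. `description = "Hostnames to create in the root DNS zone for this service"`, would make the generated table useful.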
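Review bot: `count = length(var.apt_internal_service_names)` keeps each record keyed by list position, so removing one hostname from the middle of the list re-addresses every record after it and Terraform will plan destroy-and-recreate for live CNAMEs. With the variable now typed `list(string)`, `for_each = toset(var.apt_internal_service_names)` with `each.value` replacing `element(var.apt_internal_service_names, count.index)` in `name` and `records` gives each record a stable address; this applies equally to every other `aws_route53_record` hunk in this file (backend_redis, ckan, content_data_api, db_admin, deploy, docker_management, elasticsearch6 and the public `_service_names` / `_service_cnames` records). Because resource addresses change, the switch needs a one-off state move per existing record before apply, so it is worth doing as its own change rather than folding into this syntax migration.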
@@ -292,8 +292,8 @@ resource "aws_route53_record" "apt_internal_service_names" {
 #
 resource "aws_route53_record" "backend_redis_internal_service_names" {
- count = "${length(var.backend_redis_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.backend_redis_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.backend_redis_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.backend_redis_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -308,34 +308,34 @@ module "ckan_public_lb" {
 source = "../../modules/aws/lb"
 name = "${var.stackname}-ckan-public"
 internal = false
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
- access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
+ access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id
 access_logs_bucket_prefix = "elb/${var.stackname}-ckan-public-elb"
- listener_certificate_domain_name = "${var.elb_public_certname}"
- listener_secondary_certificate_domain_name = "${var.elb_public_secondary_certname}"
- listener_action = "${map("HTTPS:443", "HTTP:80")}"
+ listener_certificate_domain_name = var.elb_public_certname
+ listener_secondary_certificate_domain_name = var.elb_public_secondary_certname
+ listener_action = map("HTTPS:443", "HTTP:80")
 subnets = data.terraform_remote_state.infra_networking.outputs.public_subnet_ids
 security_groups = ["${data.terraform_remote_state.infra_security_groups.outputs.sg_ckan_elb_external_id}"]
 alarm_actions = ["${data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn}"]
- default_tags = "${map("Project", var.stackname, "aws_migration", "ckan", "aws_environment", var.aws_environment)}"
+ default_tags = map("Project", var.stackname, "aws_migration", "ckan", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Public Networking")
 }
 resource "aws_route53_record" "ckan_public_service_names" {
- count = "${length(var.ckan_public_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}"
+ count = length(var.ckan_public_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id
 name = "${element(var.ckan_public_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}"
 type = "A"
 alias {
- name = "${module.ckan_public_lb.lb_dns_name}"
- zone_id = "${module.ckan_public_lb.lb_zone_id}"
+ name = module.ckan_public_lb.lb_dns_name
+ zone_id = module.ckan_public_lb.lb_zone_id
 evaluate_target_health = true
 }
 }
 resource "aws_route53_record" "ckan_public_service_cnames" {
- count = "${length(var.ckan_public_service_cnames)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}"
+ count = length(var.ckan_public_service_cnames)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id
 name = "${element(var.ckan_public_service_cnames, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.ckan_public_service_names, 0)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}"]
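Review bot: The new `listener_action` and `default_tags` lines still build their maps with the `map()` function, which Terraform deprecated in 0.12 alongside the interpolation syntax this commit removes and which later releases (0.15 onward) no longer accept, so the migration is left half-done on the lines it touches. A literal object with one key per line also makes the seven tags readable and reviewable, which matters now that `Owner` and `System` are being introduced as the values that ownership and cost reports will key on. The same rewrite applies to the `deploy_public_lb`, `graphite_public_lb` and `prometheus_public_lb` hunks below.
```hcl
module "ckan_public_lb" {
  # … unchanged: source, name, internal, vpc_id, access_logs_*, listener_*certificate_domain_name …
  listener_action = { "HTTPS:443" = "HTTP:80" }
  # … unchanged: subnets, security_groups, alarm_actions …
  default_tags = {
    Project         = var.stackname
    aws_migration   = "ckan"
    aws_environment = var.aws_environment
    Environment     = var.aws_environment
    Product         = "GOVUK"
    Owner           = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
    System          = "Public Networking"
  }
}
```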
@@ -355,14 +355,14 @@ data "aws_autoscaling_groups" "ckan" {
 }
 resource "aws_autoscaling_attachment" "ckan_asg_attachment_alb" {
- count = "${length(data.aws_autoscaling_groups.ckan.names) > 0 ? 1 : 0}"
- autoscaling_group_name = "${element(data.aws_autoscaling_groups.ckan.names, 0)}"
- alb_target_group_arn = "${element(module.ckan_public_lb.target_group_arns, 0)}"
+ count = length(data.aws_autoscaling_groups.ckan.names) > 0 ? 1 : 0
+ autoscaling_group_name = element(data.aws_autoscaling_groups.ckan.names, 0)
+ alb_target_group_arn = element(module.ckan_public_lb.target_group_arns, 0)
 }
 resource "aws_route53_record" "ckan_internal_service_names" {
- count = "${length(var.ckan_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.ckan_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.ckan_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.ckan_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -370,8 +370,8 @@ resource "aws_route53_record" "ckan_internal_service_names" {
 }
 resource "aws_route53_record" "ckan_internal_service_cnames" {
- count = "${length(var.ckan_internal_service_cnames)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.ckan_internal_service_cnames)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.ckan_internal_service_cnames, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.ckan_internal_service_names, 0)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -383,8 +383,8 @@ resource "aws_route53_record" "ckan_internal_service_cnames" {
 #
 resource "aws_route53_record" "content_data_api_db_admin_internal_service_names" {
- count = "${length(var.content_data_api_db_admin_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.content_data_api_db_admin_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.content_data_api_db_admin_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.content_data_api_db_admin_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -396,8 +396,8 @@ resource "aws_route53_record" "content_data_api_db_admin_internal_service_names"
 #
 resource "aws_route53_record" "content_data_api_postgresql_internal_service_names" {
- count = "${length(var.content_data_api_postgresql_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.content_data_api_postgresql_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.content_data_api_postgresql_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.content_data_api_postgresql_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -407,8 +407,8 @@ resource "aws_route53_record" "content_data_api_postgresql_internal_service_name
 # Db-admin
 resource "aws_route53_record" "db_admin_internal_service_names" {
- count = "${length(var.db_admin_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.db_admin_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.db_admin_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.db_admin_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -421,27 +421,27 @@ module "deploy_public_lb" {
 source = "../../modules/aws/lb"
 name = "${var.stackname}-deploy-public"
 internal = false
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
- access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
+ access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id
 access_logs_bucket_prefix = "elb/${var.stackname}-deploy-public-elb"
- listener_certificate_domain_name = "${var.elb_public_certname}"
- listener_secondary_certificate_domain_name = "${var.elb_public_secondary_certname}"
- listener_action = "${map("HTTPS:443", "HTTP:80")}"
+ listener_certificate_domain_name = var.elb_public_certname
+ listener_secondary_certificate_domain_name = var.elb_public_secondary_certname
+ listener_action = map("HTTPS:443", "HTTP:80")
 subnets = data.terraform_remote_state.infra_networking.outputs.public_subnet_ids
 security_groups = ["${data.terraform_remote_state.infra_security_groups.outputs.sg_deploy_elb_id}"]
 alarm_actions = ["${data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn}"]
- default_tags = "${map("Project", var.stackname, "aws_migration", "deploy", "aws_environment", var.aws_environment)}"
+ default_tags = map("Project", var.stackname, "aws_migration", "deploy", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Public Networking")
 }
 resource "aws_route53_record" "deploy_public_service_names" {
- count = "${length(var.deploy_public_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}"
+ count = length(var.deploy_public_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id
 name = "${element(var.deploy_public_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}"
 type = "A"
 alias {
- name = "${module.deploy_public_lb.lb_dns_name}"
- zone_id = "${module.deploy_public_lb.lb_zone_id}"
+ name = module.deploy_public_lb.lb_dns_name
+ zone_id = module.deploy_public_lb.lb_zone_id
 evaluate_target_health = true
 }
 }
@@ -459,14 +459,14 @@ data "aws_autoscaling_groups" "deploy" {
 }
 resource "aws_autoscaling_attachment" "deploy_asg_attachment_alb" {
- count = "${length(data.aws_autoscaling_groups.deploy.names) > 0 ? 1 : 0}"
- autoscaling_group_name = "${element(data.aws_autoscaling_groups.deploy.names, 0)}"
- alb_target_group_arn = "${element(module.deploy_public_lb.target_group_arns, 0)}"
+ count = length(data.aws_autoscaling_groups.deploy.names) > 0 ? 1 : 0
+ autoscaling_group_name = element(data.aws_autoscaling_groups.deploy.names, 0)
+ alb_target_group_arn = element(module.deploy_public_lb.target_group_arns, 0)
 }
 resource "aws_route53_record" "deploy_internal_service_names" {
- count = "${length(var.deploy_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.deploy_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.deploy_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.deploy_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -478,8 +478,8 @@ resource "aws_route53_record" "deploy_internal_service_names" {
 #
 resource "aws_route53_record" "docker_management_internal_service_names" {
- count = "${length(var.docker_management_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.docker_management_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.docker_management_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.docker_management_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -491,8 +491,8 @@ resource "aws_route53_record" "docker_management_internal_service_names" {
 #
 resource "aws_route53_record" "elasticsearch6_internal_service_names" {
- count = "${length(var.elasticsearch6_internal_service_names)}"
- zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}"
+ count = length(var.elasticsearch6_internal_service_names)
+ zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 name = "${element(var.elasticsearch6_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"
 type = "CNAME"
 records = ["${element(var.elasticsearch6_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"]
@@ -507,16 +507,16 @@ module "graphite_public_lb" { source = "../../modules/aws/lb" name = "${var.stackname}-graphite-public" internal = false - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id access_logs_bucket_prefix = "elb/${var.stackname}-graphite-public-elb" - listener_certificate_domain_name = "${var.elb_public_certname}" - listener_secondary_certificate_domain_name = "${var.elb_public_secondary_certname}" - listener_action = "${map("HTTPS:443", "HTTP:80")}" + listener_certificate_domain_name = var.elb_public_certname + listener_secondary_certificate_domain_name = var.elb_public_secondary_certname + listener_action = map("HTTPS:443", "HTTP:80") subnets = data.terraform_remote_state.infra_networking.outputs.public_subnet_ids security_groups = ["${data.terraform_remote_state.infra_security_groups.outputs.sg_graphite_external_elb_id}"] alarm_actions = ["${data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn}"] - default_tags = "${map("Project", var.stackname, "aws_migration", "graphite", "aws_environment", var.aws_environment)}" + default_tags = map("Project", var.stackname, "aws_migration", "graphite", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Graphite") } # 
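Review bot: The rewritten `listener_action = map("HTTPS:443", "HTTP:80")` and `default_tags = map(...)` lines keep the `map()` function, which Terraform 0.12 deprecates and 0.13 removes, so this module call will fail on the upgrade that the rest of this commit's syntax conversion is preparing for; the object literal `listener_action = { "HTTPS:443" = "HTTP:80" }` carries the same value. The `Owner`, `Product` and `Environment` values are now repeated verbatim in every LB module call in this file, which is how the `System` tag in the next hunk ended up copied from here, so a single `locals` block merged into each `default_tags` would give one place to change the contact address and keep the per-service tags from drifting. `security_groups` and `alarm_actions` on this hunk also still wrap a single interpolation in quotes, which the same commit removes elsewhere.

```hcl
# Ownership tags shared by every load balancer in this project, declared once.
locals {
  common_tags = {
    Environment = var.aws_environment
    Product     = "GOVUK"
    Owner       = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
  }
}

module "graphite_public_lb" {
  # … unchanged: source, name, internal, vpc_id, access-log and certificate settings …
  listener_action = { "HTTPS:443" = "HTTP:80" }
  # … unchanged: subnets, security_groups, alarm_actions …
  default_tags = merge(local.common_tags, {
    Project         = var.stackname
    aws_migration   = "graphite"
    aws_environment = var.aws_environment
    System          = "Graphite"
  })
}
```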
@@ -539,41 +539,41 @@ module "prometheus_public_lb" { source = "../../modules/aws/lb" name = "${var.stackname}-prometheus-public" internal = false - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id access_logs_bucket_prefix = "elb/${var.stackname}-prometheus-public-elb" - listener_certificate_domain_name = "${var.elb_public_certname}" - listener_secondary_certificate_domain_name = "${var.elb_public_secondary_certname}" - listener_action = "${map("HTTPS:443", "HTTP:80")}" + listener_certificate_domain_name = var.elb_public_certname + listener_secondary_certificate_domain_name = var.elb_public_secondary_certname + listener_action = map("HTTPS:443", "HTTP:80") subnets = data.terraform_remote_state.infra_networking.outputs.public_subnet_ids security_groups = ["${data.terraform_remote_state.infra_security_groups.outputs.sg_prometheus_external_elb_id}"] alarm_actions = ["${data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn}"] - default_tags = "${map("Project", var.stackname, "aws_migration", "prometheus", "aws_environment", var.aws_environment)}" + default_tags = map("Project", var.stackname, "aws_migration", "prometheus", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Graphite") target_group_health_check_path = "/-/ready" } resource "aws_route53_record" "prometheus_public_service_names" { - count = "${length(var.prometheus_public_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}" + count = length(var.prometheus_public_service_names) + zone_id = 
data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id name = "${element(var.prometheus_public_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}" type = "A" alias { - name = "${module.prometheus_public_lb.lb_dns_name}" - zone_id = "${module.prometheus_public_lb.lb_zone_id}" + name = module.prometheus_public_lb.lb_dns_name + zone_id = module.prometheus_public_lb.lb_zone_id evaluate_target_health = true } } resource "aws_autoscaling_attachment" "prometheus_asg_attachment_alb" { - count = "${length(data.aws_autoscaling_groups.prometheus.names) > 0 ? 1 : 0}" - autoscaling_group_name = "${element(data.aws_autoscaling_groups.prometheus.names, 0)}" - alb_target_group_arn = "${element(module.prometheus_public_lb.target_group_arns, 0)}" + count = length(data.aws_autoscaling_groups.prometheus.names) > 0 ? 1 : 0 + autoscaling_group_name = element(data.aws_autoscaling_groups.prometheus.names, 0) + alb_target_group_arn = element(module.prometheus_public_lb.target_group_arns, 0) } resource "aws_route53_record" "prometheus_internal_service_names" { - count = "${length(var.prometheus_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.prometheus_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.prometheus_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.prometheus_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] 
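Review bot: The new `default_tags` line on the prometheus load balancer sets `"System", "Graphite"`, which reads as a copy-paste from the graphite module in the previous hunk; every other new tag set in this commit names its own service, so it should be `"System", "Prometheus"`. If the `System` and `Owner` tags are what cost attribution and on-call routing key on, as the added `Owner` address suggests, a Prometheus ALB tagged as Graphite will be misattributed in exactly the situations the tagging is meant for. The `map()` call itself is deprecated in Terraform 0.12 and removed in 0.13, so an object literal would be safer for the next upgrade. The module's opening line sits just before this hunk.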
@@ -585,14 +585,14 @@ resource "aws_route53_record" "prometheus_internal_service_names" { # resource "aws_route53_record" "graphite_public_service_names" { - count = "${length(var.graphite_public_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}" + count = length(var.graphite_public_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id name = "${element(var.graphite_public_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}" type = "A" alias { - name = "${module.graphite_public_lb.lb_dns_name}" - zone_id = "${module.graphite_public_lb.lb_zone_id}" + name = module.graphite_public_lb.lb_dns_name + zone_id = module.graphite_public_lb.lb_zone_id evaluate_target_health = true } } 
@@ -610,14 +610,14 @@ data "aws_autoscaling_groups" "graphite" { } resource "aws_autoscaling_attachment" "graphite_asg_attachment_alb" { - count = "${length(data.aws_autoscaling_groups.graphite.names) > 0 ? 1 : 0}" - autoscaling_group_name = "${element(data.aws_autoscaling_groups.graphite.names, 0)}" - alb_target_group_arn = "${element(module.graphite_public_lb.target_group_arns, 0)}" + count = length(data.aws_autoscaling_groups.graphite.names) > 0 ? 1 : 0 + autoscaling_group_name = element(data.aws_autoscaling_groups.graphite.names, 0) + alb_target_group_arn = element(module.graphite_public_lb.target_group_arns, 0) } resource "aws_route53_record" "graphite_internal_service_names" { - count = "${length(var.graphite_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.graphite_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.graphite_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.graphite_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] @@ -635,7 +635,7 @@ resource "aws_elb" "jumpbox_public_elb" { internal = "false" access_logs { - bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id bucket_prefix = "elb/${var.stackname}-jumpbox-public-elb" interval = 60 } 
@@ -660,18 +660,18 @@ resource "aws_elb" "jumpbox_public_elb" { connection_draining = true connection_draining_timeout = 400 - tags = "${map("Name", "${var.stackname}-jumpbox", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jumpbox")}" + tags = map("Name", "${var.stackname}-jumpbox", "Project", var.stackname, "aws_environment", var.aws_environment, "aws_migration", "jumpbox", "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Jumpbox") } resource "aws_route53_record" "jumpbox_public_service_names" { - count = "${length(var.jumpbox_public_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}" + count = length(var.jumpbox_public_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id name = "${element(var.jumpbox_public_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}" type = "A" alias { - name = "${aws_elb.jumpbox_public_elb.dns_name}" - zone_id = "${aws_elb.jumpbox_public_elb.zone_id}" + name = aws_elb.jumpbox_public_elb.dns_name + zone_id = aws_elb.jumpbox_public_elb.zone_id evaluate_target_health = true } } 
@@ -689,16 +689,16 @@ data "aws_autoscaling_groups" "jumpbox" { } resource "aws_autoscaling_attachment" "jumpbox_asg_attachment_elb" { - count = "${length(data.aws_autoscaling_groups.jumpbox.names) > 0 ? 1 : 0}" - autoscaling_group_name = "${element(data.aws_autoscaling_groups.jumpbox.names, 0)}" - elb = "${aws_elb.jumpbox_public_elb.id}" + count = length(data.aws_autoscaling_groups.jumpbox.names) > 0 ? 1 : 0 + autoscaling_group_name = element(data.aws_autoscaling_groups.jumpbox.names, 0) + elb = aws_elb.jumpbox_public_elb.id } module "alarms-elb-jumpbox-public" { source = "../../modules/aws/alarms/elb" name_prefix = "${var.stackname}-jumpbox" alarm_actions = ["${data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn}"] - elb_name = "${aws_elb.jumpbox_public_elb.name}" + elb_name = aws_elb.jumpbox_public_elb.name httpcode_backend_4xx_threshold = "0" httpcode_backend_5xx_threshold = "0" httpcode_elb_4xx_threshold = "0" @@ -717,11 +717,11 @@ module "licensify_frontend_public_lb" { source = "../../modules/aws/lb" name = "${var.stackname}-licensify-frontend-public" internal = false - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id access_logs_bucket_prefix = "elb/${var.stackname}-licensify-frontend-public-elb" - listener_certificate_domain_name = "${var.elb_public_certname}" - listener_secondary_certificate_domain_name = "${var.elb_public_secondary_certname}" + listener_certificate_domain_name = var.elb_public_certname + listener_secondary_certificate_domain_name = var.elb_public_secondary_certname target_group_health_check_path = "/api/licences" listener_action = { 
@@ -736,11 +736,15 @@ module "licensify_frontend_public_lb" { Project = "${var.stackname}" aws_migration = "licensify-frontend" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Licensify" } } resource "aws_lb_listener" "licensify_frontend_public_http_80" { - load_balancer_arn = "${module.licensify_frontend_public_lb.lb_id}" + load_balancer_arn = module.licensify_frontend_public_lb.lb_id port = "80" protocol = "HTTP" 
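Review bot: The four added tag lines use the legacy quoted-interpolation form `Environment = "${var.aws_environment}"` while the rest of this commit converts such values to bare references, as the `load_balancer_arn = module.licensify_frontend_public_lb.lb_id` change a few lines below shows; `Environment = var.aws_environment` keeps the new lines consistent and avoids the interpolation-only-expression warning from `terraform validate` on 0.12 and later. The neighbouring `Project` and `aws_environment` lines have the same form and could be converted in the same pass, and the `licensify_backend_public_lb` tag block in a later hunk repeats the pattern. The `default_tags` map these lines land in opens before this hunk.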
@@ -756,21 +760,21 @@ resource "aws_lb_listener" "licensify_frontend_public_http_80" { } resource "aws_route53_record" "licensify_frontend_public_service_names" { - count = "${length(var.licensify_frontend_public_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}" + count = length(var.licensify_frontend_public_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id name = "${element(var.licensify_frontend_public_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}" type = "A" alias { - name = "${module.licensify_frontend_public_lb.lb_dns_name}" - zone_id = "${module.licensify_frontend_public_lb.lb_zone_id}" + name = module.licensify_frontend_public_lb.lb_dns_name + zone_id = module.licensify_frontend_public_lb.lb_zone_id evaluate_target_health = true } } resource "aws_route53_record" "licensify_frontend_public_service_cnames" { - count = "${length(var.licensify_frontend_public_service_cnames)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}" + count = length(var.licensify_frontend_public_service_cnames) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id name = "${element(var.licensify_frontend_public_service_cnames, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}" type = "CNAME" records = ["${element(var.licensify_frontend_public_service_names, 0)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}"] 
@@ -790,14 +794,14 @@ data "aws_autoscaling_groups" "licensify_frontend" { } resource "aws_autoscaling_attachment" "licensify_frontend_asg_attachment_alb" { - count = "${length(data.aws_autoscaling_groups.licensify_frontend.names) > 0 ? 1 : 0}" - autoscaling_group_name = "${element(data.aws_autoscaling_groups.licensify_frontend.names, 0)}" - alb_target_group_arn = "${element(module.licensify_frontend_public_lb.target_group_arns, 0)}" + count = length(data.aws_autoscaling_groups.licensify_frontend.names) > 0 ? 1 : 0 + autoscaling_group_name = element(data.aws_autoscaling_groups.licensify_frontend.names, 0) + alb_target_group_arn = element(module.licensify_frontend_public_lb.target_group_arns, 0) } resource "aws_route53_record" "licensify_frontend_internal_service_names" { - count = "${length(var.licensify_frontend_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.licensify_frontend_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.licensify_frontend_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.licensify_frontend_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] 
@@ -805,8 +809,8 @@ resource "aws_route53_record" "licensify_frontend_internal_service_names" { } resource "aws_route53_record" "licensify_frontend_internal_service_cnames" { - count = "${length(var.licensify_frontend_internal_service_cnames)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.licensify_frontend_internal_service_cnames) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.licensify_frontend_internal_service_cnames, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.licensify_frontend_internal_service_names, 0)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] @@ -821,10 +825,10 @@ module "licensify_backend_public_lb" { source = "../../modules/aws/lb" name = "licensify-backend-public" internal = false - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id access_logs_bucket_prefix = "elb/licensify-backend-public-elb" - listener_certificate_domain_name = "${var.licensify_backend_elb_public_certname}" + listener_certificate_domain_name = var.licensify_backend_elb_public_certname target_group_health_check_path = "/healthcheck" listener_action = { 
@@ -839,13 +843,17 @@ module "licensify_backend_public_lb" { Project = "${var.stackname}" aws_migration = "licensify_backend" aws_environment = "${var.aws_environment}" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Licensify" } } # Listener for licensify-admin HTTP-to-HTTPS redirect. Does not forward any # traffic, only serves redirects directly from the ALB. resource "aws_lb_listener" "licensify_backend_http_80" { - load_balancer_arn = "${module.licensify_backend_public_lb.lb_id}" + load_balancer_arn = module.licensify_backend_public_lb.lb_id port = "80" protocol = "HTTP" @@ -861,14 +869,14 @@ resource "aws_lb_listener" "licensify_backend_http_80" { } resource "aws_route53_record" "licensify_backend_public_service_names" { - count = "${length(var.licensify_backend_public_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}" + count = length(var.licensify_backend_public_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id name = "${element(var.licensify_backend_public_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}" type = "A" alias { - name = "${module.licensify_backend_public_lb.lb_dns_name}" - zone_id = "${module.licensify_backend_public_lb.lb_zone_id}" + name = module.licensify_backend_public_lb.lb_dns_name + zone_id = module.licensify_backend_public_lb.lb_zone_id evaluate_target_health = true } } 
@@ -886,9 +894,9 @@ data "aws_autoscaling_groups" "licensify_backend" { } resource "aws_autoscaling_attachment" "licensify_backend_asg_attachment_alb" { - count = "${length(data.aws_autoscaling_groups.licensify_backend.names) > 0 ? 1 : 0}" - autoscaling_group_name = "${element(data.aws_autoscaling_groups.licensify_backend.names, 0)}" - alb_target_group_arn = "${element(module.licensify_backend_public_lb.target_group_arns, 0)}" + count = length(data.aws_autoscaling_groups.licensify_backend.names) > 0 ? 1 : 0 + autoscaling_group_name = element(data.aws_autoscaling_groups.licensify_backend.names, 0) + alb_target_group_arn = element(module.licensify_backend_public_lb.target_group_arns, 0) } # @@ -896,8 +904,8 @@ resource "aws_autoscaling_attachment" "licensify_backend_asg_attachment_alb" { # resource "aws_route53_record" "mongo_internal_service_names" { - count = "${length(var.mongo_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.mongo_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.mongo_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.mongo_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] 
@@ -912,27 +920,27 @@ module "monitoring_public_lb" { source = "../../modules/aws/lb" name = "${var.stackname}-monitoring-public" internal = false - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" - access_logs_bucket_name = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id + access_logs_bucket_name = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id access_logs_bucket_prefix = "elb/${var.stackname}-monitoring-public-elb" - listener_certificate_domain_name = "${var.elb_public_certname}" - listener_secondary_certificate_domain_name = "${var.elb_public_secondary_certname}" - listener_action = "${map("HTTPS:443", "HTTP:80")}" + listener_certificate_domain_name = var.elb_public_certname + listener_secondary_certificate_domain_name = var.elb_public_secondary_certname + listener_action = map("HTTPS:443", "HTTP:80") subnets = data.terraform_remote_state.infra_networking.outputs.public_subnet_ids security_groups = ["${data.terraform_remote_state.infra_security_groups.outputs.sg_monitoring_external_elb_id}"] alarm_actions = ["${data.terraform_remote_state.infra_monitoring.outputs.sns_topic_cloudwatch_alarms_arn}"] - default_tags = "${map("Project", var.stackname, "aws_migration", "monitoring", "aws_environment", var.aws_environment)}" + default_tags = map("Project", var.stackname, "aws_migration", "monitoring", "aws_environment", var.aws_environment, "Environment", var.aws_environment, "Product", "GOVUK", "Owner", "govuk-replatforming-team@digital.cabinet-office.gov.uk", "System", "Monitoring") } resource "aws_route53_record" "monitoring_public_service_names" { - count = "${length(var.monitoring_public_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id}" + count = length(var.monitoring_public_service_names) + zone_id = 
data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_zone_id name = "${element(var.monitoring_public_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.external_root_domain_name}" type = "A" alias { - name = "${module.monitoring_public_lb.lb_dns_name}" - zone_id = "${module.monitoring_public_lb.lb_zone_id}" + name = module.monitoring_public_lb.lb_dns_name + zone_id = module.monitoring_public_lb.lb_zone_id evaluate_target_health = true } } @@ -950,14 +958,14 @@ data "aws_autoscaling_groups" "monitoring" { } resource "aws_autoscaling_attachment" "monitoring_asg_attachment_alb" { - count = "${length(data.aws_autoscaling_groups.monitoring.names) > 0 ? 1 : 0}" - autoscaling_group_name = "${element(data.aws_autoscaling_groups.monitoring.names, 0)}" - alb_target_group_arn = "${element(module.monitoring_public_lb.target_group_arns, 0)}" + count = length(data.aws_autoscaling_groups.monitoring.names) > 0 ? 1 : 0 + autoscaling_group_name = element(data.aws_autoscaling_groups.monitoring.names, 0) + alb_target_group_arn = element(module.monitoring_public_lb.target_group_arns, 0) } resource "aws_route53_record" "monitoring_internal_service_names" { - count = "${length(var.monitoring_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.monitoring_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.monitoring_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${var.monitoring_internal_service_names_cname_dest}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] 
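Review bot: `security_groups = ["${data.terraform_remote_state.infra_security_groups.outputs.sg_monitoring_external_elb_id}"]` and `alarm_actions = ["${...sns_topic_cloudwatch_alarms_arn}"]` are left in the old quoted-interpolation form while every other attribute of `module "monitoring_public_lb"` in this hunk is converted to a bare reference; `security_groups = [data.terraform_remote_state.infra_security_groups.outputs.sg_monitoring_external_elb_id]` is the equivalent and is what `terraform 0.12upgrade` would have emitted. The same two lines survive unchanged in the graphite, prometheus and licensify module calls earlier in this file, so the conversion is incomplete rather than deliberate. The `security_groups` value is the only thing gating public access to this ALB, so it is worth keeping that line in the same style as the rest so a later mechanical cleanup does not touch it in isolation. The module's opening line sits just before this hunk.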
@@ -969,8 +977,8 @@ resource "aws_route53_record" "monitoring_internal_service_names" { # resource "aws_route53_record" "puppetmaster_internal_service_names" { - count = "${length(var.puppetmaster_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.puppetmaster_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.puppetmaster_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.puppetmaster_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] @@ -982,8 +990,8 @@ resource "aws_route53_record" "puppetmaster_internal_service_names" { # resource "aws_route53_record" "rabbitmq_internal_service_names" { - count = "${length(var.rabbitmq_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.rabbitmq_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.rabbitmq_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.rabbitmq_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] 
@@ -995,8 +1003,8 @@ resource "aws_route53_record" "rabbitmq_internal_service_names" { # resource "aws_route53_record" "rate_limit_redis_internal_service_names" { - count = "${length(var.rate_limit_redis_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.rate_limit_redis_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.rate_limit_redis_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.rate_limit_redis_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] @@ -1008,8 +1016,8 @@ resource "aws_route53_record" "rate_limit_redis_internal_service_names" { # resource "aws_route53_record" "router_backend_internal_service_names" { - count = "${length(var.router_backend_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.router_backend_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.router_backend_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.router_backend_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] 
@@ -1033,8 +1041,8 @@ data "aws_autoscaling_groups" "search" { } resource "aws_route53_record" "search_internal_service_names" { - count = "${length(var.search_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.search_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.search_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.search_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] @@ -1042,8 +1050,8 @@ resource "aws_route53_record" "search_internal_service_names" { } resource "aws_route53_record" "search_internal_service_cnames" { - count = "${length(var.search_internal_service_cnames)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.search_internal_service_cnames) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.search_internal_service_cnames, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.search_internal_service_names, 0)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] 
@@ -1055,8 +1063,8 @@ resource "aws_route53_record" "search_internal_service_cnames" { # resource "aws_route53_record" "transition_db_admin_internal_service_names" { - count = "${length(var.transition_db_admin_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.transition_db_admin_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.transition_db_admin_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.transition_db_admin_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] @@ -1068,8 +1076,8 @@ resource "aws_route53_record" "transition_db_admin_internal_service_names" { # resource "aws_route53_record" "transition_postgresql_internal_service_names" { - count = "${length(var.transition_postgresql_internal_service_names)}" - zone_id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}" + count = length(var.transition_postgresql_internal_service_names) + zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id name = "${element(var.transition_postgresql_internal_service_names, count.index)}.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}" type = "CNAME" records = ["${element(var.transition_postgresql_internal_service_names, count.index)}.blue.${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_domain_name}"] 
@@ -1080,41 +1088,41 @@ resource "aws_route53_record" "transition_postgresql_internal_service_names" { # --------------------- output "kinesis_firehose_splunk_arn" { - value = "${aws_kinesis_firehose_delivery_stream.splunk.arn}" + value = aws_kinesis_firehose_delivery_stream.splunk.arn description = "The ARN of the splunk endpoint of the kinesis firehose stream" } output "ckan_public_lb_id" { - value = "${module.ckan_public_lb.lb_id}" + value = module.ckan_public_lb.lb_id description = "The ID of the ckan_public load balancer" } output "deploy_public_lb_id" { - value = "${module.deploy_public_lb.lb_id}" + value = module.deploy_public_lb.lb_id description = "The ID of the deploy_public load balancer" } output "graphite_public_lb_id" { - value = "${module.graphite_public_lb.lb_id}" + value = module.graphite_public_lb.lb_id description = "The ID of the graphite_public load balancer" } output "prometheus_public_lb_id" { - value = "${module.prometheus_public_lb.lb_id}" + value = module.prometheus_public_lb.lb_id description = "The ID of the prometheus_public load balancer" } output "licensify_frontend_public_lb_id" { - value = "${module.licensify_frontend_public_lb.lb_id}" + value = module.licensify_frontend_public_lb.lb_id description = "The ID of the licensify_frontend_public_lb load balancer" } output "licensify_backend_public_lb_id" { - value = "${module.licensify_backend_public_lb.lb_id}" + value = module.licensify_backend_public_lb.lb_id description = "The ID of the licensify_backend_public load balancer" } output "monitoring_public_lb_id" { - value = "${module.monitoring_public_lb.lb_id}" + value = module.monitoring_public_lb.lb_id description = "The ID of the monitoring_public load balancer" } diff --git a/terraform/projects/infra-public-services/remote_state.tf b/terraform/projects/infra-public-services/remote_state.tf index 224120830..9663ef63f 100644 --- a/terraform/projects/infra-public-services/remote_state.tf 
+++ b/terraform/projects/infra-public-services/remote_state.tf @@ -7,42 +7,42 @@ */ variable "remote_state_bucket" { - type = "string" + type = string description = "S3 bucket we store our terraform state in" } variable "remote_state_infra_vpc_key_stack" { - type = "string" + type = string description = "Override infra_vpc remote state path" default = "" } variable "remote_state_infra_networking_key_stack" { - type = "string" + type = string description = "Override infra_networking remote state path" default = "" } variable "remote_state_infra_security_groups_key_stack" { - type = "string" + type = string description = "Override infra_security_groups stackname path to infra_vpc remote state " default = "" } variable "remote_state_infra_root_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_root_dns_zones remote state " default = "" } variable "remote_state_infra_stack_dns_zones_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_stack_dns_zones remote state " default = "" } variable "remote_state_infra_monitoring_key_stack" { - type = "string" + type = string description = "Override stackname path to infra_monitoring remote state " default = "" } diff --git a/terraform/projects/infra-public-services/waf.tf b/terraform/projects/infra-public-services/waf.tf index 8766aa6fb..4fdbbc8ca 100644 --- a/terraform/projects/infra-public-services/waf.tf +++ b/terraform/projects/infra-public-services/waf.tf 
@@ -34,7 +34,7 @@ EOF resource "aws_iam_role_policy" "aws_waf_firehose" { name = "${var.aws_environment}-aws-waf-firehose" - role = "${aws_iam_role.aws_waf_firehose.id}" + role = aws_iam_role.aws_waf_firehose.id policy = < [aws\_environment](#input\_aws\_environment) | AWS Environment | `string` | n/a | yes | -| [aws\_integration\_external\_nat\_gateway\_ips](#input\_aws\_integration\_external\_nat\_gateway\_ips) | An array of public IPs of the AWS integration external NAT gateways. | `list` | `[]` | no | +| [aws\_integration\_external\_nat\_gateway\_ips](#input\_aws\_integration\_external\_nat\_gateway\_ips) | An array of public IPs of the AWS integration external NAT gateways. | `list(string)` | `[]` | no | | [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no | -| [aws\_staging\_external\_nat\_gateway\_ips](#input\_aws\_staging\_external\_nat\_gateway\_ips) | An array of public IPs of the AWS staging external NAT gateways. | `list` | `[]` | no | -| [gds\_egress\_ips](#input\_gds\_egress\_ips) | An array of CIDR blocks that will be allowed offsite access. | `list` | n/a | yes | -| [ithc\_access\_ips](#input\_ithc\_access\_ips) | An array of CIDR blocks that will be allowed temporary access for ITHC purposes. | `list` | `[]` | no | -| [paas\_ireland\_egress\_ips](#input\_paas\_ireland\_egress\_ips) | An array of CIDR blocks that are used for egress from the GOV.UK PaaS Ireland region | `list` | `[]` | no | -| [paas\_london\_egress\_ips](#input\_paas\_london\_egress\_ips) | An array of CIDR blocks that are used for egress from the GOV.UK PaaS London region | `list` | `[]` | no | +| [aws\_staging\_external\_nat\_gateway\_ips](#input\_aws\_staging\_external\_nat\_gateway\_ips) | An array of public IPs of the AWS staging external NAT gateways. | `list(string)` | `[]` | no | +| [gds\_egress\_ips](#input\_gds\_egress\_ips) | An array of CIDR blocks that will be allowed offsite access. 
| `list(string)` | n/a | yes | +| [ithc\_access\_ips](#input\_ithc\_access\_ips) | An array of CIDR blocks that will be allowed temporary access for ITHC purposes. | `list(string)` | `[]` | no | +| [paas\_ireland\_egress\_ips](#input\_paas\_ireland\_egress\_ips) | An array of CIDR blocks that are used for egress from the GOV.UK PaaS Ireland region | `list(string)` | `[]` | no | +| [paas\_london\_egress\_ips](#input\_paas\_london\_egress\_ips) | An array of CIDR blocks that are used for egress from the GOV.UK PaaS London region | `list(string)` | `[]` | no | | [remote\_state\_bucket](#input\_remote\_state\_bucket) | S3 bucket we store our terraform state in | `string` | n/a | yes | | [remote\_state\_infra\_networking\_key\_stack](#input\_remote\_state\_infra\_networking\_key\_stack) | Override infra\_networking remote state path | `string` | `""` | no | | [remote\_state\_infra\_vpc\_key\_stack](#input\_remote\_state\_infra\_vpc\_key\_stack) | Override infra\_vpc remote state path | `string` | `""` | no | | [stackname](#input\_stackname) | The name of the stack being built. Must be unique within the environment as it's used for disambiguation. | `string` | n/a | yes | -| [traffic\_replay\_ips](#input\_traffic\_replay\_ips) | An array of CIDR blocks that will replay traffic against an environment | `list` | n/a | yes | +| [traffic\_replay\_ips](#input\_traffic\_replay\_ips) | An array of CIDR blocks that will replay traffic against an environment | `list(string)` | n/a | yes | ## Outputs diff --git a/terraform/projects/infra-security-groups/apt.tf b/terraform/projects/infra-security-groups/apt.tf index b46b31c50..af3a14825 100644 --- a/terraform/projects/infra-security-groups/apt.tf +++ b/terraform/projects/infra-security-groups/apt.tf 
@@ -15,11 +15,15 @@ resource "aws_security_group" "apt" { name = "${var.stackname}_apt_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the apt host from its ELB" tags = { - Name = "${var.stackname}_apt_access" + Name = "${var.stackname}_apt_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Apt" } } @@ -30,10 +34,10 @@ resource "aws_security_group_rule" "apt_ingress_apt-external-elb_http" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.apt.id}" + security_group_id = aws_security_group.apt.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.apt_external_elb.id}" + source_security_group_id = aws_security_group.apt_external_elb.id } resource "aws_security_group_rule" "apt_ingress_apt-internal-elb_http" { @@ -43,15 +47,15 @@ resource "aws_security_group_rule" "apt_ingress_apt-internal-elb_http" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.apt.id}" + security_group_id = aws_security_group.apt.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.apt_internal_elb.id}" + source_security_group_id = aws_security_group.apt_internal_elb.id } resource "aws_security_group" "apt_external_elb" { name = "${var.stackname}_apt_external_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the apt External ELB" tags = { 
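Review bot: The new `Environment = "${var.aws_environment}"` tag on the apt security group still uses the quoted interpolation-only form that the rest of this commit is removing; Terraform 0.12+ reports it as deprecated and `terraform fmt` will not rewrite it, so it should read `Environment = var.aws_environment`. The same form appears in the new tag blocks for asset-master-efs, backend-redis and ci-master later in this patch. The other security groups in this file (apt_external_elb, apt_internal_elb, apt_ithc_access) have their `tags` bodies outside the visible hunks, so it cannot be confirmed from here whether they received the same Environment/Product/Owner/System set; if the aim is consistent ownership tagging for cost and incident attribution, it is worth checking that they did.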
@@ -65,7 +69,7 @@ resource "aws_security_group_rule" "apt-external-elb_ingress_office_https" { to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.apt_external_elb.id}" + security_group_id = aws_security_group.apt_external_elb.id cidr_blocks = var.gds_egress_ips } @@ -75,7 +79,7 @@ resource "aws_security_group_rule" "apt-external-elb_ingress_fastly_https" { to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.apt_external_elb.id}" + security_group_id = aws_security_group.apt_external_elb.id cidr_blocks = data.fastly_ip_ranges.fastly.cidr_blocks } @@ -85,7 +89,7 @@ resource "aws_security_group_rule" "apt-external-elb_ingress_fastly_http" { to_port = 80 protocol = "tcp" - security_group_id = "${aws_security_group.apt_external_elb.id}" + security_group_id = aws_security_group.apt_external_elb.id cidr_blocks = data.fastly_ip_ranges.fastly.cidr_blocks } @@ -95,12 +99,12 @@ resource "aws_security_group_rule" "apt-external-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.apt_external_elb.id}" + security_group_id = aws_security_group.apt_external_elb.id } resource "aws_security_group" "apt_internal_elb" { name = "${var.stackname}_apt_internal_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the apt Internal ELB" tags = { @@ -114,8 +118,8 @@ resource "aws_security_group_rule" "apt-internal-elb_ingress_management_https" { to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.apt_internal_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.apt_internal_elb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "apt-internal-elb_ingress_management_http" { 
@@ -124,8 +128,8 @@ resource "aws_security_group_rule" "apt-internal-elb_ingress_management_http" { to_port = 80 protocol = "tcp" - security_group_id = "${aws_security_group.apt_internal_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.apt_internal_elb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "apt-internal-elb_egress_any_any" { @@ -134,13 +138,13 @@ resource "aws_security_group_rule" "apt-internal-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.apt_internal_elb.id}" + security_group_id = aws_security_group.apt_internal_elb.id } resource "aws_security_group" "apt_ithc_access" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 name = "${var.stackname}_apt_ithc_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Control access to ITHC SSH" tags = { @@ -149,11 +153,11 @@ resource "aws_security_group" "apt_ithc_access" { } resource "aws_security_group_rule" "ithc_ingress_apt_ssh" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 type = "ingress" to_port = 22 from_port = 22 protocol = "tcp" - cidr_blocks = "${var.ithc_access_ips}" - security_group_id = "${aws_security_group.apt_ithc_access[0].id}" + cidr_blocks = var.ithc_access_ips + security_group_id = aws_security_group.apt_ithc_access[0].id } diff --git a/terraform/projects/infra-security-groups/asset-master.tf b/terraform/projects/infra-security-groups/asset-master.tf index d76646e93..f7886c784 100644 --- a/terraform/projects/infra-security-groups/asset-master.tf +++ b/terraform/projects/infra-security-groups/asset-master.tf 
@@ -10,10 +10,14 @@ # resource "aws_security_group" "asset-master-efs" { name = "${var.stackname}_asset-master-efs_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Security group for asset-master EFS share" tags = { - Name = "${var.stackname}_asset-master-efs_access" + Name = "${var.stackname}_asset-master-efs_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Asset Master" } } diff --git a/terraform/projects/infra-security-groups/backend-redis.tf b/terraform/projects/infra-security-groups/backend-redis.tf index 4fddaf5a7..96b104d96 100644 --- a/terraform/projects/infra-security-groups/backend-redis.tf +++ b/terraform/projects/infra-security-groups/backend-redis.tf @@ -13,11 +13,15 @@ resource "aws_security_group" "backend-redis" { name = "${var.stackname}_backend-redis_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to backend-redis from its clients" tags = { - Name = "${var.stackname}_backend-redis_access" + Name = "${var.stackname}_backend-redis_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Redis" } } @@ -28,10 +32,10 @@ resource "aws_security_group_rule" "backend-redis_ingress_ckan_redis" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.backend-redis.id}" + security_group_id = aws_security_group.backend-redis.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ckan.id}" + source_security_group_id = aws_security_group.ckan.id } resource "aws_security_group_rule" "backend-redis_ingress_deploy_redis" { 
@@ -41,10 +45,10 @@ resource "aws_security_group_rule" "backend-redis_ingress_deploy_redis" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.backend-redis.id}" + security_group_id = aws_security_group.backend-redis.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.deploy.id}" + source_security_group_id = aws_security_group.deploy.id } resource "aws_security_group_rule" "backend-redis_ingress_db-admin_redis" { @@ -54,8 +58,8 @@ resource "aws_security_group_rule" "backend-redis_ingress_db-admin_redis" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.backend-redis.id}" + security_group_id = aws_security_group.backend-redis.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.db-admin.id}" + source_security_group_id = aws_security_group.db-admin.id } diff --git a/terraform/projects/infra-security-groups/ci-agents.tf b/terraform/projects/infra-security-groups/ci-agents.tf index 7a72bcf97..4978cbf24 100644 --- a/terraform/projects/infra-security-groups/ci-agents.tf +++ b/terraform/projects/infra-security-groups/ci-agents.tf @@ -14,9 +14,9 @@ /////////////////////ci-agent-1///////////////////////////////////////////////// resource "aws_security_group" "ci-agent-1" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-1_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the ci-agent-1 host from its ELB" tags = { 
@@ -25,37 +25,37 @@ resource "aws_security_group" "ci-agent-1" { } resource "aws_security_group_rule" "ci-agent-1_ingress_ci-agent-1-elb_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-1[0].id}" + security_group_id = aws_security_group.ci-agent-1[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-agent-1_elb[0].id}" + source_security_group_id = aws_security_group.ci-agent-1_elb[0].id } resource "aws_security_group_rule" "ci-agent-1_ingress_ci-agent-1-ci_master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-1[0].id}" + security_group_id = aws_security_group.ci-agent-1[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-master[0].id}" + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group" "ci-agent-1_elb" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-1_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the CI agent 1 ELB" tags = { 
@@ -64,43 +64,43 @@ resource "aws_security_group" "ci-agent-1_elb" { } resource "aws_security_group_rule" "ci-agent-1-elb_ingress_management_https" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-1_elb[0].id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.ci-agent-1_elb[0].id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "ci-agent-1-elb_ingress_ci-master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 0 to_port = 22 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-1_elb[0].id}" - source_security_group_id = "${aws_security_group.ci-master[0].id}" + security_group_id = aws_security_group.ci-agent-1_elb[0].id + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group_rule" "ci-agent-1-elb_egress_any_any" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "egress" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ci-agent-1_elb[0].id}" + security_group_id = aws_security_group.ci-agent-1_elb[0].id } /////////////////////ci-agent-2///////////////////////////////////////////////// resource "aws_security_group" "ci-agent-2" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-2_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the ci-agent-2 host from its ELB" tags = { 
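Review bot: `ci-agent-1-elb_ingress_ci-master_ssh_tcp` keeps `from_port = 0` with `to_port = 22`, so the rule admits TCP ports 0–22 from the ci-master group rather than only SSH as its name suggests; the commit merely restyles the references, but since the rule is being touched it would be the moment to tighten it to `from_port = 22`. The matching rules for ci-agent-2 through ci-agent-5 in the later hunks of this file carry the same 0–22 range. This is pre-existing and the wider range may be deliberate, but nothing in the file records why; if it is intentional, a comment such as `# Intentionally wider than 22/tcp: <reason>` would stop it being flagged repeatedly.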
@@ -109,37 +109,37 @@ resource "aws_security_group" "ci-agent-2" { } resource "aws_security_group_rule" "ci-agent-2_ingress_ci-agent-2-elb_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-2[0].id}" + security_group_id = aws_security_group.ci-agent-2[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-agent-2_elb[0].id}" + source_security_group_id = aws_security_group.ci-agent-2_elb[0].id } resource "aws_security_group_rule" "ci-agent-2_ingress_ci-agent-2-ci_master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-2[0].id}" + security_group_id = aws_security_group.ci-agent-2[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-master[0].id}" + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group" "ci-agent-2_elb" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-2_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the CI agent 2 ELB" tags = { 
@@ -148,43 +148,43 @@ resource "aws_security_group" "ci-agent-2_elb" { } resource "aws_security_group_rule" "ci-agent-2-elb_ingress_management_https" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-2_elb[0].id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.ci-agent-2_elb[0].id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "ci-agent-2-elb_ingress_ci-master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 0 to_port = 22 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-2_elb[0].id}" - source_security_group_id = "${aws_security_group.ci-master[0].id}" + security_group_id = aws_security_group.ci-agent-2_elb[0].id + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group_rule" "ci-agent-2-elb_egress_any_any" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "egress" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ci-agent-2_elb[0].id}" + security_group_id = aws_security_group.ci-agent-2_elb[0].id } /////////////////////ci-agent-3///////////////////////////////////////////////// resource "aws_security_group" "ci-agent-3" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-3_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the ci-agent-3 host from its ELB" tags = { 
@@ -193,37 +193,37 @@ resource "aws_security_group" "ci-agent-3" { } resource "aws_security_group_rule" "ci-agent-3_ingress_ci-agent-3-elb_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-3[0].id}" + security_group_id = aws_security_group.ci-agent-3[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-agent-3_elb[0].id}" + source_security_group_id = aws_security_group.ci-agent-3_elb[0].id } resource "aws_security_group_rule" "ci-agent-3_ingress_ci-agent-3-ci_master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-3[0].id}" + security_group_id = aws_security_group.ci-agent-3[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-master[0].id}" + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group" "ci-agent-3_elb" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-3_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the CI agent 3 ELB" tags = { 
@@ -232,43 +232,43 @@ resource "aws_security_group" "ci-agent-3_elb" { } resource "aws_security_group_rule" "ci-agent-3-elb_ingress_management_https" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-3_elb[0].id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.ci-agent-3_elb[0].id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "ci-agent-3-elb_ingress_ci-master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 0 to_port = 22 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-3_elb[0].id}" - source_security_group_id = "${aws_security_group.ci-master[0].id}" + security_group_id = aws_security_group.ci-agent-3_elb[0].id + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group_rule" "ci-agent-3-elb_egress_any_any" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "egress" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ci-agent-3_elb[0].id}" + security_group_id = aws_security_group.ci-agent-3_elb[0].id } /////////////////////ci-agent-4///////////////////////////////////////////////// resource "aws_security_group" "ci-agent-4" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-4_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the ci-agent-4 host from its ELB" tags = { 
@@ -277,37 +277,37 @@ resource "aws_security_group" "ci-agent-4" { } resource "aws_security_group_rule" "ci-agent-4_ingress_ci-agent-4-elb_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-4[0].id}" + security_group_id = aws_security_group.ci-agent-4[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-agent-4_elb[0].id}" + source_security_group_id = aws_security_group.ci-agent-4_elb[0].id } resource "aws_security_group_rule" "ci-agent-4_ingress_ci-agent-4-ci_master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-4[0].id}" + security_group_id = aws_security_group.ci-agent-4[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-master[0].id}" + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group" "ci-agent-4_elb" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-4_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the CI agent 4 ELB" tags = { 
@@ -316,43 +316,43 @@ resource "aws_security_group" "ci-agent-4_elb" { } resource "aws_security_group_rule" "ci-agent-4-elb_ingress_management_https" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-4_elb[0].id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.ci-agent-4_elb[0].id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "ci-agent-4-elb_ingress_ci-master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 0 to_port = 22 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-4_elb[0].id}" - source_security_group_id = "${aws_security_group.ci-master[0].id}" + security_group_id = aws_security_group.ci-agent-4_elb[0].id + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group_rule" "ci-agent-4-elb_egress_any_any" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "egress" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ci-agent-4_elb[0].id}" + security_group_id = aws_security_group.ci-agent-4_elb[0].id } /////////////////////ci-agent-5///////////////////////////////////////////////// resource "aws_security_group" "ci-agent-5" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-5_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the ci-agent-5 host from its ELB" tags = { 
@@ -361,37 +361,37 @@ resource "aws_security_group" "ci-agent-5" { } resource "aws_security_group_rule" "ci-agent-5_ingress_ci-agent-5-elb_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-5[0].id}" + security_group_id = aws_security_group.ci-agent-5[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-agent-5_elb[0].id}" + source_security_group_id = aws_security_group.ci-agent-5_elb[0].id } resource "aws_security_group_rule" "ci-agent-5_ingress_ci-agent-5-ci_master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 22 to_port = 22 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-agent-5[0].id}" + security_group_id = aws_security_group.ci-agent-5[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-master[0].id}" + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group" "ci-agent-5_elb" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-agent-5_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the CI agent 5 ELB" tags = { 
@@ -400,33 +400,33 @@ resource "aws_security_group" "ci-agent-5_elb" { } resource "aws_security_group_rule" "ci-agent-5-elb_ingress_management_https" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-5_elb[0].id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.ci-agent-5_elb[0].id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "ci-agent-5-elb_ingress_ci-master_ssh_tcp" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 0 to_port = 22 protocol = "tcp" - security_group_id = "${aws_security_group.ci-agent-5_elb[0].id}" - source_security_group_id = "${aws_security_group.ci-master[0].id}" + security_group_id = aws_security_group.ci-agent-5_elb[0].id + source_security_group_id = aws_security_group.ci-master[0].id } resource "aws_security_group_rule" "ci-agent-5-elb_egress_any_any" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "egress" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ci-agent-5_elb[0].id}" + security_group_id = aws_security_group.ci-agent-5_elb[0].id } diff --git a/terraform/projects/infra-security-groups/ci-master.tf b/terraform/projects/infra-security-groups/ci-master.tf index e10a6bfff..6b27e964a 100644 --- a/terraform/projects/infra-security-groups/ci-master.tf +++ b/terraform/projects/infra-security-groups/ci-master.tf 
@@ -12,48 +12,52 @@ # sg_ci-master_elb_id resource "aws_security_group" "ci-master" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-master_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the ci-master host from its ELB" tags = { - Name = "${var.stackname}_ci-master_access" + Name = "${var.stackname}_ci-master_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Continuous Integration Master" } } resource "aws_security_group_rule" "ci-master_ingress_ci-master-elb_http" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 80 to_port = 80 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-master[0].id}" + security_group_id = aws_security_group.ci-master[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-master_elb[0].id}" + source_security_group_id = aws_security_group.ci-master_elb[0].id } resource "aws_security_group_rule" "ci-master_ingress_ci-master-internal-elb_http" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 
1 : 0 type = "ingress" from_port = 80 to_port = 80 protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ci-master[0].id}" + security_group_id = aws_security_group.ci-master[0].id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ci-master_internal_elb[0].id}" + source_security_group_id = aws_security_group.ci-master_internal_elb[0].id } resource "aws_security_group" "ci-master_elb" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 name = "${var.stackname}_ci-master_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the ci-master ELB" tags = { 
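Review bot: The added tag line `Environment = "${var.aws_environment}"` in the `ci-master` tags block reintroduces the interpolation-only string form that this same commit is removing from every `count` and `vpc_id` argument, so `terraform fmt`/`validate` will keep flagging it as deprecated; write it as `Environment = var.aws_environment`. The same line is added in the ckan (L488), content-data-api-postgresql (L492), db-admin (L494), deploy (L495), docker-management (L498), elasticsearch6 (L500), gatling (L502) and graphite (L504) hunks. Since `Product`, `Owner` and `Environment` are identical in every group, a `locals { common_tags = { ... } }` map applied as `tags = merge(local.common_tags, { Name = "...", System = "..." })` would keep the owner address and product in one place instead of a per-resource copy.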
@@ -62,52 +66,52 @@ resource "aws_security_group" "ci-master_elb" { } resource "aws_security_group_rule" "ci-master-elb_ingress_office_https" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ci-master_elb[0].id}" + security_group_id = aws_security_group.ci-master_elb[0].id cidr_blocks = var.gds_egress_ips } resource "aws_security_group_rule" "ci-master-elb_ingress_github_https" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ci-master_elb[0].id}" + security_group_id = aws_security_group.ci-master_elb[0].id cidr_blocks = data.github_ip_ranges.github.hooks_ipv4 ipv6_cidr_blocks = data.github_ip_ranges.github.hooks_ipv6 } resource "aws_security_group_rule" "ci-master-elb_egress_any_any" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "egress" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ci-master_elb[0].id}" + security_group_id = aws_security_group.ci-master_elb[0].id } resource "aws_security_group_rule" "ci-master-internal-elb_egress_any_any" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "egress" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ci-master_internal_elb[0].id}" + security_group_id = aws_security_group.ci-master_internal_elb[0].id } resource "aws_security_group" "ci-master_internal_elb" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 
1 : 0 name = "${var.stackname}_ci-master_internal_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the ci-master Internal ELB" tags = { @@ -116,12 +120,12 @@ resource "aws_security_group" "ci-master_internal_elb" { } resource "aws_security_group_rule" "ci-master-internal-elb_ingress_management_https" { - count = "${var.aws_environment == "integration" ? 1 : 0}" + count = var.aws_environment == "integration" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ci-master_internal_elb[0].id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.ci-master_internal_elb[0].id + source_security_group_id = aws_security_group.management.id } diff --git a/terraform/projects/infra-security-groups/ckan.tf b/terraform/projects/infra-security-groups/ckan.tf index 630718526..67b77206e 100644 --- a/terraform/projects/infra-security-groups/ckan.tf +++ b/terraform/projects/infra-security-groups/ckan.tf @@ -15,11 +15,15 @@ resource "aws_security_group" "ckan" { name = "${var.stackname}_ckan_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the ckan host from its ELB" tags = { - Name = "${var.stackname}_ckan_access" + Name = "${var.stackname}_ckan_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "CKAN" } } 
@@ -30,10 +34,10 @@ resource "aws_security_group_rule" "ckan_ingress_ckan-elb-internal_http" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ckan.id}" + security_group_id = aws_security_group.ckan.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ckan_elb_internal.id}" + source_security_group_id = aws_security_group.ckan_elb_internal.id } resource "aws_security_group_rule" "ckan_ingress_ckan-elb-external_http" { @@ -43,15 +47,15 @@ resource "aws_security_group_rule" "ckan_ingress_ckan-elb-external_http" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.ckan.id}" + security_group_id = aws_security_group.ckan.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.ckan_elb_external.id}" + source_security_group_id = aws_security_group.ckan_elb_external.id } resource "aws_security_group" "ckan_elb_internal" { name = "${var.stackname}_ckan_elb_internal_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the ckan ELB" tags = { @@ -66,13 +70,13 @@ resource "aws_security_group_rule" "ckan-elb-internal_ingress_management_https" to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ckan_elb_internal.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.ckan_elb_internal.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group" "ckan_elb_external" { name = "${var.stackname}_ckan_elb_external_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the ckan ELB" tags = { 
@@ -87,7 +91,7 @@ resource "aws_security_group_rule" "ckan-elb-external_ingress_public_https" { to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.ckan_elb_external.id}" + security_group_id = aws_security_group.ckan_elb_external.id cidr_blocks = ["0.0.0.0/0"] } @@ -97,7 +101,7 @@ resource "aws_security_group_rule" "ckan-elb-internal_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ckan_elb_internal.id}" + security_group_id = aws_security_group.ckan_elb_internal.id } resource "aws_security_group_rule" "ckan-elb-external_egress_any_any" { @@ -106,7 +110,7 @@ resource "aws_security_group_rule" "ckan-elb-external_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.ckan_elb_external.id}" + security_group_id = aws_security_group.ckan_elb_external.id } # Allow SSH access from db-admin for data sync @@ -116,14 +120,14 @@ resource "aws_security_group_rule" "ckan_ingress_db-admin_ssh" { to_port = 22 protocol = "tcp" - security_group_id = "${aws_security_group.ckan.id}" - source_security_group_id = "${aws_security_group.db-admin.id}" + security_group_id = aws_security_group.ckan.id + source_security_group_id = aws_security_group.db-admin.id } resource "aws_security_group" "ckan_ithc_access" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 name = "${var.stackname}_ckan_ithc_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Control access to ITHC SSH" tags = { 
@@ -132,11 +136,11 @@ resource "aws_security_group" "ckan_ithc_access" { } resource "aws_security_group_rule" "ithc_ingress_ckan_ssh" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 type = "ingress" to_port = 22 from_port = 22 protocol = "tcp" - cidr_blocks = "${var.ithc_access_ips}" - security_group_id = "${aws_security_group.ckan_ithc_access[0].id}" + cidr_blocks = var.ithc_access_ips + security_group_id = aws_security_group.ckan_ithc_access[0].id } diff --git a/terraform/projects/infra-security-groups/content-data-api-db-admin.tf b/terraform/projects/infra-security-groups/content-data-api-db-admin.tf index 22a43aa57..a832b4202 100644 --- a/terraform/projects/infra-security-groups/content-data-api-db-admin.tf +++ b/terraform/projects/infra-security-groups/content-data-api-db-admin.tf @@ -12,7 +12,7 @@ resource "aws_security_group" "content-data-api-db-admin" { name = "${var.stackname}_content-data-api-db-admin_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Security group for the Content Data API DB admin machine" tags = { @@ -21,9 +21,9 @@ resource "aws_security_group" "content-data-api-db-admin" { } resource "aws_security_group" "content-data-api-db-admin_ithc_access" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 name = "${var.stackname}_content-data-api-db-admin_ithc_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Control access to ITHC SSH" tags = { 
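Review bot: `ithc_ingress_ckan_ssh` lists `to_port = 22` before `from_port = 22`, the reverse of every other rule in these files, which makes the port range harder to check at a glance; reorder to `from_port = 22` then `to_port = 22`. The same ordering appears in `ithc_ingress_content-data-api-db-admin_ssh` (L492) and `ithc_ingress_content-data-api-postgresql-primary_ssh` (L493). A short comment such as `# SSH from the ITHC tester ranges only; rule exists only when var.ithc_access_ips is non-empty` above the rule would also document why the `count` guard and the security group are paired.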
@@ -32,11 +32,11 @@ resource "aws_security_group" "content-data-api-db-admin_ithc_access" { } resource "aws_security_group_rule" "ithc_ingress_content-data-api-db-admin_ssh" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 type = "ingress" to_port = 22 from_port = 22 protocol = "tcp" - cidr_blocks = "${var.ithc_access_ips}" - security_group_id = "${aws_security_group.content-data-api-db-admin_ithc_access[0].id}" + cidr_blocks = var.ithc_access_ips + security_group_id = aws_security_group.content-data-api-db-admin_ithc_access[0].id } diff --git a/terraform/projects/infra-security-groups/content-data-api-postgresql.tf b/terraform/projects/infra-security-groups/content-data-api-postgresql.tf index a26f38e4d..b85b35efa 100644 --- a/terraform/projects/infra-security-groups/content-data-api-postgresql.tf +++ b/terraform/projects/infra-security-groups/content-data-api-postgresql.tf @@ -10,11 +10,15 @@ resource "aws_security_group" "content-data-api-postgresql-primary" { name = "${var.stackname}_content-data-api-postgresql-primary_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to content-data-api-postgresql-primary from its clients" tags = { - Name = "${var.stackname}_content-data-api-postgresql-primary_access" + Name = "${var.stackname}_content-data-api-postgresql-primary_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Content Data API" } } 
@@ -25,16 +29,16 @@ resource "aws_security_group_rule" "content-data-api-postgresql-primary_ingress_ protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.content-data-api-postgresql-primary.id}" + security_group_id = aws_security_group.content-data-api-postgresql-primary.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.content-data-api-db-admin.id}" + source_security_group_id = aws_security_group.content-data-api-db-admin.id } resource "aws_security_group" "content-data-api-postgresql-primary_ithc_access" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 name = "${var.stackname}_content-data-api-postgresql-primary_ithc_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Control access to ITHC SSH" tags = { @@ -43,11 +47,11 @@ resource "aws_security_group" "content-data-api-postgresql-primary_ithc_access" } resource "aws_security_group_rule" "ithc_ingress_content-data-api-postgresql-primary_ssh" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 type = "ingress" to_port = 22 from_port = 22 protocol = "tcp" - cidr_blocks = "${var.ithc_access_ips}" - security_group_id = "${aws_security_group.content-data-api-postgresql-primary_ithc_access[0].id}" + cidr_blocks = var.ithc_access_ips + security_group_id = aws_security_group.content-data-api-postgresql-primary_ithc_access[0].id } diff --git a/terraform/projects/infra-security-groups/db-admin.tf b/terraform/projects/infra-security-groups/db-admin.tf index e3cbb1ed2..62206e29c 100644 --- a/terraform/projects/infra-security-groups/db-admin.tf +++ b/terraform/projects/infra-security-groups/db-admin.tf 
@@ -13,11 +13,15 @@ resource "aws_security_group" "db-admin" { name = "${var.stackname}_db-admin_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the db-admin host from its ELB" tags = { - Name = "${var.stackname}_db-admin_access" + Name = "${var.stackname}_db-admin_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Database Admin" } } @@ -28,10 +32,10 @@ resource "aws_security_group_rule" "db-admin_ingress_db-admin-elb_ssh" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.db-admin.id}" + security_group_id = aws_security_group.db-admin.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.db-admin_elb.id}" + source_security_group_id = aws_security_group.db-admin_elb.id } resource "aws_security_group_rule" "db-admin_ingress_db-admin-elb_pgbouncer" { @@ -41,15 +45,15 @@ resource "aws_security_group_rule" "db-admin_ingress_db-admin-elb_pgbouncer" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.db-admin.id}" + security_group_id = aws_security_group.db-admin.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.db-admin_elb.id}" + source_security_group_id = aws_security_group.db-admin_elb.id } resource "aws_security_group" "db-admin_elb" { name = "${var.stackname}_db-admin_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the db-admin ELB" tags = { 
@@ -64,8 +68,8 @@ resource "aws_security_group_rule" "db-admin-elb_ingress_management_ssh" { to_port = 22 protocol = "tcp" - security_group_id = "${aws_security_group.db-admin_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.db-admin_elb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "db-admin-elb_egress_any_any" { @@ -74,5 +78,5 @@ resource "aws_security_group_rule" "db-admin-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.db-admin_elb.id}" + security_group_id = aws_security_group.db-admin_elb.id } diff --git a/terraform/projects/infra-security-groups/deploy.tf b/terraform/projects/infra-security-groups/deploy.tf index d36daebdc..f9a56af47 100644 --- a/terraform/projects/infra-security-groups/deploy.tf +++ b/terraform/projects/infra-security-groups/deploy.tf @@ -13,11 +13,15 @@ resource "aws_security_group" "deploy" { name = "${var.stackname}_deploy_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the deploy host from its ELB" tags = { - Name = "${var.stackname}_deploy_access" + Name = "${var.stackname}_deploy_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Deploy Access" } } 
@@ -28,10 +32,10 @@ resource "aws_security_group_rule" "deploy_ingress_deploy-elb_http" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.deploy.id}" + security_group_id = aws_security_group.deploy.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.deploy_elb.id}" + source_security_group_id = aws_security_group.deploy_elb.id } resource "aws_security_group_rule" "deploy_ingress_deploy-internal-elb_http" { @@ -41,15 +45,15 @@ resource "aws_security_group_rule" "deploy_ingress_deploy-internal-elb_http" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.deploy.id}" + security_group_id = aws_security_group.deploy.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.deploy_internal_elb.id}" + source_security_group_id = aws_security_group.deploy_internal_elb.id } resource "aws_security_group" "deploy_elb" { name = "${var.stackname}_deploy_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the deploy ELB" tags = { 
@@ -63,29 +67,29 @@ resource "aws_security_group_rule" "deploy-elb_ingress_office_https" { to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.deploy_elb.id}" + security_group_id = aws_security_group.deploy_elb.id cidr_blocks = var.gds_egress_ips } resource "aws_security_group_rule" "deploy-elb_ingress_aws_integration_access_https" { - count = "${(var.aws_environment == "integration") || (var.aws_environment == "staging") ? 1 : 0}" + count = (var.aws_environment == "integration") || (var.aws_environment == "staging") ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.deploy_elb.id}" + security_group_id = aws_security_group.deploy_elb.id cidr_blocks = var.aws_integration_external_nat_gateway_ips } resource "aws_security_group_rule" "deploy-elb_ingress_aws_staging_access_https" { - count = "${var.aws_environment == "production" ? 1 : 0}" + count = var.aws_environment == "production" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.deploy_elb.id}" + security_group_id = aws_security_group.deploy_elb.id cidr_blocks = var.aws_staging_external_nat_gateway_ips } @@ -95,7 +99,7 @@ resource "aws_security_group_rule" "deploy-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.deploy_elb.id}" + security_group_id = aws_security_group.deploy_elb.id } resource "aws_security_group_rule" "deploy-internal-elb_egress_any_any" { 
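Review bot: The new `count` expression on `deploy-elb_ingress_aws_integration_access_https`, `(var.aws_environment == "integration") || (var.aws_environment == "staging") ? 1 : 0`, reads as a chain of comparisons that will grow if another environment is added; `count = contains(["integration", "staging"], var.aws_environment) ? 1 : 0` states the allowed set directly. The companion rule `deploy-elb_ingress_aws_staging_access_https` below it is gated on `production`, so the two rules together encode the promotion path; a one-line comment above each, e.g. `# integration/staging deploy ELB accepts HTTPS from the integration NAT gateway IPs`, would make that relationship explicit for the reader.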
@@ -104,12 +108,12 @@ resource "aws_security_group_rule" "deploy-internal-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.deploy_internal_elb.id}" + security_group_id = aws_security_group.deploy_internal_elb.id } resource "aws_security_group" "deploy_internal_elb" { name = "${var.stackname}_deploy_internal_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the deploy Internal ELB" tags = { @@ -123,6 +127,6 @@ resource "aws_security_group_rule" "deploy-internal-elb_ingress_management_https to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.deploy_internal_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.deploy_internal_elb.id + source_security_group_id = aws_security_group.management.id } diff --git a/terraform/projects/infra-security-groups/docker-management.tf b/terraform/projects/infra-security-groups/docker-management.tf index 6be1f9396..7840cef96 100644 --- a/terraform/projects/infra-security-groups/docker-management.tf +++ b/terraform/projects/infra-security-groups/docker-management.tf @@ -14,11 +14,15 @@ resource "aws_security_group" "docker_management" { name = "${var.stackname}_docker_management_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the docker_management host from its ELB" tags = { - Name = "${var.stackname}_docker_management_access" + Name = "${var.stackname}_docker_management_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Docker Management" } } 
@@ -29,10 +33,10 @@ resource "aws_security_group_rule" "docker-management_ingress_docker-management- protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.docker_management.id}" + security_group_id = aws_security_group.docker_management.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.docker_management_etcd_elb.id}" + source_security_group_id = aws_security_group.docker_management_etcd_elb.id } resource "aws_security_group_rule" "docker-management_ingress_docker-management_etcd-transport" { @@ -41,13 +45,13 @@ resource "aws_security_group_rule" "docker-management_ingress_docker-management_ to_port = 2380 protocol = "tcp" - security_group_id = "${aws_security_group.docker_management.id}" - source_security_group_id = "${aws_security_group.docker_management.id}" + security_group_id = aws_security_group.docker_management.id + source_security_group_id = aws_security_group.docker_management.id } resource "aws_security_group" "docker_management_etcd_elb" { name = "${var.stackname}_docker_management_etcd_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the docker_management etcd ELB" tags = { @@ -61,8 +65,8 @@ resource "aws_security_group_rule" "docker-management-etcd-elb_ingress_managemen to_port = 2379 protocol = "tcp" - security_group_id = "${aws_security_group.docker_management_etcd_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.docker_management_etcd_elb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "docker-management-etcd-elb_egress_any_any" { 
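Review bot: In `docker-management_ingress_docker-management_etcd-transport` the hunk now sets both `security_group_id` and `source_security_group_id` to `aws_security_group.docker_management.id`; for a rule that refers back to its own group the provider's `self = true` argument expresses that intent directly, so the `source_security_group_id` line can be replaced with `self = true`. The same self-referencing pattern appears in `gatling_ingress_gatling_ssh` (L502). The start of this rule (type and from_port) is outside the hunk, so the surrounding arguments were not checked.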
@@ -71,5 +75,5 @@ resource "aws_security_group_rule" "docker-management-etcd-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.docker_management_etcd_elb.id}" + security_group_id = aws_security_group.docker_management_etcd_elb.id } diff --git a/terraform/projects/infra-security-groups/elasticsearch6.tf b/terraform/projects/infra-security-groups/elasticsearch6.tf index ee115e98c..fc73baf28 100644 --- a/terraform/projects/infra-security-groups/elasticsearch6.tf +++ b/terraform/projects/infra-security-groups/elasticsearch6.tf @@ -18,11 +18,15 @@ resource "aws_security_group" "elasticsearch6" { name = "${var.stackname}_elasticsearch6_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to elasticsearch6" tags = { - Name = "${var.stackname}_elasticsearch6_access" + Name = "${var.stackname}_elasticsearch6_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Elasticsearch" } } @@ -33,10 +37,10 @@ resource "aws_security_group_rule" "elasticsearch6_ingress_search_elasticsearch- protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.elasticsearch6.id}" + security_group_id = aws_security_group.elasticsearch6.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.search.id}" + source_security_group_id = aws_security_group.search.id } resource "aws_security_group_rule" "elasticsearch6_ingress_search_elasticsearch-api-https" { 
@@ -46,10 +50,10 @@ resource "aws_security_group_rule" "elasticsearch6_ingress_search_elasticsearch- protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.elasticsearch6.id}" + security_group_id = aws_security_group.elasticsearch6.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.search.id}" + source_security_group_id = aws_security_group.search.id } resource "aws_security_group_rule" "elasticsearch6_ingress_search-ltr-generation_elasticsearch-api" { @@ -59,10 +63,10 @@ resource "aws_security_group_rule" "elasticsearch6_ingress_search-ltr-generation protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.elasticsearch6.id}" + security_group_id = aws_security_group.elasticsearch6.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.search-ltr-generation.id}" + source_security_group_id = aws_security_group.search-ltr-generation.id } resource "aws_security_group_rule" "elasticsearch6_ingress_search-ltr-generation_elasticsearch-api-https" { @@ -72,8 +76,8 @@ resource "aws_security_group_rule" "elasticsearch6_ingress_search-ltr-generation protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.elasticsearch6.id}" + security_group_id = aws_security_group.elasticsearch6.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.search-ltr-generation.id}" + source_security_group_id = aws_security_group.search-ltr-generation.id } diff --git a/terraform/projects/infra-security-groups/gatling.tf b/terraform/projects/infra-security-groups/gatling.tf index fd18cd367..be4b398d8 100644 --- a/terraform/projects/infra-security-groups/gatling.tf +++ b/terraform/projects/infra-security-groups/gatling.tf 
@@ -11,11 +11,15 @@ resource "aws_security_group" "gatling" { name = "${var.stackname}_gatling_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the gatling host" tags = { - Name = "${var.stackname}_gatling_access" + Name = "${var.stackname}_gatling_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Gatling" } } @@ -26,10 +30,10 @@ resource "aws_security_group_rule" "gatling_ingress_gatling_ssh" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.gatling.id}" + security_group_id = aws_security_group.gatling.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.gatling.id}" + source_security_group_id = aws_security_group.gatling.id } resource "aws_security_group_rule" "gatling_egress_any_any" { @@ -38,7 +42,7 @@ resource "aws_security_group_rule" "gatling_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.gatling.id}" + security_group_id = aws_security_group.gatling.id } resource "aws_security_group_rule" "gatling_ingress_gatling_http" { 
@@ -48,15 +52,15 @@ resource "aws_security_group_rule" "gatling_ingress_gatling_http" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.gatling.id}" + security_group_id = aws_security_group.gatling.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.gatling_external_elb.id}" + source_security_group_id = aws_security_group.gatling_external_elb.id } resource "aws_security_group" "gatling_external_elb" { name = "${var.stackname}_gatling_external_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the gatling External ELB" tags = { @@ -70,7 +74,7 @@ resource "aws_security_group_rule" "gatling-external-elb_ingress_office_https" { to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.gatling_external_elb.id}" + security_group_id = aws_security_group.gatling_external_elb.id cidr_blocks = var.gds_egress_ips } @@ -80,5 +84,5 @@ resource "aws_security_group_rule" "gatling-external-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.gatling_external_elb.id}" + security_group_id = aws_security_group.gatling_external_elb.id } diff --git a/terraform/projects/infra-security-groups/graphite.tf b/terraform/projects/infra-security-groups/graphite.tf index ccc4ac60e..35e449886 100644 --- a/terraform/projects/infra-security-groups/graphite.tf +++ b/terraform/projects/infra-security-groups/graphite.tf 
@@ -15,11 +15,15 @@ resource "aws_security_group" "graphite" { name = "${var.stackname}_graphite_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the graphite host from its ELB" tags = { - Name = "${var.stackname}_graphite_access" + Name = "${var.stackname}_graphite_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Graphite" } } @@ -30,10 +34,10 @@ resource "aws_security_group_rule" "graphite_ingress_graphite-external-elb_http" protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.graphite.id}" + security_group_id = aws_security_group.graphite.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.graphite_external_elb.id}" + source_security_group_id = aws_security_group.graphite_external_elb.id } resource "aws_security_group_rule" "graphite_ingress_graphite-internal-elb_http" { @@ -43,10 +47,10 @@ resource "aws_security_group_rule" "graphite_ingress_graphite-internal-elb_http" protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.graphite.id}" + security_group_id = aws_security_group.graphite.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.graphite_internal_elb.id}" + source_security_group_id = aws_security_group.graphite_internal_elb.id } resource "aws_security_group_rule" "graphite_ingress_graphite-internal-elb_carbon" { 
@@ -56,10 +60,10 @@ resource "aws_security_group_rule" "graphite_ingress_graphite-internal-elb_carbo protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.graphite.id}" + security_group_id = aws_security_group.graphite.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.graphite_internal_elb.id}" + source_security_group_id = aws_security_group.graphite_internal_elb.id } resource "aws_security_group_rule" "graphite_ingress_graphite-internal-elb_pickle" { @@ -69,10 +73,10 @@ resource "aws_security_group_rule" "graphite_ingress_graphite-internal-elb_pickl protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.graphite.id}" + security_group_id = aws_security_group.graphite.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.graphite_internal_elb.id}" + source_security_group_id = aws_security_group.graphite_internal_elb.id } resource "aws_security_group_rule" "graphite_ingress_graphite_internal_elb_https" { @@ -82,15 +86,15 @@ resource "aws_security_group_rule" "graphite_ingress_graphite_internal_elb_https protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.graphite_internal_elb.id}" + security_group_id = aws_security_group.graphite_internal_elb.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.graphite.id}" + source_security_group_id = aws_security_group.graphite.id } resource "aws_security_group" "graphite_external_elb" { name = "${var.stackname}_graphite_external_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the Graphite External ELB" tags = { 
@@ -104,7 +108,7 @@ resource "aws_security_group_rule" "graphite-external-elb_ingress_office_https" to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.graphite_external_elb.id}" + security_group_id = aws_security_group.graphite_external_elb.id cidr_blocks = var.gds_egress_ips } @@ -115,8 +119,8 @@ resource "aws_security_group_rule" "graphite-external-elb_ingress_management_htt to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.graphite_external_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.graphite_external_elb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "graphite-external-elb_egress_any_any" { @@ -125,12 +129,12 @@ resource "aws_security_group_rule" "graphite-external-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.graphite_external_elb.id}" + security_group_id = aws_security_group.graphite_external_elb.id } resource "aws_security_group" "graphite_internal_elb" { name = "${var.stackname}_graphite_internal_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the Graphite Internal ELB" tags = { @@ -144,8 +148,8 @@ resource "aws_security_group_rule" "graphite-internal-elb_ingress_monitoring_htt to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.graphite_internal_elb.id}" - source_security_group_id = "${aws_security_group.monitoring.id}" + security_group_id = aws_security_group.graphite_internal_elb.id + source_security_group_id = aws_security_group.monitoring.id } resource "aws_security_group_rule" "graphite-internal-elb_ingress_deploy_https" { 
@@ -155,10 +159,10 @@ resource "aws_security_group_rule" "graphite-internal-elb_ingress_deploy_https" protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.graphite_internal_elb.id}" + security_group_id = aws_security_group.graphite_internal_elb.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.deploy.id}" + source_security_group_id = aws_security_group.deploy.id } resource "aws_security_group_rule" "graphite-internal-elb_ingress_management_carbon" { @@ -167,8 +171,8 @@ resource "aws_security_group_rule" "graphite-internal-elb_ingress_management_car to_port = 2003 protocol = "tcp" - security_group_id = "${aws_security_group.graphite_internal_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.graphite_internal_elb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "graphite-internal-elb_ingress_management_pickle" { @@ -177,8 +181,8 @@ resource "aws_security_group_rule" "graphite-internal-elb_ingress_management_pic to_port = 2004 protocol = "tcp" - security_group_id = "${aws_security_group.graphite_internal_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.graphite_internal_elb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "graphite-internal-elb_egress_any_any" { @@ -187,5 +191,5 @@ resource "aws_security_group_rule" "graphite-internal-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.graphite_internal_elb.id}" + security_group_id = aws_security_group.graphite_internal_elb.id } diff --git a/terraform/projects/infra-security-groups/jumpbox.tf b/terraform/projects/infra-security-groups/jumpbox.tf index f563c15e3..658e39a64 100644 
--- a/terraform/projects/infra-security-groups/jumpbox.tf +++ b/terraform/projects/infra-security-groups/jumpbox.tf @@ -12,11 +12,15 @@ resource "aws_security_group" "jumpbox" { name = "${var.stackname}_jumpbox_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Control access to the jumpbox" tags = { - Name = "${var.stackname}_jumpbox_access" + Name = "${var.stackname}_jumpbox_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Jumpbox" } } @@ -25,6 +29,6 @@ resource "aws_security_group_rule" "jumpbox_ingress_offsite-ssh_ssh" { to_port = 22 from_port = 22 protocol = "tcp" - security_group_id = "${aws_security_group.jumpbox.id}" - source_security_group_id = "${aws_security_group.offsite_ssh.id}" + security_group_id = aws_security_group.jumpbox.id + source_security_group_id = aws_security_group.offsite_ssh.id } diff --git a/terraform/projects/infra-security-groups/licensify-backend.tf b/terraform/projects/infra-security-groups/licensify-backend.tf index 64d086537..4384e5342 100644 --- a/terraform/projects/infra-security-groups/licensify-backend.tf +++ b/terraform/projects/infra-security-groups/licensify-backend.tf @@ -10,7 +10,7 @@ resource "aws_security_group" "licensify-backend" { name = "licensify-backend_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the licensify-backend host from its ELB" tags = { 
@@ -25,10 +25,10 @@ resource "aws_security_group_rule" "licensify-backend_ingress_licensify-backend- protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.licensify-backend.id}" + security_group_id = aws_security_group.licensify-backend.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.licensify-backend_internal_elb.id}" + source_security_group_id = aws_security_group.licensify-backend_internal_elb.id } resource "aws_security_group_rule" "licensify-backend_ingress_licensify-backend-external-elb_http" { @@ -38,15 +38,15 @@ resource "aws_security_group_rule" "licensify-backend_ingress_licensify-backend- protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.licensify-backend.id}" + security_group_id = aws_security_group.licensify-backend.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.licensify-backend_external_elb.id}" + source_security_group_id = aws_security_group.licensify-backend_external_elb.id } resource "aws_security_group" "licensify-backend_internal_elb" { name = "licensify-backend_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the licensify-backend ELB" tags = { @@ -60,8 +60,8 @@ resource "aws_security_group_rule" "licensify-backend-internal-elb_ingress_manag to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-backend_internal_elb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.licensify-backend_internal_elb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "licensify-backend-internal-elb_egress_any_any" { 
@@ -70,12 +70,12 @@ resource "aws_security_group_rule" "licensify-backend-internal-elb_egress_any_an to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.licensify-backend_internal_elb.id}" + security_group_id = aws_security_group.licensify-backend_internal_elb.id } resource "aws_security_group" "licensify-backend_external_elb" { name = "licensify-backend_external_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the licensify-backend external ELB" tags = { @@ -88,7 +88,7 @@ resource "aws_security_group_rule" "licensify-backend-external-elb_ingress_publi to_port = 443 from_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-backend_external_elb.id}" + security_group_id = aws_security_group.licensify-backend_external_elb.id cidr_blocks = ["0.0.0.0/0"] } @@ -99,7 +99,7 @@ resource "aws_security_group_rule" "licensify-backend-external-elb_ingress_publi to_port = 80 from_port = 80 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-backend_external_elb.id}" + security_group_id = aws_security_group.licensify-backend_external_elb.id cidr_blocks = ["0.0.0.0/0"] } 
@@ -109,13 +109,13 @@ resource "aws_security_group_rule" "licensify-backend-external-elb_egress_any_an to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.licensify-backend_external_elb.id}" + security_group_id = aws_security_group.licensify-backend_external_elb.id } resource "aws_security_group" "licensify_backend_ithc_access" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 name = "${var.stackname}_licensify_backend_ithc_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Control access to ITHC SSH" tags = { @@ -124,11 +124,11 @@ resource "aws_security_group" "licensify_backend_ithc_access" { } resource "aws_security_group_rule" "ithc_ingress_licensify_backend_ssh" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 type = "ingress" to_port = 22 from_port = 22 protocol = "tcp" - cidr_blocks = "${var.ithc_access_ips}" - security_group_id = "${aws_security_group.licensify_backend_ithc_access[0].id}" + cidr_blocks = var.ithc_access_ips + security_group_id = aws_security_group.licensify_backend_ithc_access[0].id } diff --git a/terraform/projects/infra-security-groups/licensify-documentdb.tf b/terraform/projects/infra-security-groups/licensify-documentdb.tf index 4e896ae55..6823a9d07 100644 --- a/terraform/projects/infra-security-groups/licensify-documentdb.tf +++ b/terraform/projects/infra-security-groups/licensify-documentdb.tf @@ -10,7 +10,7 @@ resource "aws_security_group" "licensify_documentdb" { name = "${var.stackname}_licensify-documentdb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to licensify documentdb from its clients" tags = { 
@@ -26,10 +26,10 @@ resource "aws_security_group_rule" "licensify-documentdb_ingress_db-admin_mongod description = "allow db_admin to access licensify document db" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.licensify_documentdb.id}" + security_group_id = aws_security_group.licensify_documentdb.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.db-admin.id}" + source_security_group_id = aws_security_group.db-admin.id } resource "aws_security_group_rule" "licensify-documentdb_ingress_db-licensify_frontend_mongodb" { @@ -40,10 +40,10 @@ resource "aws_security_group_rule" "licensify-documentdb_ingress_db-licensify_fr description = "allow licensify frontend nodes to access licensify document db" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.licensify_documentdb.id}" + security_group_id = aws_security_group.licensify_documentdb.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.licensify-frontend.id}" + source_security_group_id = aws_security_group.licensify-frontend.id } resource "aws_security_group_rule" "licensify-documentdb_ingress_db-licensify_backend_mongodb" { @@ -54,8 +54,8 @@ resource "aws_security_group_rule" "licensify-documentdb_ingress_db-licensify_ba description = "allow licensify backend nodes to access licensify document db" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.licensify_documentdb.id}" + security_group_id = aws_security_group.licensify_documentdb.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.licensify-backend.id}" + source_security_group_id = aws_security_group.licensify-backend.id } diff --git a/terraform/projects/infra-security-groups/licensify-frontend.tf b/terraform/projects/infra-security-groups/licensify-frontend.tf index 305aa0524..ee93c565d 100644 
--- a/terraform/projects/infra-security-groups/licensify-frontend.tf +++ b/terraform/projects/infra-security-groups/licensify-frontend.tf @@ -13,11 +13,15 @@ resource "aws_security_group" "licensify-frontend" { name = "${var.stackname}_licensify-frontend_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the licensify-frontend host from its public ELB and internal LB" tags = { - Name = "${var.stackname}_licensify-frontend_access" + Name = "${var.stackname}_licensify-frontend_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Mirrorer" } } @@ -28,10 +32,10 @@ resource "aws_security_group_rule" "licensify-frontend_ingress_licensify-fronten protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.licensify-frontend.id}" + security_group_id = aws_security_group.licensify-frontend.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.licensify-frontend_external_elb.id}" + source_security_group_id = aws_security_group.licensify-frontend_external_elb.id } resource "aws_security_group_rule" "licensify-frontend_ingress_licensify-frontend-internal-lb_http" { 
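Review bot: The new `System = "Mirrorer"` tag on `aws_security_group.licensify-frontend` looks like a copy-paste from mirrorer.tf, which adds the identical value later in this patch; every other value in this block names licensify-frontend. These tags are what ownership and cost reporting key on, so a wrong `System` value silently attributes this group to a different service. The value should name licensify-frontend, ideally matching whatever the licensify-backend group uses (its tag block is not visible in this patch's hunks). The enclosing resource block starts before the hunk.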
@@ -41,15 +45,15 @@ resource "aws_security_group_rule" "licensify-frontend_ingress_licensify-fronten protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.licensify-frontend.id}" + security_group_id = aws_security_group.licensify-frontend.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.licensify-frontend_internal_lb.id}" + source_security_group_id = aws_security_group.licensify-frontend_internal_lb.id } resource "aws_security_group" "licensify-frontend_external_elb" { name = "${var.stackname}_licensify-frontend_external_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the public licensify-frontend ELB" tags = { 
@@ -58,46 +62,46 @@ resource "aws_security_group" "licensify-frontend_external_elb" { } resource "aws_security_group_rule" "licensify-frontend-elb_ingress_office_https" { - count = "${(var.aws_environment == "integration") || (var.aws_environment == "staging") ? 1 : 0}" + count = (var.aws_environment == "integration") || (var.aws_environment == "staging") ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-frontend_external_elb.id}" + security_group_id = aws_security_group.licensify-frontend_external_elb.id cidr_blocks = var.gds_egress_ips } resource "aws_security_group_rule" "licensify-frontend-elb_ingress_public_https" { - count = "${var.aws_environment == "production" ? 1 : 0}" + count = var.aws_environment == "production" ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-frontend_external_elb.id}" + security_group_id = aws_security_group.licensify-frontend_external_elb.id cidr_blocks = ["0.0.0.0/0"] } resource "aws_security_group_rule" "licensify-frontend-elb_ingress_office_http" { - count = "${(var.aws_environment == "integration") || (var.aws_environment == "staging") ? 1 : 0}" + count = (var.aws_environment == "integration") || (var.aws_environment == "staging") ? 1 : 0 type = "ingress" from_port = 80 to_port = 80 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-frontend_external_elb.id}" + security_group_id = aws_security_group.licensify-frontend_external_elb.id cidr_blocks = var.gds_egress_ips } resource "aws_security_group_rule" "licensify-frontend-elb_ingress_public_http" { - count = "${var.aws_environment == "production" ? 1 : 0}" + count = var.aws_environment == "production" ? 
1 : 0 type = "ingress" from_port = 80 to_port = 80 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-frontend_external_elb.id}" + security_group_id = aws_security_group.licensify-frontend_external_elb.id cidr_blocks = ["0.0.0.0/0"] } @@ -107,13 +111,13 @@ resource "aws_security_group_rule" "licensify-frontend-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.licensify-frontend_external_elb.id}" + security_group_id = aws_security_group.licensify-frontend_external_elb.id } # Internal Loadbalancer resource "aws_security_group" "licensify-frontend_internal_lb" { name = "${var.stackname}_licensify-frontend_lb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the licensify-frontend LB" tags = { @@ -127,8 +131,8 @@ resource "aws_security_group_rule" "licensify-frontend-internal-lb_ingress_manag to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-frontend_internal_lb.id}" - source_security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.licensify-frontend_internal_lb.id + source_security_group_id = aws_security_group.management.id } resource "aws_security_group_rule" "licensify-frontend-internal-lb_egress_any_any" { 
@@ -137,24 +141,24 @@ resource "aws_security_group_rule" "licensify-frontend-internal-lb_egress_any_an to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.licensify-frontend_internal_lb.id}" + security_group_id = aws_security_group.licensify-frontend_internal_lb.id } resource "aws_security_group_rule" "licensify-frontend-elb_ingress_ithc_https" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.licensify-frontend_external_elb.id}" + security_group_id = aws_security_group.licensify-frontend_external_elb.id cidr_blocks = var.ithc_access_ips } resource "aws_security_group" "licensify_frontend_ithc_access" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 name = "${var.stackname}_licensify_frontend_ithc_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Control access to ITHC SSH" tags = { @@ -163,11 +167,11 @@ resource "aws_security_group" "licensify_frontend_ithc_access" { } resource "aws_security_group_rule" "ithc_ingress_licensify_frontend_ssh" { - count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}" + count = length(var.ithc_access_ips) > 0 ? 1 : 0 type = "ingress" to_port = 22 from_port = 22 protocol = "tcp" - cidr_blocks = "${var.ithc_access_ips}" - security_group_id = "${aws_security_group.licensify_frontend_ithc_access[0].id}" + cidr_blocks = var.ithc_access_ips + security_group_id = aws_security_group.licensify_frontend_ithc_access[0].id } diff --git a/terraform/projects/infra-security-groups/main.tf b/terraform/projects/infra-security-groups/main.tf index ed64c47d6..93798c1a6 100644 --- a/terraform/projects/infra-security-groups/main.tf +++ b/terraform/projects/infra-security-groups/main.tf 
@@ -5,7 +5,7 @@
 */
 variable "aws_environment" {
- type = "string"
+ type = string
 description = "AWS Environment"
 }
@@ -18,7 +18,7 @@ terraform {
 }
 provider "aws" {
- region = "${var.aws_region}"
+ region = var.aws_region
 version = "2.46.0"
 }
diff --git a/terraform/projects/infra-security-groups/management.tf b/terraform/projects/infra-security-groups/management.tf
index e4204bb1a..1e5bfafa7 100644
--- a/terraform/projects/infra-security-groups/management.tf
+++ b/terraform/projects/infra-security-groups/management.tf
@@ -14,11 +14,15 @@ resource "aws_security_group" "management" {
 name = "${var.stackname}_management_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Group used to allow access by management systems"
 tags = {
- Name = "${var.stackname}_management_access"
+ Name = "${var.stackname}_management_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "VM Management"
 }
 }
@@ -29,10 +33,10 @@ resource "aws_security_group_rule" "management_ingress_jumpbox_ssh" {
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.management.id}"
+ security_group_id = aws_security_group.management.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.jumpbox.id}"
+ source_security_group_id = aws_security_group.jumpbox.id
 }
 resource "aws_security_group_rule" "management_ingress_deploy_ssh" {
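Review bot: `version = "2.46.0"` inside the `provider "aws"` block sits directly under the `region` line this hunk rewrites; the in-provider `version` argument is deprecated from Terraform 0.13 in favour of a `required_providers` entry in the `terraform` block, so modernising the expression syntax here while leaving the pin in place means the next upgrade step still fails on this file. Moving the pin into `required_providers` would keep the provider locked while finishing the migration. The `terraform {}` block named in the hunk header starts before the hunk, so its current contents cannot be checked from here.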
@@ -42,10 +46,10 @@ resource "aws_security_group_rule" "management_ingress_deploy_ssh" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.management.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.deploy.id}" + source_security_group_id = aws_security_group.deploy.id } resource "aws_security_group_rule" "management_ingress_monitoring_nrpe" { @@ -55,10 +59,10 @@ resource "aws_security_group_rule" "management_ingress_monitoring_nrpe" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.management.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.monitoring.id}" + source_security_group_id = aws_security_group.monitoring.id } resource "aws_security_group_rule" "management_ingress_monitoring_ping" { @@ -68,10 +72,10 @@ resource "aws_security_group_rule" "management_ingress_monitoring_ping" { protocol = "icmp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.management.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.monitoring.id}" + source_security_group_id = aws_security_group.monitoring.id } resource "aws_security_group_rule" "management_ingress_prometheus_node_exporter" { 
@@ -81,10 +85,10 @@ resource "aws_security_group_rule" "management_ingress_prometheus_node_exporter" protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.management.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.prometheus.id}" + source_security_group_id = aws_security_group.prometheus.id } resource "aws_security_group_rule" "mangement_egress_any_any" { @@ -93,5 +97,5 @@ resource "aws_security_group_rule" "mangement_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.management.id}" + security_group_id = aws_security_group.management.id } diff --git a/terraform/projects/infra-security-groups/mirrorer.tf b/terraform/projects/infra-security-groups/mirrorer.tf index 9d0970ecd..3bf7ce423 100644 --- a/terraform/projects/infra-security-groups/mirrorer.tf +++ b/terraform/projects/infra-security-groups/mirrorer.tf @@ -10,10 +10,14 @@ resource "aws_security_group" "mirrorer" { name = "${var.stackname}_mirrorer_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Security group for mirrorer" tags = { - Name = "${var.stackname}_mirrorer_access" + Name = "${var.stackname}_mirrorer_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Mirrorer" } } diff --git a/terraform/projects/infra-security-groups/mongo.tf b/terraform/projects/infra-security-groups/mongo.tf index f07768ed4..594b77101 100644 --- a/terraform/projects/infra-security-groups/mongo.tf +++ b/terraform/projects/infra-security-groups/mongo.tf 
@@ -13,11 +13,15 @@ # resource "aws_security_group" "mongo" { name = "${var.stackname}_mongo_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to mongo" tags = { - Name = "${var.stackname}_mongo_access" + Name = "${var.stackname}_mongo_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Mongo" } } @@ -29,8 +33,8 @@ resource "aws_security_group_rule" "mongo_ingress_mongo_mongo" { protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.mongo.id}" + security_group_id = aws_security_group.mongo.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.mongo.id}" + source_security_group_id = aws_security_group.mongo.id } diff --git a/terraform/projects/infra-security-groups/monitoring.tf b/terraform/projects/infra-security-groups/monitoring.tf index 97edb931b..8f6a398f6 100644 --- a/terraform/projects/infra-security-groups/monitoring.tf +++ b/terraform/projects/infra-security-groups/monitoring.tf @@ -14,11 +14,15 @@ resource "aws_security_group" "monitoring" { name = "${var.stackname}_monitoring_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access to the monitoring host from its ELB" tags = { - Name = "${var.stackname}_monitoring_access" + Name = "${var.stackname}_monitoring_access" + Environment = "${var.aws_environment}" + Product = "GOVUK" + Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk" + System = "Monitoring" } } 
@@ -29,10 +33,10 @@ resource "aws_security_group_rule" "monitoring_ingress_monitoring-external-elb_h protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.monitoring.id}" + security_group_id = aws_security_group.monitoring.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.monitoring_external_elb.id}" + source_security_group_id = aws_security_group.monitoring_external_elb.id } resource "aws_security_group_rule" "monitoring_ingress_monitoring-internal-elb_nsca" { @@ -42,10 +46,10 @@ resource "aws_security_group_rule" "monitoring_ingress_monitoring-internal-elb_n protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.monitoring.id}" + security_group_id = aws_security_group.monitoring.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.monitoring_internal_elb.id}" + source_security_group_id = aws_security_group.monitoring_internal_elb.id } resource "aws_security_group_rule" "monitoring_ingress_monitoring-internal-elb_ssh" { @@ -55,10 +59,10 @@ resource "aws_security_group_rule" "monitoring_ingress_monitoring-internal-elb_s protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.monitoring.id}" + security_group_id = aws_security_group.monitoring.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.monitoring_internal_elb.id}" + source_security_group_id = aws_security_group.monitoring_internal_elb.id } resource "aws_security_group_rule" "monitoring_ingress_monitoring-internal-elb_http" { 
@@ -68,15 +72,15 @@ resource "aws_security_group_rule" "monitoring_ingress_monitoring-internal-elb_h protocol = "tcp" # Which security group is the rule assigned to - security_group_id = "${aws_security_group.monitoring.id}" + security_group_id = aws_security_group.monitoring.id # Which security group can use this rule - source_security_group_id = "${aws_security_group.monitoring_internal_elb.id}" + source_security_group_id = aws_security_group.monitoring_internal_elb.id } resource "aws_security_group" "monitoring_external_elb" { name = "${var.stackname}_monitoring_external_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the monitoring ELB" tags = { @@ -90,7 +94,7 @@ resource "aws_security_group_rule" "monitoring-external-elb_ingress_office_https to_port = 443 protocol = "tcp" - security_group_id = "${aws_security_group.monitoring_external_elb.id}" + security_group_id = aws_security_group.monitoring_external_elb.id cidr_blocks = var.gds_egress_ips } @@ -100,12 +104,12 @@ resource "aws_security_group_rule" "monitoring-external-elb_egress_any_any" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.monitoring_external_elb.id}" + security_group_id = aws_security_group.monitoring_external_elb.id } resource "aws_security_group" "monitoring_internal_elb" { name = "${var.stackname}_monitoring_internal_elb_access" - vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}" + vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id description = "Access the monitoring ELB" tags = { 
@@ -119,8 +123,8 @@ resource "aws_security_group_rule" "monitoring-internal-elb_ingress_management_n
 to_port = 5667
 protocol = "tcp"
- security_group_id = "${aws_security_group.monitoring_internal_elb.id}"
- source_security_group_id = "${aws_security_group.management.id}"
+ security_group_id = aws_security_group.monitoring_internal_elb.id
+ source_security_group_id = aws_security_group.management.id
 }
 resource "aws_security_group_rule" "monitoring-internal-elb_ingress_management_https" {
@@ -129,8 +133,8 @@ resource "aws_security_group_rule" "monitoring-internal-elb_ingress_management_h
 to_port = 443
 protocol = "tcp"
- security_group_id = "${aws_security_group.monitoring_internal_elb.id}"
- source_security_group_id = "${aws_security_group.management.id}"
+ security_group_id = aws_security_group.monitoring_internal_elb.id
+ source_security_group_id = aws_security_group.management.id
 }
 resource "aws_security_group_rule" "monitoring-internal-elb_ingress_jumpbox_ssh" {
@@ -139,8 +143,8 @@ resource "aws_security_group_rule" "monitoring-internal-elb_ingress_jumpbox_ssh"
 to_port = 22
 protocol = "tcp"
- security_group_id = "${aws_security_group.monitoring_internal_elb.id}"
- source_security_group_id = "${aws_security_group.jumpbox.id}"
+ security_group_id = aws_security_group.monitoring_internal_elb.id
+ source_security_group_id = aws_security_group.jumpbox.id
 }
 resource "aws_security_group_rule" "monitoring-internal-elb_egress_any_any" {
@@ -149,7 +153,7 @@ resource "aws_security_group_rule" "monitoring-internal-elb_egress_any_any" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.monitoring_internal_elb.id}"
+ security_group_id = aws_security_group.monitoring_internal_elb.id
 }
 # Allows access to the monitoring machine from its ELB on specified ports
@@ -160,10 +164,10 @@ resource "aws_security_group_rule" "monitoring_ingress_monitoring-elb_syslog-tls
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.monitoring.id}"
+ security_group_id = aws_security_group.monitoring.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.monitoring_external_elb.id}"
+ source_security_group_id = aws_security_group.monitoring_external_elb.id
 }
 # Allows access to the monitoring ELB from fastly IPs on specified ports
@@ -172,6 +176,6 @@ resource "aws_security_group_rule" "monitoring-elb_ingress_fastly_syslog-tls" {
 from_port = 6514
 to_port = 6516
 protocol = "tcp"
- security_group_id = "${aws_security_group.monitoring_external_elb.id}"
+ security_group_id = aws_security_group.monitoring_external_elb.id
 cidr_blocks = data.fastly_ip_ranges.fastly.cidr_blocks
 }
diff --git a/terraform/projects/infra-security-groups/offsite_ssh.tf b/terraform/projects/infra-security-groups/offsite_ssh.tf
index 409ea94a2..7f3cde440 100644
--- a/terraform/projects/infra-security-groups/offsite_ssh.tf
+++ b/terraform/projects/infra-security-groups/offsite_ssh.tf
@@ -13,11 +13,15 @@
 resource "aws_security_group" "offsite_ssh" {
 name = "${var.stackname}_ssh_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to SSH and egress"
 tags = {
- Name = "${var.stackname}_ssh_access"
+ Name = "${var.stackname}_ssh_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "SSH Access"
 }
 }
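Review bot: The added `Environment = "${var.aws_environment}"` tag in the offsite_ssh hunk keeps the interpolation-only string wrapping that this same commit strips from every other attribute; it should read `Environment = var.aws_environment`, which is also the form `terraform fmt`/`validate` on 0.12+ expect (the quoted form is reported as deprecated there, as far as I recall). The identical line appears in the new tag blocks of prometheus.tf, puppetmaster.tf, rabbitmq.tf, rate-limit-redis.tf, related-links.tf, search-ltr-generation.tf, search.tf, shared-documentdb.tf, support-api.tf and transition-db-admin.tf in this diff. Because `Product` and `Owner` are now verbatim literals in every security group, a `locals { common_tags = { ... } }` map applied with `tags = merge(local.common_tags, { Name = "...", System = "..." })` (or the AWS provider's `default_tags`, if the pinned provider version supports it) would stop the ownership tags that inventory and alert routing key on from drifting between files.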
@@ -28,7 +32,7 @@ resource "aws_security_group_rule" "offsite-ssh_ingress_office-and-carrenza_ssh"
 protocol = "tcp"
 cidr_blocks = flatten(["${concat(var.gds_egress_ips, var.ithc_access_ips)}"])
- security_group_id = "${aws_security_group.offsite_ssh.id}"
+ security_group_id = aws_security_group.offsite_ssh.id
 }
 resource "aws_security_group_rule" "offsite-ssh_egress_any_any" {
@@ -37,5 +41,5 @@ resource "aws_security_group_rule" "offsite-ssh_egress_any_any" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.offsite_ssh.id}"
+ security_group_id = aws_security_group.offsite_ssh.id
 }
diff --git a/terraform/projects/infra-security-groups/outputs.tf b/terraform/projects/infra-security-groups/outputs.tf
index 733f00f4c..b19940422 100644
--- a/terraform/projects/infra-security-groups/outputs.tf
+++ b/terraform/projects/infra-security-groups/outputs.tf
@@ -3,23 +3,23 @@
 #
 output "sg_asset-master-efs_id" {
- value = "${aws_security_group.asset-master-efs.id}"
+ value = aws_security_group.asset-master-efs.id
 }
 output "sg_apt_external_elb_id" {
- value = "${aws_security_group.apt_external_elb.id}"
+ value = aws_security_group.apt_external_elb.id
 }
 output "sg_apt_id" {
- value = "${aws_security_group.apt.id}"
+ value = aws_security_group.apt.id
 }
 output "sg_apt_internal_elb_id" {
- value = "${aws_security_group.apt_internal_elb.id}"
+ value = aws_security_group.apt_internal_elb.id
 }
 output "sg_backend-redis_id" {
- value = "${aws_security_group.backend-redis.id}"
+ value = aws_security_group.backend-redis.id
 }
 output "sg_ci-agent-1_elb_id" {
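Review bot: The context line `cidr_blocks = flatten(["${concat(var.gds_egress_ips, var.ithc_access_ips)}"])` in the offsite-ssh_ingress_office-and-carrenza_ssh hunk still carries the legacy quoted interpolation while the `security_group_id` line right below it was converted; it appears untouched by this commit. On 0.12+ an interpolation-only string preserves the list type, so it still evaluates, but `cidr_blocks = concat(var.gds_egress_ips, var.ithc_access_ips)` states the SSH source allow-list directly and is easier to audit for which ranges may reach port 22. The enclosing rule block starts before the hunk.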
@@ -75,205 +75,205 @@ output "sg_ci-master_id" {
 }
 output "sg_ckan_elb_internal_id" {
- value = "${aws_security_group.ckan_elb_internal.id}"
+ value = aws_security_group.ckan_elb_internal.id
 }
 output "sg_ckan_elb_external_id" {
- value = "${aws_security_group.ckan_elb_external.id}"
+ value = aws_security_group.ckan_elb_external.id
 }
 output "sg_ckan_id" {
- value = "${aws_security_group.ckan.id}"
+ value = aws_security_group.ckan.id
 }
 output "sg_content-data-api-db-admin_id" {
- value = "${aws_security_group.content-data-api-db-admin.id}"
+ value = aws_security_group.content-data-api-db-admin.id
 }
 output "sg_content-data-api-postgresql-primary_id" {
- value = "${aws_security_group.content-data-api-postgresql-primary.id}"
+ value = aws_security_group.content-data-api-postgresql-primary.id
 }
 output "sg_db-admin_elb_id" {
- value = "${aws_security_group.db-admin_elb.id}"
+ value = aws_security_group.db-admin_elb.id
 }
 output "sg_db-admin_id" {
- value = "${aws_security_group.db-admin.id}"
+ value = aws_security_group.db-admin.id
 }
 output "sg_deploy_elb_id" {
- value = "${aws_security_group.deploy_elb.id}"
+ value = aws_security_group.deploy_elb.id
 }
 output "sg_deploy_internal_elb_id" {
- value = "${aws_security_group.deploy_internal_elb.id}"
+ value = aws_security_group.deploy_internal_elb.id
 }
 output "sg_deploy_id" {
- value = "${aws_security_group.deploy.id}"
+ value = aws_security_group.deploy.id
 }
 output "sg_docker_management_etcd_elb_id" {
- value = "${aws_security_group.docker_management_etcd_elb.id}"
+ value = aws_security_group.docker_management_etcd_elb.id
 }
 output "sg_docker_management_id" {
- value = "${aws_security_group.docker_management.id}"
+ value = aws_security_group.docker_management.id
 }
 output "sg_shared_documentdb_id" {
- value = "${aws_security_group.shared-documentdb.id}"
+ value = aws_security_group.shared-documentdb.id
 }
 output "sg_elasticsearch6_id" {
- value = "${aws_security_group.elasticsearch6.id}"
+ value = aws_security_group.elasticsearch6.id
 }
 output "sg_gatling_id" {
- value = "${aws_security_group.gatling.id}"
+ value = aws_security_group.gatling.id
 }
 output "sg_gatling_external_elb_id" {
- value = "${aws_security_group.gatling_external_elb.id}"
+ value = aws_security_group.gatling_external_elb.id
 }
 output "sg_graphite_id" {
- value = "${aws_security_group.graphite.id}"
+ value = aws_security_group.graphite.id
 }
 output "sg_prometheus_id" {
- value = "${aws_security_group.prometheus.id}"
+ value = aws_security_group.prometheus.id
 }
 output "sg_graphite_external_elb_id" {
- value = "${aws_security_group.graphite_external_elb.id}"
+ value = aws_security_group.graphite_external_elb.id
 }
 output "sg_prometheus_internal_elb_id" {
- value = "${aws_security_group.prometheus_internal_elb.id}"
+ value = aws_security_group.prometheus_internal_elb.id
 }
 output "sg_prometheus_external_elb_id" {
- value = "${aws_security_group.prometheus_external_elb.id}"
+ value = aws_security_group.prometheus_external_elb.id
 }
 output "sg_graphite_internal_elb_id" {
- value = "${aws_security_group.graphite_internal_elb.id}"
+ value = aws_security_group.graphite_internal_elb.id
 }
 output "sg_jumpbox_id" {
- value = "${aws_security_group.jumpbox.id}"
+ value = aws_security_group.jumpbox.id
 }
 output "sg_licensify_documentdb_id" {
- value = "${aws_security_group.licensify_documentdb.id}"
+ value = aws_security_group.licensify_documentdb.id
 }
 output "sg_licensify-frontend_external_elb_id" {
- value = "${aws_security_group.licensify-frontend_external_elb.id}"
+ value = aws_security_group.licensify-frontend_external_elb.id
 }
 output "sg_licensify-frontend_internal_lb_id" {
- value = "${aws_security_group.licensify-frontend_internal_lb.id}"
+ value = aws_security_group.licensify-frontend_internal_lb.id
 }
 output "sg_licensify-frontend_id" {
- value = "${aws_security_group.licensify-frontend.id}"
+ value = aws_security_group.licensify-frontend.id
 }
 output "sg_licensify-backend_external_elb_id" {
- value = "${aws_security_group.licensify-backend_external_elb.id}"
+ value = aws_security_group.licensify-backend_external_elb.id
 }
 output "sg_licensify-backend_internal_elb_id" {
- value = "${aws_security_group.licensify-backend_internal_elb.id}"
+ value = aws_security_group.licensify-backend_internal_elb.id
 }
 output "sg_licensify-backend_id" {
- value = "${aws_security_group.licensify-backend.id}"
+ value = aws_security_group.licensify-backend.id
 }
 output "sg_management_id" {
- value = "${aws_security_group.management.id}"
+ value = aws_security_group.management.id
 }
 output "sg_mirrorer_id" {
- value = "${aws_security_group.mirrorer.id}"
+ value = aws_security_group.mirrorer.id
 }
 output "sg_mongo_id" {
- value = "${aws_security_group.mongo.id}"
+ value = aws_security_group.mongo.id
 }
 output "sg_monitoring_id" {
- value = "${aws_security_group.monitoring.id}"
+ value = aws_security_group.monitoring.id
 }
 output "sg_monitoring_external_elb_id" {
- value = "${aws_security_group.monitoring_external_elb.id}"
+ value = aws_security_group.monitoring_external_elb.id
 }
 output "sg_monitoring_internal_elb_id" {
- value = "${aws_security_group.monitoring_internal_elb.id}"
+ value = aws_security_group.monitoring_internal_elb.id
 }
 output "sg_puppetmaster_elb_id" {
- value = "${aws_security_group.puppetmaster_elb.id}"
+ value = aws_security_group.puppetmaster_elb.id
 }
 output "sg_puppetmaster_id" {
- value = "${aws_security_group.puppetmaster.id}"
+ value = aws_security_group.puppetmaster.id
 }
 output "sg_rabbitmq_elb_id" {
- value = "${aws_security_group.rabbitmq_elb.id}"
+ value = aws_security_group.rabbitmq_elb.id
 }
 output "sg_rabbitmq_id" {
- value = "${aws_security_group.rabbitmq.id}"
+ value = aws_security_group.rabbitmq.id
 }
 output "sg_rate-limit-redis_id" {
- value = "${aws_security_group.rate-limit-redis.id}"
+ value = aws_security_group.rate-limit-redis.id
 }
 output "sg_router-backend_id" {
- value = "${aws_security_group.router-backend.id}"
+ value = aws_security_group.router-backend.id
 }
 output "sg_search_id" {
- value = "${aws_security_group.search.id}"
+ value = aws_security_group.search.id
 }
 output "sg_search-ltr-generation_id" {
- value = "${aws_security_group.search-ltr-generation.id}"
+ value = aws_security_group.search-ltr-generation.id
 }
 output "sg_transition-db-admin_elb_id" {
- value = "${aws_security_group.transition-db-admin_elb.id}"
+ value = aws_security_group.transition-db-admin_elb.id
 }
 output "sg_transition-db-admin_id" {
- value = "${aws_security_group.transition-db-admin.id}"
+ value = aws_security_group.transition-db-admin.id
 }
 output "sg_transition-postgresql-primary_id" {
- value = "${aws_security_group.transition-postgresql-primary.id}"
+ value = aws_security_group.transition-postgresql-primary.id
 }
 output "sg_transition-postgresql-standby_id" {
- value = "${aws_security_group.transition-postgresql-standby.id}"
+ value = aws_security_group.transition-postgresql-standby.id
 }
 output "sg_offsite_ssh_id" {
- value = "${aws_security_group.offsite_ssh.id}"
+ value = aws_security_group.offsite_ssh.id
 }
 output "sg_related-links_id" {
- value = "${aws_security_group.related-links.id}"
+ value = aws_security_group.related-links.id
 }
 output "gds_egress_ips" {
- value = "${var.gds_egress_ips}"
+ value = var.gds_egress_ips
 }
diff --git a/terraform/projects/infra-security-groups/prometheus.tf b/terraform/projects/infra-security-groups/prometheus.tf
index 49df4313b..ff587bf61 100644
--- a/terraform/projects/infra-security-groups/prometheus.tf
+++ b/terraform/projects/infra-security-groups/prometheus.tf
@@ -14,11 +14,15 @@
 resource "aws_security_group" "prometheus" {
 name = "${var.stackname}_prometheus"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to prometheus instance from the prometheus LB"
 tags = {
- Name = "${var.stackname}_prometheus"
+ Name = "${var.stackname}_prometheus"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Prometheus"
 }
 }
@@ -29,15 +33,15 @@ resource "aws_security_group_rule" "prometheuselb_ingress_prometheus_http" {
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.prometheus.id}"
+ security_group_id = aws_security_group.prometheus.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.prometheus_external_elb.id}"
+ source_security_group_id = aws_security_group.prometheus_external_elb.id
 }
 resource "aws_security_group" "prometheus_internal_elb" {
 name = "${var.stackname}_prometheus_internal_elb"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Prometheus Internal LB"
 tags = {
@@ -52,10 +56,10 @@ resource "aws_security_group_rule" "prometheus-internal-elb_ingress_prometheus_h
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.prometheus.id}"
+ security_group_id = aws_security_group.prometheus.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.prometheus_internal_elb.id}"
+ source_security_group_id = aws_security_group.prometheus_internal_elb.id
 }
 resource "aws_security_group_rule" "prometheus-internal-elb_egress_prometheus_http" {
@@ -65,10 +69,10 @@ resource "aws_security_group_rule" "prometheus-internal-elb_egress_prometheus_ht
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.prometheus_internal_elb.id}"
+ security_group_id = aws_security_group.prometheus_internal_elb.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.prometheus.id}"
+ source_security_group_id = aws_security_group.prometheus.id
 }
 resource "aws_security_group_rule" "prometheus-internal-elb_ingress_grafana_https" {
@@ -78,15 +82,15 @@ resource "aws_security_group_rule" "prometheus-internal-elb_ingress_grafana_http
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.prometheus_internal_elb.id}"
+ security_group_id = aws_security_group.prometheus_internal_elb.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.graphite.id}" # Note: Grafana runs on the graphite VM
+ source_security_group_id = aws_security_group.graphite.id # Note: Grafana runs on the graphite VM
 }
 resource "aws_security_group" "prometheus_external_elb" {
 name = "${var.stackname}_prometheus_external_elb"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to prometheus LB"
 tags = {
@@ -101,7 +105,7 @@ resource "aws_security_group_rule" "prometheus-elb_ingress_officeips_https" {
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.prometheus_external_elb.id}"
+ security_group_id = aws_security_group.prometheus_external_elb.id
 # Which security group can use this rule
 cidr_blocks = var.gds_egress_ips
@@ -114,8 +118,8 @@ resource "aws_security_group_rule" "prometheus-elb_egress_prometheus_http" {
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.prometheus_external_elb.id}"
+ security_group_id = aws_security_group.prometheus_external_elb.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.prometheus.id}"
+ source_security_group_id = aws_security_group.prometheus.id
 }
diff --git a/terraform/projects/infra-security-groups/puppetmaster.tf b/terraform/projects/infra-security-groups/puppetmaster.tf
index 4f873cd56..3ad5c0419 100644
--- a/terraform/projects/infra-security-groups/puppetmaster.tf
+++ b/terraform/projects/infra-security-groups/puppetmaster.tf
@@ -13,11 +13,15 @@
 resource "aws_security_group" "puppetmaster" {
 name = "${var.stackname}_puppetmaster_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to the puppetmaster from its ELB"
 tags = {
- Name = "${var.stackname}_puppetmaster_access"
+ Name = "${var.stackname}_puppetmaster_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Puppetmaster"
 }
 }
@@ -28,10 +32,10 @@ resource "aws_security_group_rule" "puppetmaster_ingress_puppetmaster-elb_puppet
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.puppetmaster.id}"
+ security_group_id = aws_security_group.puppetmaster.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.puppetmaster_elb.id}"
+ source_security_group_id = aws_security_group.puppetmaster_elb.id
 }
 # PuppetDB
@@ -42,15 +46,15 @@ resource "aws_security_group_rule" "puppetmaster_ingress_puppetmaster-elb_http"
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.puppetmaster.id}"
+ security_group_id = aws_security_group.puppetmaster.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.puppetmaster_elb.id}"
+ source_security_group_id = aws_security_group.puppetmaster_elb.id
 }
 resource "aws_security_group" "puppetmaster_elb" {
 name = "${var.stackname}_puppetmaster_elb_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access the puppetmaster ELB"
 tags = {
@@ -64,8 +68,8 @@ resource "aws_security_group_rule" "puppetmaster-elb_ingress_management_puppet"
 to_port = 8140
 protocol = "tcp"
- security_group_id = "${aws_security_group.puppetmaster_elb.id}"
- source_security_group_id = "${aws_security_group.management.id}"
+ security_group_id = aws_security_group.puppetmaster_elb.id
+ source_security_group_id = aws_security_group.management.id
 }
 # This allows the unattended reboot monitoring script to work
@@ -75,8 +79,8 @@ resource "aws_security_group_rule" "puppetmaster-elb_ingress_monitoring_https" {
 to_port = 443
 protocol = "tcp"
- security_group_id = "${aws_security_group.puppetmaster_elb.id}"
- source_security_group_id = "${aws_security_group.monitoring.id}"
+ security_group_id = aws_security_group.puppetmaster_elb.id
+ source_security_group_id = aws_security_group.monitoring.id
 }
 # This allows full use of our Fabric scripts
@@ -86,8 +90,8 @@ resource "aws_security_group_rule" "puppetmaster-elb_ingress_jumpbox_https" {
 to_port = 443
 protocol = "tcp"
- security_group_id = "${aws_security_group.puppetmaster_elb.id}"
- source_security_group_id = "${aws_security_group.jumpbox.id}"
+ security_group_id = aws_security_group.puppetmaster_elb.id
+ source_security_group_id = aws_security_group.jumpbox.id
 }
 resource "aws_security_group_rule" "puppetmaster-elb_egress_any_any" {
@@ -96,5 +100,5 @@ resource "aws_security_group_rule" "puppetmaster-elb_egress_any_any" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.puppetmaster_elb.id}"
+ security_group_id = aws_security_group.puppetmaster_elb.id
 }
diff --git a/terraform/projects/infra-security-groups/rabbitmq.tf b/terraform/projects/infra-security-groups/rabbitmq.tf
index 71845bb28..81dbb5585 100644
--- a/terraform/projects/infra-security-groups/rabbitmq.tf
+++ b/terraform/projects/infra-security-groups/rabbitmq.tf
@@ -13,11 +13,15 @@
 resource "aws_security_group" "rabbitmq" {
 name = "${var.stackname}_rabbitmq_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to the rabbitmq host from its ELB"
 tags = {
- Name = "${var.stackname}_rabbitmq_access"
+ Name = "${var.stackname}_rabbitmq_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Rabbitmq"
 }
 }
@@ -28,10 +32,10 @@ resource "aws_security_group_rule" "rabbitmq_ingress_rabbitmq-elb_amqp" {
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.rabbitmq.id}"
+ security_group_id = aws_security_group.rabbitmq.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.rabbitmq_elb.id}"
+ source_security_group_id = aws_security_group.rabbitmq_elb.id
 }
 resource "aws_security_group_rule" "rabbitmq_ingress_rabbitmq-elb_rabbitmq-stomp" {
@@ -41,10 +45,10 @@ resource "aws_security_group_rule" "rabbitmq_ingress_rabbitmq-elb_rabbitmq-stomp
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.rabbitmq.id}"
+ security_group_id = aws_security_group.rabbitmq.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.rabbitmq_elb.id}"
+ source_security_group_id = aws_security_group.rabbitmq_elb.id
 }
 resource "aws_security_group_rule" "rabbitmq_ingress_rabbitmq_rabbitmq-transport" {
@@ -54,10 +58,10 @@ resource "aws_security_group_rule" "rabbitmq_ingress_rabbitmq_rabbitmq-transport
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.rabbitmq.id}"
+ security_group_id = aws_security_group.rabbitmq.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.rabbitmq.id}"
+ source_security_group_id = aws_security_group.rabbitmq.id
 }
 resource "aws_security_group_rule" "rabbitmq_ingress_rabbitmq_rabbitmq-epmd" {
@@ -67,15 +71,15 @@ resource "aws_security_group_rule" "rabbitmq_ingress_rabbitmq_rabbitmq-epmd" {
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.rabbitmq.id}"
+ security_group_id = aws_security_group.rabbitmq.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.rabbitmq.id}"
+ source_security_group_id = aws_security_group.rabbitmq.id
 }
 resource "aws_security_group" "rabbitmq_elb" {
 name = "${var.stackname}_rabbitmq_elb_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access the rabbitmq Internal ELB"
 tags = {
@@ -90,8 +94,8 @@ resource "aws_security_group_rule" "rabbitmq-elb_ingress_management_amqp" {
 to_port = 5672
 protocol = "tcp"
- security_group_id = "${aws_security_group.rabbitmq_elb.id}"
- source_security_group_id = "${aws_security_group.management.id}"
+ security_group_id = aws_security_group.rabbitmq_elb.id
+ source_security_group_id = aws_security_group.management.id
 }
 resource "aws_security_group_rule" "rabbitmq-elb_ingress_management_rabbitmq-stomp" {
@@ -100,8 +104,8 @@ resource "aws_security_group_rule" "rabbitmq-elb_ingress_management_rabbitmq-sto
 to_port = 6163
 protocol = "tcp"
- security_group_id = "${aws_security_group.rabbitmq_elb.id}"
- source_security_group_id = "${aws_security_group.management.id}"
+ security_group_id = aws_security_group.rabbitmq_elb.id
+ source_security_group_id = aws_security_group.management.id
 }
 resource "aws_security_group_rule" "rabbitmq-elb_egress_any_any" {
@@ -110,5 +114,5 @@ resource "aws_security_group_rule" "rabbitmq-elb_egress_any_any" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.rabbitmq_elb.id}"
+ security_group_id = aws_security_group.rabbitmq_elb.id
 }
diff --git a/terraform/projects/infra-security-groups/rate-limit-redis.tf b/terraform/projects/infra-security-groups/rate-limit-redis.tf
index cb787a224..d60d0b531 100644
--- a/terraform/projects/infra-security-groups/rate-limit-redis.tf
+++ b/terraform/projects/infra-security-groups/rate-limit-redis.tf
@@ -13,10 +13,14 @@
 resource "aws_security_group" "rate-limit-redis" {
 name = "${var.stackname}_rate-limit-redis_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to rate-limit-redis from its clients"
 tags = {
- Name = "${var.stackname}_rate-limit-redis_access"
+ Name = "${var.stackname}_rate-limit-redis_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Redis Rate Limit"
 }
 }
diff --git a/terraform/projects/infra-security-groups/related-links.tf b/terraform/projects/infra-security-groups/related-links.tf
index 0ccd8a2fd..7066bf04e 100644
--- a/terraform/projects/infra-security-groups/related-links.tf
+++ b/terraform/projects/infra-security-groups/related-links.tf
@@ -1,10 +1,14 @@
 resource "aws_security_group" "related-links" {
 name = "related-links_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 tags = {
- Name = "related-links"
+ Name = "related-links"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Related Links"
 }
 }
@@ -14,9 +18,9 @@ resource "aws_security_group_rule" "related-links_ingress_jenkins_ssh" {
 from_port = 22
 to_port = 22
- source_security_group_id = "${aws_security_group.deploy.id}"
+ source_security_group_id = aws_security_group.deploy.id
- security_group_id = "${aws_security_group.related-links.id}"
+ security_group_id = aws_security_group.related-links.id
 }
 resource "aws_security_group_rule" "related-links_egress_any_any" {
@@ -26,5 +30,5 @@ resource "aws_security_group_rule" "related-links_egress_any_any" {
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.related-links.id}"
+ security_group_id = aws_security_group.related-links.id
 }
diff --git a/terraform/projects/infra-security-groups/remote_state.tf b/terraform/projects/infra-security-groups/remote_state.tf
index 710cbc547..9f9bfe97c 100644
--- a/terraform/projects/infra-security-groups/remote_state.tf
+++ b/terraform/projects/infra-security-groups/remote_state.tf
@@ -1,5 +1,5 @@
 variable "remote_state_infra_networking_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_networking remote state path"
 default = ""
 }
diff --git a/terraform/projects/infra-security-groups/router-backend.tf b/terraform/projects/infra-security-groups/router-backend.tf
index 234df5541..45b17ee7c 100644
--- a/terraform/projects/infra-security-groups/router-backend.tf
+++ b/terraform/projects/infra-security-groups/router-backend.tf
@@ -14,7 +14,7 @@
 #
 resource "aws_security_group" "router-backend" {
 name = "${var.stackname}_router-backend_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to router-backend"
 tags = {
@@ -30,16 +30,16 @@ resource "aws_security_group_rule" "router-backend_ingress_router-backend_mongo"
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.router-backend.id}"
+ security_group_id = aws_security_group.router-backend.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.router-backend.id}"
+ source_security_group_id = aws_security_group.router-backend.id
 }
 resource "aws_security_group" "router-backend_ithc_access" {
- count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}"
+ count = length(var.ithc_access_ips) > 0 ? 1 : 0
 name = "${var.stackname}_router-backend_ithc_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Control access to ITHC SSH"
 tags = {
@@ -48,11 +48,11 @@ resource "aws_security_group" "router-backend_ithc_access" {
 }
 resource "aws_security_group_rule" "ithc_ingress_router-backend_ssh" {
- count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}"
+ count = length(var.ithc_access_ips) > 0 ? 1 : 0
 type = "ingress"
 to_port = 22
 from_port = 22
 protocol = "tcp"
- cidr_blocks = "${var.ithc_access_ips}"
- security_group_id = "${aws_security_group.router-backend_ithc_access[0].id}"
+ cidr_blocks = var.ithc_access_ips
+ security_group_id = aws_security_group.router-backend_ithc_access[0].id
 }
diff --git a/terraform/projects/infra-security-groups/search-ltr-generation.tf b/terraform/projects/infra-security-groups/search-ltr-generation.tf
index 84929e240..3cc46c80f 100644
--- a/terraform/projects/infra-security-groups/search-ltr-generation.tf
+++ b/terraform/projects/infra-security-groups/search-ltr-generation.tf
@@ -1,10 +1,14 @@
 resource "aws_security_group" "search-ltr-generation" {
 name = "search-ltr-generation_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 tags = {
- Name = "search-ltr-generation"
+ Name = "search-ltr-generation"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Search LTR Generation"
 }
 }
@@ -13,9 +17,9 @@ resource "aws_security_group_rule" "search-ltr-generation_ingress_jenkins_ssh" {
 protocol = "tcp"
 from_port = 22
 to_port = 22
- source_security_group_id = "${aws_security_group.deploy.id}"
+ source_security_group_id = aws_security_group.deploy.id
- security_group_id = "${aws_security_group.search-ltr-generation.id}"
+ security_group_id = aws_security_group.search-ltr-generation.id
 }
 resource "aws_security_group_rule" "search-ltr-generation_egress_any_any" {
@@ -25,5 +29,5 @@ resource "aws_security_group_rule" "search-ltr-generation_egress_any_any" {
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.search-ltr-generation.id}"
+ security_group_id = aws_security_group.search-ltr-generation.id
 }
diff --git a/terraform/projects/infra-security-groups/search.tf b/terraform/projects/infra-security-groups/search.tf
index f1df99048..971083211 100644
--- a/terraform/projects/infra-security-groups/search.tf
+++ b/terraform/projects/infra-security-groups/search.tf
@@ -13,18 +13,22 @@
 resource "aws_security_group" "search" {
 name = "${var.stackname}_search_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to the search host from its ELB"
 tags = {
- Name = "${var.stackname}_search_access"
+ Name = "${var.stackname}_search_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Search"
 }
 }
 resource "aws_security_group" "search_ithc_access" {
- count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}"
+ count = length(var.ithc_access_ips) > 0 ? 1 : 0
 name = "${var.stackname}_search_ithc_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Control access to ITHC SSH"
 tags = {
@@ -33,11 +37,11 @@ resource "aws_security_group" "search_ithc_access" {
 }
 resource "aws_security_group_rule" "ithc_ingress_search_ssh" {
- count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}"
+ count = length(var.ithc_access_ips) > 0 ? 1 : 0
 type = "ingress"
 to_port = 22
 from_port = 22
 protocol = "tcp"
- cidr_blocks = "${var.ithc_access_ips}"
- security_group_id = "${aws_security_group.search_ithc_access[0].id}"
+ cidr_blocks = var.ithc_access_ips
+ security_group_id = aws_security_group.search_ithc_access[0].id
 }
diff --git a/terraform/projects/infra-security-groups/shared-documentdb.tf b/terraform/projects/infra-security-groups/shared-documentdb.tf
index 835823067..f9ec6ba7e 100644
--- a/terraform/projects/infra-security-groups/shared-documentdb.tf
+++ b/terraform/projects/infra-security-groups/shared-documentdb.tf
@@ -10,11 +10,15 @@ resource "aws_security_group" "shared-documentdb" {
 name = "${var.stackname}_shared_documentdb_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to Shared Documentdb from its clients"
 tags = {
- Name = "${var.stackname}_shared_documentdb_access"
+ Name = "${var.stackname}_shared_documentdb_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Shared Document DB"
 }
 }
@@ -25,8 +29,8 @@ resource "aws_security_group_rule" "shared-documentdb_ingress_db-admin_mongodb"
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.shared-documentdb.id}"
+ security_group_id = aws_security_group.shared-documentdb.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.db-admin.id}"
+ source_security_group_id = aws_security_group.db-admin.id
 }
diff --git a/terraform/projects/infra-security-groups/support-api.tf b/terraform/projects/infra-security-groups/support-api.tf
index 423cdeef8..cac6111f2 100644
--- a/terraform/projects/infra-security-groups/support-api.tf
+++ b/terraform/projects/infra-security-groups/support-api.tf
@@ -12,11 +12,15 @@ resource "aws_security_group" "support-api_external_elb" {
 name = "${var.stackname}_support-api_external_elb_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access the support-api external ELB"
 tags = {
- Name = "${var.stackname}_support-api_external_elb_access"
+ Name = "${var.stackname}_support-api_external_elb_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Support API"
 }
 }
@@ -26,15 +30,15 @@ resource "aws_security_group_rule" "support-api_egress_external_elb_any_any" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.support-api_external_elb.id}"
+ security_group_id = aws_security_group.support-api_external_elb.id
 }
 resource "aws_security_group_rule" "ithc_ingress_support-api_https" {
- count = "${length(var.ithc_access_ips) > 0 ? 1 : 0}"
+ count = length(var.ithc_access_ips) > 0 ? 1 : 0
 type = "ingress"
 to_port = 443
 from_port = 443
 protocol = "tcp"
- cidr_blocks = "${var.ithc_access_ips}"
- security_group_id = "${aws_security_group.support-api_external_elb.id}"
+ cidr_blocks = var.ithc_access_ips
+ security_group_id = aws_security_group.support-api_external_elb.id
 }
diff --git a/terraform/projects/infra-security-groups/transition-db-admin.tf b/terraform/projects/infra-security-groups/transition-db-admin.tf
index 27b6142bb..6268cb033 100644
--- a/terraform/projects/infra-security-groups/transition-db-admin.tf
+++ b/terraform/projects/infra-security-groups/transition-db-admin.tf
@@ -13,11 +13,15 @@ resource "aws_security_group" "transition-db-admin" {
 name = "${var.stackname}_transition-db-admin_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to the transition-db-admin host from its ELB"
 tags = {
- Name = "${var.stackname}_transition-db-admin_access"
+ Name = "${var.stackname}_transition-db-admin_access"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Transition DB"
 }
 }
@@ -28,15 +32,15 @@ resource "aws_security_group_rule" "transition-db-admin_ingress_transition-db-ad
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.transition-db-admin.id}"
+ security_group_id = aws_security_group.transition-db-admin.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.transition-db-admin_elb.id}"
+ source_security_group_id = aws_security_group.transition-db-admin_elb.id
 }
 resource "aws_security_group" "transition-db-admin_elb" {
 name = "${var.stackname}_transition-db-admin_elb_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access the transition-db-admin ELB"
 tags = {
@@ -50,8 +54,8 @@ resource "aws_security_group_rule" "transition-db-admin-elb_ingress_management_s
 to_port = 22
 protocol = "tcp"
- security_group_id = "${aws_security_group.transition-db-admin_elb.id}"
- source_security_group_id = "${aws_security_group.management.id}"
+ security_group_id = aws_security_group.transition-db-admin_elb.id
+ source_security_group_id = aws_security_group.management.id
 }
 resource "aws_security_group_rule" "transition-db-admin-elb_egress_any_any" {
@@ -60,5 +64,5 @@ resource "aws_security_group_rule" "transition-db-admin-elb_egress_any_any" {
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.transition-db-admin_elb.id}"
+ security_group_id = aws_security_group.transition-db-admin_elb.id
 }
diff --git a/terraform/projects/infra-security-groups/transition-postgresql.tf b/terraform/projects/infra-security-groups/transition-postgresql.tf
index 506415385..9545df32f 100644
--- a/terraform/projects/infra-security-groups/transition-postgresql.tf
+++ b/terraform/projects/infra-security-groups/transition-postgresql.tf
@@ -10,7 +10,7 @@ resource "aws_security_group" "transition-postgresql-primary" {
 name = "${var.stackname}_transition-postgresql-primary_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to transition-postgresql-primary from its clients"
 tags = {
@@ -20,7 +20,7 @@ resource "aws_security_group" "transition-postgresql-primary" {
 resource "aws_security_group" "transition-postgresql-standby" {
 name = "${var.stackname}_transition-postgresql-standby_access"
- vpc_id = "${data.terraform_remote_state.infra_vpc.outputs.vpc_id}"
+ vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
 description = "Access to transition-postgresql-standby from its clients"
 tags = {
@@ -35,8 +35,8 @@ resource "aws_security_group_rule" "transition-postgresql-primary_ingress_db-adm
 protocol = "tcp"
 # Which security group is the rule assigned to
- security_group_id = "${aws_security_group.transition-postgresql-primary.id}"
+ security_group_id = aws_security_group.transition-postgresql-primary.id
 # Which security group can use this rule
- source_security_group_id = "${aws_security_group.transition-db-admin.id}"
+ source_security_group_id = aws_security_group.transition-db-admin.id
 }
diff --git a/terraform/projects/infra-security-groups/variables.tf b/terraform/projects/infra-security-groups/variables.tf
index c5876677e..c714f57a7 100644
--- a/terraform/projects/infra-security-groups/variables.tf
+++ b/terraform/projects/infra-security-groups/variables.tf
@@ -3,63 +3,63 @@
 #
 variable "aws_region" {
- type = "string"
+ type = string
 description = "AWS region"
 default = "eu-west-1"
 }
 variable "stackname" {
- type = "string"
+ type = string
 description = "The name of the stack being built. Must be unique within the environment as it's used for disambiguation."
 }
 variable "remote_state_bucket" {
- type = "string"
+ type = string
 description = "S3 bucket we store our terraform state in"
 }
 variable "remote_state_infra_vpc_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_vpc remote state path"
 default = ""
 }
 variable "gds_egress_ips" {
- type = "list"
+ type = list(string)
 description = "An array of CIDR blocks that will be allowed offsite access."
 }
 variable "traffic_replay_ips" {
- type = "list"
+ type = list(string)
 description = "An array of CIDR blocks that will replay traffic against an environment"
 }
 variable "paas_ireland_egress_ips" {
- type = "list"
+ type = list(string)
 description = "An array of CIDR blocks that are used for egress from the GOV.UK PaaS Ireland region"
 default = []
 }
 variable "paas_london_egress_ips" {
- type = "list"
+ type = list(string)
 description = "An array of CIDR blocks that are used for egress from the GOV.UK PaaS London region"
 default = []
 }
 variable "ithc_access_ips" {
- type = "list"
+ type = list(string)
 description = "An array of CIDR blocks that will be allowed temporary access for ITHC purposes."
 default = []
 }
 variable "aws_integration_external_nat_gateway_ips" {
- type = "list"
+ type = list(string)
 description = "An array of public IPs of the AWS integration external NAT gateways."
 default = []
 }
 variable "aws_staging_external_nat_gateway_ips" {
- type = "list"
+ type = list(string)
 description = "An array of public IPs of the AWS staging external NAT gateways."
 default = []
 }
diff --git a/terraform/projects/infra-specialist-publisher/main.tf b/terraform/projects/infra-specialist-publisher/main.tf
index be87b4d75..245b8f102 100644
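Review bot: The new `Environment` tags added throughout this project reference `var.aws_environment`, but this variables.tf hunk declares no variable of that name — only `aws_region`, `stackname`, the remote-state keys and the IP lists. Presumably it is declared in another file of infra-security-groups (main.tf, say); if it is not, `terraform validate` will reject every tagged security group, so it is worth confirming before merge. The `list(string)` conversions are the right shape for these CIDR and IP lists, and keeping `default = []` on `ithc_access_ips` means the count-gated ITHC rules stay absent unless a stack explicitly supplies addresses, which is the correct default for a temporary-access hole.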
--- a/terraform/projects/infra-specialist-publisher/main.tf
+++ b/terraform/projects/infra-specialist-publisher/main.tf
@@ -5,18 +5,18 @@
 */
 variable "aws_region" {
- type = "string"
+ type = string
 description = "AWS region"
 default = "eu-west-1"
 }
 variable "aws_environment" {
- type = "string"
+ type = string
 description = "AWS Environment"
 }
 variable "stackname" {
- type = "string"
+ type = string
 description = "Stackname"
 }
@@ -28,7 +28,7 @@ terraform {
 }
 provider "aws" {
- region = "${var.aws_region}"
+ region = var.aws_region
 version = "2.46.0"
 }
@@ -38,10 +38,14 @@ resource "aws_s3_bucket" "specialist_publisher_csvs" {
 tags = {
 name = "govuk-${var.aws_environment}-specialist-publisher-csvs"
 aws_environment = "${var.aws_environment}"
+ Environment = "${var.aws_environment}"
+ Product = "GOVUK"
+ Owner = "govuk-replatforming-team@digital.cabinet-office.gov.uk"
+ System = "Specialist Publisher"
 }
 logging {
- target_bucket = "${data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id}"
+ target_bucket = data.terraform_remote_state.infra_monitoring.outputs.aws_logging_bucket_id
 target_prefix = "s3/govuk-${var.aws_environment}-specialist-publisher-csvs/"
 }
 }
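Review bot: `aws_s3_bucket.specialist_publisher_csvs` now carries the same value under two keys, `aws_environment` and `Environment`, and keeps a lower-case `name` tag where every other resource in this commit uses `Name`; two spellings of one fact drift the first time only one of them is edited. If nothing consumes the lower-case keys, replace them instead of adding alongside — `Name = "govuk-${var.aws_environment}-specialist-publisher-csvs"` and `Environment = var.aws_environment` — and if something does, a one-line comment naming the tool that reads `aws_environment` would stop the next reviewer from deleting it. The resource opens before this hunk, so its remaining arguments are not visible here.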
@@ -52,18 +56,18 @@ resource "aws_iam_user" "specialist_publisher_app" {
 resource "aws_iam_policy" "s3_writer" {
 name = "govuk-${var.aws_environment}-specialist-publisher-app-s3-writer-policy"
- policy = "${data.template_file.s3_writer_policy_template.rendered}"
+ policy = data.template_file.s3_writer_policy_template.rendered
 description = "Allows writing to the govuk-${var.aws_environment}-specialist-publisher-csvs S3 bucket"
 }
 resource "aws_iam_policy_attachment" "s3_writer" {
 name = "archive-writer-policy-attachment"
 users = ["${aws_iam_user.specialist_publisher_app.name}"]
- policy_arn = "${aws_iam_policy.s3_writer.arn}"
+ policy_arn = aws_iam_policy.s3_writer.arn
 }
 data "template_file" "s3_writer_policy_template" {
- template = "${file("${path.module}/../../policies/specialist_publisher_s3_writer_policy.tpl")}"
+ template = file("${path.module}/../../policies/specialist_publisher_s3_writer_policy.tpl")
 vars = {
 aws_environment = "${var.aws_environment}"
@@ -75,6 +79,6 @@ data "template_file" "s3_writer_policy_template" {
 # --------------------------------------------------------------
 output "s3_writer_bucket_policy_arn" {
- value = "${aws_iam_policy.s3_writer.arn}"
+ value = aws_iam_policy.s3_writer.arn
 description = "ARN of the S3 writer bucket policy"
 }
diff --git a/terraform/projects/infra-specialist-publisher/remote_state.tf b/terraform/projects/infra-specialist-publisher/remote_state.tf
index 224120830..9663ef63f 100644
--- a/terraform/projects/infra-specialist-publisher/remote_state.tf
+++ b/terraform/projects/infra-specialist-publisher/remote_state.tf
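Review bot: `users = ["${aws_iam_user.specialist_publisher_app.name}"]` in `aws_iam_policy_attachment.s3_writer` is left in the 0.11 interpolation form while the `policy_arn` line beneath it is converted; it should become `users = [aws_iam_user.specialist_publisher_app.name]`. While this resource is being touched, note that `aws_iam_policy_attachment` is exclusive — Terraform will detach `s3_writer` from any user, group or role attached outside this configuration — so for a single user the non-exclusive `aws_iam_user_policy_attachment` with `user = aws_iam_user.specialist_publisher_app.name` and `policy_arn = aws_iam_policy.s3_writer.arn` is the safer form (a follow-up, since it replaces the resource). The `data "template_file"` block could likewise become the 0.12 built-in `templatefile("${path.module}/../../policies/specialist_publisher_s3_writer_policy.tpl", { aws_environment = var.aws_environment })`, dropping the external template provider; its `vars` map continues outside the hunk.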
@@ -7,42 +7,42 @@
 */
 variable "remote_state_bucket" {
- type = "string"
+ type = string
 description = "S3 bucket we store our terraform state in"
 }
 variable "remote_state_infra_vpc_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_vpc remote state path"
 default = ""
 }
 variable "remote_state_infra_networking_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_networking remote state path"
 default = ""
 }
 variable "remote_state_infra_security_groups_key_stack" {
- type = "string"
+ type = string
 description = "Override infra_security_groups stackname path to infra_vpc remote state "
 default = ""
 }
 variable "remote_state_infra_root_dns_zones_key_stack" {
- type = "string"
+ type = string
 description = "Override stackname path to infra_root_dns_zones remote state "
 default = ""
 }
 variable "remote_state_infra_stack_dns_zones_key_stack" {
- type = "string"
+ type = string
 description = "Override stackname path to infra_stack_dns_zones remote state "
 default = ""
 }
 variable "remote_state_infra_monitoring_key_stack" {
- type = "string"
+ type = string
 description = "Override stackname path to infra_monitoring remote state "
 default = ""
 }
diff --git a/terraform/projects/infra-splunk/main.tf b/terraform/projects/infra-splunk/main.tf
index 82b1a7290..7e15c6ed1 100644
--- a/terraform/projects/infra-splunk/main.tf
+++ b/terraform/projects/infra-splunk/main.tf
@@ -5,7 +5,7 @@
 */
 variable "aws_region" {
- type = "string"
+ type = string
 description = "AWS region"
 default = "eu-west-1"
 }
@@ -18,7 +18,7 @@ terraform {
 }
 provider "aws" {
- region = "${var.aws_region}"
+ region = var.aws_region
 version = "2.46.0"
 }
@@ -44,7 +44,7 @@ EOF
 resource "aws_iam_role_policy" "splunk_aws_ro_policy" {
 name = "policy"
- role = "${aws_iam_role.splunk_aws_ro_role.id}"
+ role = aws_iam_role.splunk_aws_ro_role.id
 policy = <