diff --git a/.github/workflows/terragrunt-apply-production.yml b/.github/workflows/terragrunt-apply-production.yml
index 9b56b860f..36371310a 100644
--- a/.github/workflows/terragrunt-apply-production.yml
+++ b/.github/workflows/terragrunt-apply-production.yml
@@ -22,7 +22,6 @@ env:
 TERRAGRUNT_VERSION: 0.63.2
 TF_INPUT: false
 # API
- FF_API: true
 TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}
 # App
 TF_VAR_ecs_secret_token: ${{ secrets.PRODUCTION_TOKEN_SECRET }}
@@ -42,7 +41,6 @@ env:
 TF_VAR_email_address_support: ${{ vars.PRODUCTION_SUPPORT_EMAIL }}
 TF_VAR_zitadel_provider: ${{ vars.PRODUCTION_ZITADEL_PROVIDER }}
 # IdP
- FF_IDP: true
 TF_VAR_idp_database_cluster_admin_username: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
 TF_VAR_idp_database_cluster_admin_password: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
 TF_VAR_zitadel_admin_password: ${{ secrets.PRODUCTION_ZITADEL_ADMIN_PASSWORD }}
diff --git a/.github/workflows/terragrunt-apply-staging.yml b/.github/workflows/terragrunt-apply-staging.yml
index b4688a41d..d13cc841c 100644
--- a/.github/workflows/terragrunt-apply-staging.yml
+++ b/.github/workflows/terragrunt-apply-staging.yml
@@ -27,7 +27,6 @@ env:
 TERRAGRUNT_VERSION: 0.63.2
 TF_INPUT: false
 # API
- FF_API: true
 TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
 # App
 TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
@@ -49,7 +48,6 @@ env:
 TF_VAR_zitadel_provider: ${{ vars.STAGING_ZITADEL_PROVIDER }}
 TF_VAR_zitadel_administration_key: ${{ secrets.STAGING_ZITADEL_ADMINISTRATION_KEY }}
 # IdP
- FF_IDP: true
 TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
 TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
 TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}
diff --git a/.github/workflows/terragrunt-plan-all-staging.yml b/.github/workflows/terragrunt-plan-all-staging.yml
index 35f744581..30f8164b8 100644
--- a/.github/workflows/terragrunt-plan-all-staging.yml
+++ b/.github/workflows/terragrunt-plan-all-staging.yml
@@ -19,7 +19,6 @@ env:
 TERRAGRUNT_VERSION: 0.63.2
 TF_INPUT: false
 # API
- FF_API: true
 TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
 # App
 TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
@@ -41,7 +40,6 @@ env:
 TF_VAR_zitadel_provider: ${{ vars.STAGING_ZITADEL_PROVIDER }}
 TF_VAR_zitadel_administration_key: ${{ secrets.STAGING_ZITADEL_ADMINISTRATION_KEY }}
 # IdP
- FF_IDP: true
 TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
 TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
 TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}
diff --git a/.github/workflows/terragrunt-plan-production.yml b/.github/workflows/terragrunt-plan-production.yml
index 894d22ad7..8c0b834d6 100644
--- a/.github/workflows/terragrunt-plan-production.yml
+++ b/.github/workflows/terragrunt-plan-production.yml
@@ -24,7 +24,6 @@ env:
 TERRAGRUNT_VERSION: 0.63.2
 TF_INPUT: false
 # API
- FF_API: true
 TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}
 # App
 TF_VAR_ecs_secret_token: ${{ secrets.PRODUCTION_TOKEN_SECRET }}
@@ -44,7 +43,6 @@ env:
 TF_VAR_email_address_support: ${{ vars.PRODUCTION_SUPPORT_EMAIL }}
 TF_VAR_zitadel_provider: ${{ vars.PRODUCTION_ZITADEL_PROVIDER }}
 # IdP
- FF_IDP: true
 TF_VAR_idp_database_cluster_admin_username: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
 TF_VAR_idp_database_cluster_admin_password: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
 TF_VAR_zitadel_admin_password: ${{ secrets.PRODUCTION_ZITADEL_ADMIN_PASSWORD }}
diff --git a/.github/workflows/terragrunt-plan-staging.yml b/.github/workflows/terragrunt-plan-staging.yml
index 4e58f94d7..c1674619c 100644
--- a/.github/workflows/terragrunt-plan-staging.yml
+++ b/.github/workflows/terragrunt-plan-staging.yml
@@ -29,7 +29,6 @@ env:
 TERRAGRUNT_VERSION: 0.63.2
 TF_INPUT: false
 # API
- FF_API: true
 TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
 # App
 TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
@@ -51,7 +50,6 @@ env:
 TF_VAR_zitadel_provider: ${{ vars.STAGING_ZITADEL_PROVIDER }}
 TF_VAR_zitadel_administration_key: ${{ secrets.STAGING_ZITADEL_ADMINISTRATION_KEY }}
 # IdP
- FF_IDP: true
 TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
 TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
 TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}
diff --git a/aws/alarms/cloudwatch_api.tf b/aws/alarms/cloudwatch_api.tf
index 4e1a5f0bc..47ca56a9b 100644
--- a/aws/alarms/cloudwatch_api.tf
+++ b/aws/alarms/cloudwatch_api.tf
@@ -2,8 +2,6 @@
 # ECS resource usage alarms
 #
 resource "aws_cloudwatch_metric_alarm" "api_cpu_utilization_high_warn" {
- count = var.feature_flag_api ? 1 : 0
-
 alarm_name = "API-CpuUtilizationWarn"
 alarm_description = "API ECS Warning - High CPU usage has been detected."
 comparison_operator = "GreaterThanThreshold"
@@ -25,8 +23,6 @@ resource "aws_cloudwatch_metric_alarm" "api_cpu_utilization_high_warn" {
 }
 resource "aws_cloudwatch_metric_alarm" "api_memory_utilization_high_warn" {
- count = var.feature_flag_api ? 1 : 0
-
 alarm_name = "API-MemoryUtilizationWarn"
 alarm_description = "API ECS Warning - High memory usage has been detected."
 comparison_operator = "GreaterThanThreshold"
@@ -48,8 +44,6 @@ resource "aws_cloudwatch_metric_alarm" "api_memory_utilization_high_warn" {
 }
 resource "aws_cloudwatch_log_subscription_filter" "api_error_detection" {
- count = var.feature_flag_api ? 1 : 0
-
 name = "error_detection_in_api_logs"
 log_group_name = var.ecs_api_cloudwatch_log_group_name
 filter_pattern = "level=error"
@@ -60,8 +54,6 @@ resource "aws_cloudwatch_log_subscription_filter" "api_error_detection" {
 # Load balancer
 #
 resource "aws_cloudwatch_metric_alarm" "api_lb_unhealthy_host_count" {
- count = var.feature_flag_api ? 1 : 0
-
 alarm_name = "API-UnhealthyHostCount"
 alarm_description = "API LB Warning - unhealthy host count >= 1 in a 1 minute period"
 comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -83,8 +75,6 @@ resource "aws_cloudwatch_metric_alarm" "api_lb_unhealthy_host_count" {
 }
 resource "aws_cloudwatch_metric_alarm" "api_lb_healthy_host_count" {
- count = var.feature_flag_api ? 1 : 0
-
 alarm_name = "API-HealthyHostCount" # TODO: bump to SEV1 once this is in production
 alarm_description = "API LB Critical - no healthy hosts in a 1 minute period"
 comparison_operator = "LessThanThreshold"
@@ -104,8 +94,6 @@ resource "aws_cloudwatch_metric_alarm" "api_lb_healthy_host_count" {
 }
 resource "aws_cloudwatch_metric_alarm" "api_response_time_warn" {
- count = var.feature_flag_api ? 1 : 0
-
 alarm_name = "API-ResponseTimeWarn"
 alarm_description = "API LB Warning - The latency of response times from the API are abnormally high."
 comparison_operator = "GreaterThanThreshold"
diff --git a/aws/alarms/cloudwatch_idp.tf b/aws/alarms/cloudwatch_idp.tf
index 37366c402..9b8045aa4 100644
--- a/aws/alarms/cloudwatch_idp.tf
+++ b/aws/alarms/cloudwatch_idp.tf
@@ -2,8 +2,6 @@
 # ECS resource usage alarms
 #
 resource "aws_cloudwatch_metric_alarm" "idp_cpu_utilization_high_warn" {
- count = var.feature_flag_idp ? 1 : 0
-
 alarm_name = "IdP-CpuUtilizationWarn"
 alarm_description = "IdP ECS Warning - High CPU usage has been detected."
 comparison_operator = "GreaterThanThreshold"
@@ -25,8 +23,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_cpu_utilization_high_warn" {
 }
 resource "aws_cloudwatch_metric_alarm" "idp_memory_utilization_high_warn" {
- count = var.feature_flag_idp ? 1 : 0
-
 alarm_name = "IdP-MemoryUtilizationWarn"
 alarm_description = "IdP ECS Warning - High memory usage has been detected."
 comparison_operator = "GreaterThanThreshold"
@@ -48,8 +44,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_memory_utilization_high_warn" {
 }
 resource "aws_cloudwatch_log_subscription_filter" "idp_error_detection" {
- count = var.feature_flag_idp ? 1 : 0
-
 name = "error_detection_in_idp_logs"
 log_group_name = var.ecs_idp_cloudwatch_log_group_name
 filter_pattern = local.idp_error_pattern
@@ -60,7 +54,7 @@ resource "aws_cloudwatch_log_subscription_filter" "idp_error_detection" {
 # Load balancer
 #
 resource "aws_cloudwatch_metric_alarm" "idb_lb_unhealthy_host_count" {
- for_each = var.feature_flag_idp ? var.lb_idp_target_groups_arn_suffix : {}
+ for_each = var.lb_idp_target_groups_arn_suffix
 alarm_name = "IdP-UnhealthyHostCount-${each.key}"
 alarm_description = "IdP LB Warning - unhealthy ${each.key} host count >= 1 in a 1 minute period"
@@ -83,7 +77,7 @@ resource "aws_cloudwatch_metric_alarm" "idb_lb_unhealthy_host_count" {
 }
 resource "aws_cloudwatch_metric_alarm" "idb_lb_healthy_host_count" {
- for_each = var.feature_flag_idp ? var.lb_idp_target_groups_arn_suffix : {}
+ for_each = var.lb_idp_target_groups_arn_suffix
 alarm_name = "IdP-HealthyHostCount-${each.key}" # TODO: bump to SEV1 once in production
 alarm_description = "IdP LB Critical - no healthy ${each.key} hosts in a 1 minute period"
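Review bot: The two resources that now take `for_each = var.lb_idp_target_groups_arn_suffix` are still addressed as `aws_cloudwatch_metric_alarm.idb_lb_unhealthy_host_count` and `idb_lb_healthy_host_count`, which looks like a typo for `idp_` given every sibling alarm in this file and the `IdP-` alarm names they produce. Since the commit already introduces `aws/alarms/moved.tf` for state migrations, this is the cheapest moment to correct the names with two more blocks there, `moved { from = aws_cloudwatch_metric_alarm.idb_lb_unhealthy_host_count  to = aws_cloudwatch_metric_alarm.idp_lb_unhealthy_host_count }` and the same for the healthy-host alarm, rather than carrying the misspelling forward. Both resource bodies continue outside the hunk.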
@@ -104,8 +98,6 @@ resource "aws_cloudwatch_metric_alarm" "idb_lb_healthy_host_count" {
 }
 resource "aws_cloudwatch_metric_alarm" "idp_response_time_warn" {
- count = var.feature_flag_idp ? 1 : 0
-
 alarm_name = "IdP-ResponseTimeWarn"
 alarm_description = "IdP LB Warning - The latency of response times from the IdP are abnormally high."
 comparison_operator = "GreaterThanThreshold"
@@ -135,8 +127,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_response_time_warn" {
 # RDS
 #
 resource "aws_cloudwatch_metric_alarm" "idp_rds_cpu_utilization" {
- count = var.feature_flag_idp ? 1 : 0
-
 alarm_name = "IdP-RDSCpuUtilization"
 alarm_description = "IdP RDS Warning - high CPU use for RDS cluster in a 5 minute period"
 comparison_operator = "GreaterThanThreshold"
@@ -160,8 +150,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_rds_cpu_utilization" {
 # SES bounces and complaints
 #
 resource "aws_cloudwatch_metric_alarm" "idp_bounce_rate_high" {
- count = var.feature_flag_idp ? 1 : 0
-
 alarm_name = "IdP-SESBounceRate"
 alarm_description = "IdP SES Warning - bounce rate >=7% over the last 12 hours"
 comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -178,8 +166,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_bounce_rate_high" {
 }
 resource "aws_cloudwatch_metric_alarm" "idp_complaint_rate_high" {
- count = var.feature_flag_idp ? 1 : 0
-
 alarm_name = "IdP-SESComplaintRate"
 alarm_description = "IdP SES Warning - complaint rate >=0.4% over the last 12 hours"
 comparison_operator = "GreaterThanOrEqualToThreshold"
diff --git a/aws/alarms/moved.tf b/aws/alarms/moved.tf
new file mode 100644
index 000000000..996447c89
--- /dev/null
+++ b/aws/alarms/moved.tf
@@ -0,0 +1,64 @@
+moved {
+ from = aws_cloudwatch_metric_alarm.api_cpu_utilization_high_warn[0]
+ to = aws_cloudwatch_metric_alarm.api_cpu_utilization_high_warn
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.api_memory_utilization_high_warn[0]
+ to = aws_cloudwatch_metric_alarm.api_memory_utilization_high_warn
+}
+
+moved {
+ from = aws_cloudwatch_log_subscription_filter.api_error_detection[0]
+ to = aws_cloudwatch_log_subscription_filter.api_error_detection
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.api_lb_unhealthy_host_count[0]
+ to = aws_cloudwatch_metric_alarm.api_lb_unhealthy_host_count
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.api_lb_healthy_host_count[0]
+ to = aws_cloudwatch_metric_alarm.api_lb_healthy_host_count
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.api_response_time_warn[0]
+ to = aws_cloudwatch_metric_alarm.api_response_time_warn
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.idp_cpu_utilization_high_warn[0]
+ to = aws_cloudwatch_metric_alarm.idp_cpu_utilization_high_warn
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.idp_memory_utilization_high_warn[0]
+ to = aws_cloudwatch_metric_alarm.idp_memory_utilization_high_warn
+}
+
+moved {
+ from = aws_cloudwatch_log_subscription_filter.idp_error_detection[0]
+ to = aws_cloudwatch_log_subscription_filter.idp_error_detection
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.idp_response_time_warn[0]
+ to = aws_cloudwatch_metric_alarm.idp_response_time_warn
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.idp_rds_cpu_utilization[0]
+ to = aws_cloudwatch_metric_alarm.idp_rds_cpu_utilization
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.idp_bounce_rate_high[0]
+ to = aws_cloudwatch_metric_alarm.idp_bounce_rate_high
+}
+
+moved {
+ from = aws_cloudwatch_metric_alarm.idp_complaint_rate_high[0]
+ to = aws_cloudwatch_metric_alarm.idp_complaint_rate_high
+}
\ No newline at end of file
diff --git a/aws/ecr/ecr.tf b/aws/ecr/ecr.tf
index 46a81b93e..27299fe78 100644
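Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), unlike the other `moved.tf` files added in this commit; `terraform fmt` rewrites that, so a fmt check in CI, if one runs, will flag this file on the next touch. A short header comment would also help whoever finds this file later, e.g. `# One-time state migration for dropping the feature_flag_api / feature_flag_idp count guards; safe to delete once every environment's state has been applied with this change.` The `for_each` alarms in cloudwatch_idp.tf correctly have no entry here, since their instance keys did not change.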
--- a/aws/ecr/ecr.tf
+++ b/aws/ecr/ecr.tf
@@ -71,8 +71,6 @@ resource "aws_ecr_lifecycle_policy" "lambda" {
 }
 resource "aws_ecr_repository" "idp" {
- count = var.feature_flag_idp ? 1 : 0
-
 name = "idp/zitadel"
 image_tag_mutability = "MUTABLE"
@@ -82,15 +80,11 @@ resource "aws_ecr_repository" "idp" {
 }
 resource "aws_ecr_lifecycle_policy" "idp" {
- count = var.feature_flag_idp ? 1 : 0
-
- repository = aws_ecr_repository.idp[0].name
+ repository = aws_ecr_repository.idp.name
 policy = file("${path.module}/policy/lifecycle.json")
 }
 resource "aws_ecr_repository" "api" {
- count = var.feature_flag_api ? 1 : 0
-
 name = "forms/api"
 image_tag_mutability = "MUTABLE"
@@ -100,8 +94,6 @@ resource "aws_ecr_repository" "api" {
 }
 resource "aws_ecr_lifecycle_policy" "api" {
- count = var.feature_flag_api ? 1 : 0
-
- repository = aws_ecr_repository.api[0].name
+ repository = aws_ecr_repository.api.name
 policy = file("${path.module}/policy/lifecycle.json")
 }
diff --git a/aws/ecr/moved.tf b/aws/ecr/moved.tf
new file mode 100644
index 000000000..c4e34f909
--- /dev/null
+++ b/aws/ecr/moved.tf
@@ -0,0 +1,19 @@
+moved {
+ from = aws_ecr_repository.idp[0]
+ to = aws_ecr_repository.idp
+}
+
+moved {
+ from = aws_ecr_lifecycle_policy.idp[0]
+ to = aws_ecr_lifecycle_policy.idp
+}
+
+moved {
+ from = aws_ecr_repository.api[0]
+ to = aws_ecr_repository.api
+}
+
+moved {
+ from = aws_ecr_lifecycle_policy.api[0]
+ to = aws_ecr_lifecycle_policy.api
+}
diff --git a/aws/ecr/outputs.tf b/aws/ecr/outputs.tf
index e257e1c29..058d90038 100644
--- a/aws/ecr/outputs.tf
+++ b/aws/ecr/outputs.tf
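Review bot: After this hunk `aws/ecr/ecr.tf` no longer references `var.feature_flag_idp` or `var.feature_flag_api`, yet no `variables.tf` change for the ecr module appears in this diff, so the `variable "feature_flag_idp"` / `variable "feature_flag_api"` declarations presumably survive as accepted-but-ignored inputs; `terraform validate` will not report an unused variable. The same applies to the alarms, load_balancer and network modules, whose `var.feature_flag_*` references are all removed here. Unless it is handled in a part of the commit not shown, dropping the declarations and the matching terragrunt `inputs` in the same change would make it visible that `FF_API`/`FF_IDP` no longer gate anything.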
@@ -70,10 +70,10 @@ output "ecr_repository_url_vault_integrity_lambda" {
 output "ecr_repository_url_idp" {
 description = "URL of the Zitadel IdP's ECR"
- value = var.feature_flag_idp ? aws_ecr_repository.idp[0].repository_url : ""
+ value = aws_ecr_repository.idp.repository_url
 }
 output "ecr_repository_url_api" {
 description = "URL of the Forms API's ECR"
- value = var.feature_flag_api ? aws_ecr_repository.api[0].repository_url : ""
+ value = aws_ecr_repository.api.repository_url
 }
diff --git a/aws/load_balancer/certificates.tf b/aws/load_balancer/certificates.tf
index 88baa1b6d..d15c1bdd8 100644
--- a/aws/load_balancer/certificates.tf
+++ b/aws/load_balancer/certificates.tf
@@ -27,8 +27,6 @@ resource "aws_acm_certificate" "form_viewer_maintenance_mode" {
 }
 resource "aws_acm_certificate" "forms_api" {
- count = var.feature_flag_api ? 1 : 0
-
 domain_name = var.domain_api
 validation_method = "DNS"
@@ -37,11 +35,6 @@ resource "aws_acm_certificate" "forms_api" {
 }
 }
-moved {
- from = aws_acm_certificate.form_api
- to = aws_acm_certificate.forms_api
-}
-
 resource "aws_acm_certificate_validation" "form_viewer_maintenance_mode_cloudfront_certificate" {
 certificate_arn = aws_acm_certificate.form_viewer_maintenance_mode.arn
 validation_record_fqdns = [for record in aws_route53_record.form_viewer_maintenance_mode_certificate_validation : record.fqdn]
@@ -50,9 +43,7 @@ resource "aws_acm_certificate_validation" "form_viewer_maintenance_mode_cloudfro
 }
 resource "aws_acm_certificate_validation" "forms_api" {
- count = var.feature_flag_api ? 1 : 0
-
- certificate_arn = aws_acm_certificate.forms_api[0].arn
+ certificate_arn = aws_acm_certificate.forms_api.arn
 validation_record_fqdns = [for record in aws_route53_record.forms_api_certificate_validation : record.fqdn]
 }
diff --git a/aws/load_balancer/lb.tf b/aws/load_balancer/lb.tf
index 9fe0e1635..67768de63 100644
--- a/aws/load_balancer/lb.tf
+++ b/aws/load_balancer/lb.tf
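Review bot: Deleting the `moved { from = aws_acm_certificate.form_api  to = aws_acm_certificate.forms_api }` block in certificates.tf is only safe once every state file has been applied past that earlier rename; a state that still holds `aws_acm_certificate.form_api` would now plan a destroy and re-issue of the API certificate instead of a move, and the new `aws/load_balancer/moved.tf` only covers `forms_api[0]` to `forms_api`. Terraform resolves chained `moved` blocks, so keeping the old block alongside the new one costs nothing until the rename is confirmed applied in staging and production. If both environments are already past it, a sentence in the commit message saying so would settle the question.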
@@ -72,8 +72,6 @@ resource "aws_lb_target_group" "form_viewer_2" {
 }
 resource "aws_lb_target_group" "forms_api" {
- count = var.feature_flag_api ? 1 : 0
-
 name = "forms-api"
 port = 3001
 protocol = "HTTP"
@@ -126,10 +124,8 @@ resource "aws_lb_listener" "form_viewer_https" {
 }
 resource "aws_lb_listener_certificate" "forms_api_https" {
- count = var.feature_flag_api ? 1 : 0
-
 listener_arn = aws_lb_listener.form_viewer_https.arn
- certificate_arn = aws_acm_certificate_validation.forms_api[0].certificate_arn
+ certificate_arn = aws_acm_certificate_validation.forms_api.certificate_arn
 }
 moved {
@@ -160,14 +156,12 @@ resource "aws_lb_listener" "form_viewer_http" {
 }
 resource "aws_alb_listener_rule" "forms_api" {
- count = var.feature_flag_api ? 1 : 0
-
 listener_arn = aws_lb_listener.form_viewer_https.arn
 priority = 100
 action {
 type = "forward"
- target_group_arn = aws_lb_target_group.forms_api[0].arn
+ target_group_arn = aws_lb_target_group.forms_api.arn
 }
 condition {
diff --git a/aws/load_balancer/locals.tf b/aws/load_balancer/locals.tf
index 2874bd090..295daceea 100644
--- a/aws/load_balancer/locals.tf
+++ b/aws/load_balancer/locals.tf
@@ -1,4 +1,4 @@
 locals {
- all_domains = var.feature_flag_api ? concat(var.domains, [var.domain_api]) : var.domains
+ all_domains = concat(var.domains, [var.domain_api])
 cbs_satellite_bucket_arn = "arn:aws:s3:::${var.cbs_satellite_bucket_name}"
 }
diff --git a/aws/load_balancer/moved.tf b/aws/load_balancer/moved.tf
new file mode 100644
index 000000000..de42a196f
--- /dev/null
+++ b/aws/load_balancer/moved.tf
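Review bot: In locals.tf, `all_domains = concat(var.domains, [var.domain_api])` now appends `var.domain_api` unconditionally, so an environment that leaves it empty ends up with an empty-string entry in `local.all_domains`, a case the removed ternary implicitly avoided whenever the flag was off. Where that list is consumed is outside this diff, but an empty domain is unlikely to be valid anywhere it is used. Either add a `validation` block to `variable "domain_api"` requiring a non-empty value, or filter here with `all_domains = compact(concat(var.domains, [var.domain_api]))`.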
@@ -0,0 +1,29 @@
+moved {
+ from = aws_acm_certificate.forms_api[0]
+ to = aws_acm_certificate.forms_api
+}
+
+moved {
+ from = aws_acm_certificate_validation.forms_api[0]
+ to = aws_acm_certificate_validation.forms_api
+}
+
+moved {
+ from = aws_lb_target_group.forms_api[0]
+ to = aws_lb_target_group.forms_api
+}
+
+moved {
+ from = aws_lb_listener_certificate.forms_api_https[0]
+ to = aws_lb_listener_certificate.forms_api_https
+}
+
+moved {
+ from = aws_alb_listener_rule.forms_api[0]
+ to = aws_alb_listener_rule.forms_api
+}
+
+moved {
+ from = aws_route53_record.forms_api[0]
+ to = aws_route53_record.forms_api
+}
diff --git a/aws/load_balancer/outputs.tf b/aws/load_balancer/outputs.tf
index 04f67faf3..fa3f27e64 100644
--- a/aws/load_balancer/outputs.tf
+++ b/aws/load_balancer/outputs.tf
@@ -40,17 +40,17 @@ output "lb_target_group_2_name" {
 output "lb_target_group_api_arn" {
 description = "Load balancer target group ARN for the API"
- value = var.feature_flag_api ? aws_lb_target_group.forms_api[0].arn : ""
+ value = aws_lb_target_group.forms_api.arn
 }
 output "lb_target_group_api_arn_suffix" {
 description = "Load balancer target group ARN suffix for the API"
- value = var.feature_flag_api ? aws_lb_target_group.forms_api[0].arn_suffix : ""
+ value = aws_lb_target_group.forms_api.arn_suffix
 }
 output "kinesis_firehose_waf_logs_arn" {
 description = "Kinesis Firehose delivery stream ARN used to collect and write WAF ACL logs to an S3 bucket."
- value = var.feature_flag_idp ? aws_kinesis_firehose_delivery_stream.firehose_waf_logs.arn : ""
+ value = aws_kinesis_firehose_delivery_stream.firehose_waf_logs.arn
 }
 output "waf_ipv4_blocklist_arn" {
diff --git a/aws/load_balancer/route53.tf b/aws/load_balancer/route53.tf
index 9f2310090..7681df8dd 100644
--- a/aws/load_balancer/route53.tf
+++ b/aws/load_balancer/route53.tf
@@ -42,8 +42,6 @@ resource "aws_route53_record" "form_viewer_maintenance" {
 }
 resource "aws_route53_record" "forms_api" {
- count = var.feature_flag_api ? 1 : 0
-
 zone_id = var.hosted_zone_ids[0]
 name = var.domain_api
 type = "A"
@@ -111,14 +109,14 @@ resource "aws_route53_record" "form_viewer_maintenance_mode_certificate_validati
 }
 resource "aws_route53_record" "forms_api_certificate_validation" {
- for_each = var.feature_flag_api ? {
- for dvo in aws_acm_certificate.forms_api[0].domain_validation_options : dvo.domain_name => {
+ for_each = {
+ for dvo in aws_acm_certificate.forms_api.domain_validation_options : dvo.domain_name => {
 domain = dvo.domain_name
 name = dvo.resource_record_name
 record = dvo.resource_record_value
 type = dvo.resource_record_type
 }
- } : {}
+ }
 allow_overwrite = true
 name = each.value.name
diff --git a/aws/network/moved.tf b/aws/network/moved.tf
new file mode 100644
index 000000000..83959bd33
--- /dev/null
+++ b/aws/network/moved.tf
@@ -0,0 +1,124 @@
+moved {
+ from = aws_security_group.api_ecs[0]
+ to = aws_security_group.api_ecs
+}
+
+moved {
+ from = aws_security_group_rule.api_ecs_egress_internet[0]
+ to = aws_security_group_rule.api_ecs_egress_internet
+}
+
+moved {
+ from = aws_security_group_rule.api_ecs_egress_privatelink[0]
+ to = aws_security_group_rule.api_ecs_egress_privatelink
+}
+
+moved {
+ from = aws_security_group_rule.api_ecs_ingress_lb[0]
+ to = aws_security_group_rule.api_ecs_ingress_lb
+}
+
+moved {
+ from = aws_security_group_rule.lb_egress_api_ecs[0]
+ to = aws_security_group_rule.lb_egress_api_ecs
+}
+
+moved {
+ from = aws_security_group_rule.db_ingress_api_ecs[0]
+ to = aws_security_group_rule.db_ingress_api_ecs
+}
+
+moved {
+ from = aws_security_group_rule.api_ecs_egress_db[0]
+ to = aws_security_group_rule.api_ecs_egress_db
+}
+
+moved {
+ from = aws_security_group_rule.redis_ingress_api_ecs[0]
+ to = aws_security_group_rule.redis_ingress_api_ecs
+}
+
+moved {
+ from = aws_security_group_rule.api_ecs_egress_redis[0]
+ to = aws_security_group_rule.api_ecs_egress_redis
+}
+
+moved {
+ from = aws_security_group_rule.privatelink_idp_ecs_ingress[0]
+ to = aws_security_group_rule.privatelink_idp_ecs_ingress
+}
+
+moved {
+ from = aws_security_group_rule.privatelink_idp_db_ingress[0]
+ to = aws_security_group_rule.privatelink_idp_db_ingress
+}
+
+moved {
+ from = aws_security_group_rule.privatelink_api_ecs_ingress[0]
+ to = aws_security_group_rule.privatelink_api_ecs_ingress
+}
+
+moved {
+ from = aws_security_group.idp_ecs[0]
+ to = aws_security_group.idp_ecs
+}
+
+moved {
+ from = aws_security_group_rule.idp_ecs_egress_internet[0]
+ to = aws_security_group_rule.idp_ecs_egress_internet
+}
+
+moved {
+ from = aws_security_group_rule.idp_ecs_egress_smtp_tls[0]
+ to = aws_security_group_rule.idp_ecs_egress_smtp_tls
+}
+
+moved {
+ from = aws_security_group_rule.idp_ecs_egress_privatelink[0]
+ to = aws_security_group_rule.idp_ecs_egress_privatelink
+}
+
+moved {
+ from = 
aws_security_group_rule.idp_ecs_ingress_lb[0]
+ to = aws_security_group_rule.idp_ecs_ingress_lb
+}
+
+moved {
+ from = aws_security_group.idp_lb[0]
+ to = aws_security_group.idp_lb
+}
+
+moved {
+ from = aws_security_group_rule.idp_lb_ingress_internet_http[0]
+ to = aws_security_group_rule.idp_lb_ingress_internet_http
+}
+
+moved {
+ from = aws_security_group_rule.idp_lb_ingress_internet_https[0]
+ to = aws_security_group_rule.idp_lb_ingress_internet_https
+}
+
+moved {
+ from = aws_security_group_rule.idp_lb_egress_ecs[0]
+ to = aws_security_group_rule.idp_lb_egress_ecs
+}
+
+moved {
+ from = aws_security_group.idp_db[0]
+ to = aws_security_group.idp_db
+}
+
+moved {
+ from = aws_security_group_rule.idp_db_ingress_ecs[0]
+ to = aws_security_group_rule.idp_db_ingress_ecs
+}
+
+moved {
+ from = aws_security_group_rule.idp_ecs_egress_db[0]
+ to = aws_security_group_rule.idp_ecs_egress_db
+}
+
+moved {
+ from = aws_security_group_rule.idp_db_egress_privatelink[0]
+ to = aws_security_group_rule.idp_db_egress_privatelink
+}
diff --git a/aws/network/outputs.tf b/aws/network/outputs.tf
index 20a7d3dd0..3e10d19b8 100644
--- a/aws/network/outputs.tf
+++ b/aws/network/outputs.tf
@@ -5,7 +5,7 @@ output "alb_security_group_id" {
 output "api_ecs_security_group_id" {
 description = "API ECS task security group ID"
- value = var.feature_flag_api ? aws_security_group.api_ecs[0].id : ""
+ value = aws_security_group.api_ecs.id
 }
 output "ecs_security_group_id" {
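Review bot: `aws/network/moved.tf` lists twenty-five `moved` blocks with nothing indicating which source file each run came from, which makes it hard to audit that every `count` removed in security_groups_api.tf, security_groups_app.tf and security_groups_idp.tf has a matching block (it does, by my count: nine, three and thirteen). Section comments placed above each run, `# security_groups_api.tf`, `# security_groups_app.tf` and `# security_groups_idp.tf`, would make that check a glance, and the first of them could note that the file is a one-time state migration to be deleted once all environments have applied it.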
@@ -20,17 +20,17 @@ output "egress_security_group_id" {
 output "idp_db_security_group_id" {
 description = "IdP database security group ID"
- value = var.feature_flag_idp ? aws_security_group.idp_db[0].id : ""
+ value = aws_security_group.idp_db.id
 }
 output "idp_ecs_security_group_id" {
 description = "IdP ECS task security group ID"
- value = var.feature_flag_idp ? aws_security_group.idp_ecs[0].id : ""
+ value = aws_security_group.idp_ecs.id
 }
 output "idp_lb_security_group_id" {
 description = "IdP load balancer security group ID"
- value = var.feature_flag_idp ? aws_security_group.idp_lb[0].id : ""
+ value = aws_security_group.idp_lb.id
 }
 output "lambda_nagware_security_group_id" {
diff --git a/aws/network/security_groups_api.tf b/aws/network/security_groups_api.tf
index 927a9a1c0..197aca94d 100644
--- a/aws/network/security_groups_api.tf
+++ b/aws/network/security_groups_api.tf
@@ -1,107 +1,89 @@
 # ECS
 resource "aws_security_group" "api_ecs" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "API ECS Tasks"
 name = "api_ecs"
 vpc_id = aws_vpc.forms.id
 }
 resource "aws_security_group_rule" "api_ecs_egress_internet" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "Egress from API ECS task to internet (HTTPS)"
 type = "egress"
 to_port = 443
 from_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.api_ecs[0].id
+ security_group_id = aws_security_group.api_ecs.id
 cidr_blocks = ["0.0.0.0/0"]
 }
 resource "aws_security_group_rule" "api_ecs_egress_privatelink" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "Egress from API ECS task to PrivateLink endpoints"
 type = "egress"
 from_port = 443
 to_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.api_ecs[0].id
+ security_group_id = aws_security_group.api_ecs.id
 source_security_group_id = aws_security_group.privatelink.id
 }
 # Load balancer
 resource "aws_security_group_rule" "api_ecs_ingress_lb" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "Ingress from load balancer to API ECS task"
 type = "ingress"
 from_port = 3001
 to_port = 3001
 protocol = "tcp"
- security_group_id = aws_security_group.api_ecs[0].id
+ security_group_id = aws_security_group.api_ecs.id
 source_security_group_id = aws_security_group.forms_load_balancer.id
 }
 resource "aws_security_group_rule" "lb_egress_api_ecs" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "Egress from load balancer to API ECS task"
 type = "egress"
 from_port = 3001
 to_port = 3001
 protocol = "tcp"
 security_group_id = aws_security_group.forms_load_balancer.id
- source_security_group_id = aws_security_group.api_ecs[0].id
+ source_security_group_id = aws_security_group.api_ecs.id
 }
 # Database
 resource "aws_security_group_rule" "db_ingress_api_ecs" {
- count = var.feature_flag_api ? 
1 : 0
-
 description = "Ingress to database from API ECS task"
 type = "ingress"
 from_port = 5432
 to_port = 5432
 protocol = "tcp"
 security_group_id = aws_security_group.forms_database.id
- source_security_group_id = aws_security_group.api_ecs[0].id
+ source_security_group_id = aws_security_group.api_ecs.id
 }
 resource "aws_security_group_rule" "api_ecs_egress_db" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "Egress from API ECS task to database"
 type = "egress"
 from_port = 5432
 to_port = 5432
 protocol = "tcp"
- security_group_id = aws_security_group.api_ecs[0].id
+ security_group_id = aws_security_group.api_ecs.id
 source_security_group_id = aws_security_group.forms_database.id
 }
 # Redis
 resource "aws_security_group_rule" "redis_ingress_api_ecs" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "Ingress to Redis from API ECS task"
 type = "ingress"
 from_port = 6379
 to_port = 6379
 protocol = "tcp"
 security_group_id = aws_security_group.forms_redis.id
- source_security_group_id = aws_security_group.api_ecs[0].id
+ source_security_group_id = aws_security_group.api_ecs.id
 }
 resource "aws_security_group_rule" "api_ecs_egress_redis" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "Egress from API ECS task to Redis"
 type = "egress"
 from_port = 6379
 to_port = 6379
 protocol = "tcp"
- security_group_id = aws_security_group.api_ecs[0].id
+ security_group_id = aws_security_group.api_ecs.id
 source_security_group_id = aws_security_group.forms_redis.id
 }
diff --git a/aws/network/security_groups_app.tf b/aws/network/security_groups_app.tf
index 2fb351822..7b10f151e 100644
--- a/aws/network/security_groups_app.tf
+++ b/aws/network/security_groups_app.tf
@@ -124,39 +124,33 @@ resource "aws_security_group_rule" "privatelink_forms_ingress" {
 }
 resource "aws_security_group_rule" "privatelink_idp_ecs_ingress" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Security group rule for Zitadel IdP ECS task ingress"
 type = "ingress"
 from_port = 443
 to_port = 443
 protocol = "tcp"
 security_group_id = aws_security_group.privatelink.id
- source_security_group_id = aws_security_group.idp_ecs[0].id
+ source_security_group_id = aws_security_group.idp_ecs.id
 }
 resource "aws_security_group_rule" "privatelink_idp_db_ingress" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Security group rule for Zitadel IdP database ingress"
 type = "ingress"
 from_port = 443
 to_port = 443
 protocol = "tcp"
 security_group_id = aws_security_group.privatelink.id
- source_security_group_id = aws_security_group.idp_db[0].id
+ source_security_group_id = aws_security_group.idp_db.id
 }
 resource "aws_security_group_rule" "privatelink_api_ecs_ingress" {
- count = var.feature_flag_api ? 1 : 0
-
 description = "Security group rule for API ECS task ingress"
 type = "ingress"
 from_port = 443
 to_port = 443
 protocol = "tcp"
 security_group_id = aws_security_group.privatelink.id
- source_security_group_id = aws_security_group.api_ecs[0].id
+ source_security_group_id = aws_security_group.api_ecs.id
 }
 # Allow traffic from the app and from the lambdas
diff --git a/aws/network/security_groups_idp.tf b/aws/network/security_groups_idp.tf
index 06e87e647..c77dfa884 100644
--- a/aws/network/security_groups_idp.tf
+++ b/aws/network/security_groups_idp.tf
@@ -1,64 +1,52 @@
 # ECS
 resource "aws_security_group" "idp_ecs" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Zitadel IdP ECS Tasks"
 name = "idp_ecs"
 vpc_id = aws_vpc.forms.id
 }
 resource "aws_security_group_rule" "idp_ecs_egress_internet" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Egress from Zitadel IdP ECS task to internet (HTTPS)"
 type = "egress"
 to_port = 443
 from_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.idp_ecs[0].id
+ security_group_id = aws_security_group.idp_ecs.id
 cidr_blocks = ["0.0.0.0/0"]
 }
 resource "aws_security_group_rule" "idp_ecs_egress_smtp_tls" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Egress from Zitadel IdP ECS task to SMTP"
 type = "egress"
 to_port = 465
 from_port = 465
 protocol = "tcp"
- security_group_id = aws_security_group.idp_ecs[0].id
+ security_group_id = aws_security_group.idp_ecs.id
 cidr_blocks = ["0.0.0.0/0"]
 }
 resource "aws_security_group_rule" "idp_ecs_egress_privatelink" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Egress from Zitadel IdP ECS task to PrivateLink endpoints"
 type = "egress"
 from_port = 443
 to_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.idp_ecs[0].id
+ security_group_id = aws_security_group.idp_ecs.id
 source_security_group_id = aws_security_group.privatelink.id
 }
 resource "aws_security_group_rule" "idp_ecs_ingress_lb" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Ingress from load balancer to Zitadel IdP ECS task"
 type = "ingress"
 from_port = 8080
 to_port = 8080
 protocol = "tcp"
- security_group_id = aws_security_group.idp_ecs[0].id
- source_security_group_id = aws_security_group.idp_lb[0].id
+ security_group_id = aws_security_group.idp_ecs.id
+ source_security_group_id = aws_security_group.idp_lb.id
 }
 # Load balancer
 resource "aws_security_group" "idp_lb" {
- count = var.feature_flag_idp ? 1 : 0
-
 name = "idp_lb"
 description = "Zitadel IdP load balancer"
 vpc_id = aws_vpc.forms.id
@@ -66,82 +54,68 @@ resource "aws_security_group" "idp_lb" {
 resource "aws_security_group_rule" "idp_lb_ingress_internet_http" {
 # checkov:skip=CKV_AWS_260: port 80 is required for the redirect to HTTPS (443) done by the load balancer
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Ingress from internet to the Zitadel IdP load balancer (HTTP)"
 type = "ingress"
 from_port = 80
 to_port = 80
 protocol = "tcp"
- security_group_id = aws_security_group.idp_lb[0].id
+ security_group_id = aws_security_group.idp_lb.id
 cidr_blocks = ["0.0.0.0/0"]
 }
 resource "aws_security_group_rule" "idp_lb_ingress_internet_https" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Ingress from internet to the Zitadel IdP load balancer (HTTPS)"
 type = "ingress"
 from_port = 443
 to_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.idp_lb[0].id
+ security_group_id = aws_security_group.idp_lb.id
 cidr_blocks = ["0.0.0.0/0"]
 }
 resource "aws_security_group_rule" "idp_lb_egress_ecs" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Egress from load balancer to Zitadel IdP ECS task"
 type = "egress"
 from_port = 8080
 to_port = 8080
 protocol = "tcp"
- security_group_id = aws_security_group.idp_lb[0].id
- source_security_group_id = aws_security_group.idp_ecs[0].id
+ security_group_id = aws_security_group.idp_lb.id
+ source_security_group_id = aws_security_group.idp_ecs.id
 }
 # Database
 resource "aws_security_group" "idp_db" {
- count = var.feature_flag_idp ? 1 : 0
-
 name = "idp_db"
 description = "Zitadel IdP database"
 vpc_id = aws_vpc.forms.id
 }
 resource "aws_security_group_rule" "idp_db_ingress_ecs" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Ingress to database from Zitadel IdP ECS task"
 type = "ingress"
 from_port = 5432
 to_port = 5432
 protocol = "tcp"
- security_group_id = aws_security_group.idp_db[0].id
- source_security_group_id = aws_security_group.idp_ecs[0].id
+ security_group_id = aws_security_group.idp_db.id
+ source_security_group_id = aws_security_group.idp_ecs.id
 }
 resource "aws_security_group_rule" "idp_ecs_egress_db" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Egress from Zitadel IdP ECS task to database"
 type = "egress"
 from_port = 5432
 to_port = 5432
 protocol = "tcp"
- security_group_id = aws_security_group.idp_ecs[0].id
- source_security_group_id = aws_security_group.idp_db[0].id
+ security_group_id = aws_security_group.idp_ecs.id
+ source_security_group_id = aws_security_group.idp_db.id
 }
 resource "aws_security_group_rule" "idp_db_egress_privatelink" {
- count = var.feature_flag_idp ? 1 : 0
-
 description = "Egress from Zitadel IdP database to PrivateLink endpoints"
 type = "egress"
 from_port = 443
 to_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.idp_db[0].id
+ security_group_id = aws_security_group.idp_db.id
 source_security_group_id = aws_security_group.privatelink.id
 }
diff --git a/env/cloud/alarms/terragrunt.hcl b/env/cloud/alarms/terragrunt.hcl
index 8f3069594..b04c04dc6 100644
--- a/env/cloud/alarms/terragrunt.hcl
+++ b/env/cloud/alarms/terragrunt.hcl
@@ -7,9 +7,7 @@ dependencies {
 }
 locals {
- domain = jsondecode(get_env("APP_DOMAINS", "[\"localhost:3000\"]"))
- feature_flag_api = get_env("FF_API", "false")
- feature_flag_idp = get_env("FF_IDP", "false")
+ domain = jsondecode(get_env("APP_DOMAINS", "[\"localhost:3000\"]"))
 }
 dependency "hosted_zone" {
@@ -129,7 +127,6 @@ dependency "ecr" {
 }
 dependency "api" {
- enabled = local.feature_flag_api
 config_path = "../api"
 mock_outputs_merge_strategy_with_state = "shallow"
 mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
@@ -141,7 +138,6 @@ dependency "api" {
 }
 dependency "idp" {
- enabled = local.feature_flag_idp
 config_path = "../idp"
 mock_outputs_merge_strategy_with_state = "shallow"
 mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
@@ -229,16 +225,16 @@ inputs = {
 ecr_repository_url_notify_slack_lambda = dependency.ecr.outputs.ecr_repository_url_notify_slack_lambda
- ecs_api_cluster_name = local.feature_flag_api == "true" ? dependency.api.outputs.ecs_api_cluster_name : ""
- ecs_api_cloudwatch_log_group_name = local.feature_flag_api == "true" ? dependency.api.outputs.ecs_api_cloudwatch_log_group_name : ""
- ecs_api_service_name = local.feature_flag_api == "true" ? dependency.api.outputs.ecs_api_service_name : ""
+ ecs_api_cluster_name = dependency.api.outputs.ecs_api_cluster_name
+ ecs_api_cloudwatch_log_group_name = dependency.api.outputs.ecs_api_cloudwatch_log_group_name
+ ecs_api_service_name = dependency.api.outputs.ecs_api_service_name
- ecs_idp_cluster_name = local.feature_flag_idp == "true" ? dependency.idp.outputs.ecs_idp_cluster_name : ""
- ecs_idp_cloudwatch_log_group_name = local.feature_flag_idp == "true" ? dependency.idp.outputs.ecs_idp_cloudwatch_log_group_name : ""
- ecs_idp_service_name = local.feature_flag_idp == "true" ? dependency.idp.outputs.ecs_idp_service_name : ""
- lb_idp_arn_suffix = local.feature_flag_idp == "true" ? dependency.idp.outputs.lb_idp_arn_suffix : ""
- lb_idp_target_groups_arn_suffix = local.feature_flag_idp == "true" ? dependency.idp.outputs.lb_idp_target_groups_arn_suffix : {}
- rds_idp_cluster_identifier = local.feature_flag_idp == "true" ? dependency.idp.outputs.rds_idp_cluster_identifier : ""
+ ecs_idp_cluster_name = dependency.idp.outputs.ecs_idp_cluster_name
+ ecs_idp_cloudwatch_log_group_name = dependency.idp.outputs.ecs_idp_cloudwatch_log_group_name
+ ecs_idp_service_name = dependency.idp.outputs.ecs_idp_service_name
+ lb_idp_arn_suffix = dependency.idp.outputs.lb_idp_arn_suffix
+ lb_idp_target_groups_arn_suffix = dependency.idp.outputs.lb_idp_target_groups_arn_suffix
+ rds_idp_cluster_identifier = dependency.idp.outputs.rds_idp_cluster_identifier
 rds_idp_cpu_maxiumum = 80
 dynamodb_app_audit_logs_arn = dependency.dynamodb.outputs.dynamodb_app_audit_logs_arn
diff --git a/env/common/common_variables.tf b/env/common/common_variables.tf
index 4b56dde1b..4f8646be7 100644
--- a/env/common/common_variables.tf
+++ b/env/common/common_variables.tf
@@ -38,18 +38,6 @@ variable "env" {
 type = string
 }
-variable "feature_flag_api" {
- description = "Feature flag that determines if the API infrastructure is deployed"
- type = bool
- default = false
-}
-
-variable "feature_flag_idp" {
- description = "Feature flag that determines if the IdP infrastructure is deployed"
- type = bool
- default = false
-}
-
 variable "region" {
 description = "The current AWS region"
 type = string
diff --git a/env/terragrunt.hcl b/env/terragrunt.hcl
index 490527499..3c6235633 100644
--- a/env/terragrunt.hcl
+++ b/env/terragrunt.hcl
@@ -1,8 +1,6 @@
 locals {
 account_id = get_env("AWS_ACCOUNT_ID", "")
 env = get_env("APP_ENV", "local")
- feature_flag_api = get_env("FF_API", "false")
- feature_flag_idp = get_env("FF_IDP", "false")
 domain_api = get_env("API_DOMAIN", "localhost:3001")
 domain_idp = get_env("IDP_DOMAIN", "localhost:8080")
 domains = get_env("APP_DOMAINS", "[\"localhost:3000\"]")
@@ -16,8 +14,6 @@ inputs = {
 domain_idp = local.domain_idp
 domains = local.domains
 env = "${local.env}"
- feature_flag_api = local.feature_flag_api
- feature_flag_idp = local.feature_flag_idp
 region = "ca-central-1"
 cbs_satellite_bucket_name = "cbs-satellite-${local.account_id}"
 }