aws-ia · MariosRadis · Apr 7, 2022 · Apr 7, 2022 · Apr 7, 2022 · Apr 7, 2022
@@ -0,0 +1,18 @@
+name: Fork Synchronization
+on:
+  schedule:
+    - cron: '*/15 * * * *'
+  workflow_dispatch:
+permissions:
+  pull-requests: write
+jobs:
+  sync:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: tgymnich/[email protected]
+        with:
+          owner: aws-ia
+          base: main
+          head: main
+          retry_after: 10
+          auto_merge: false
@@ -0,0 +1,32 @@
+# Mondelez Modifications to AFT
+## Application/Network Request Table
+### AFT Enhancement Request
+IAM permissions for the ct-aft-codebuild-account-request-role should be able to be supplemented by user input.
+### Purpose
+To restrict a grouping of accounts to a specific application name that cannot be reused.
+### Modifications
+- [main.tf](main.tf) passing of value between modules
+- [modules/aft-account-request-framework/ddb_custom.tf](modules/aft-account-request-framework/ddb_custom.tf) addition of the DynamoDB table
+- [modules/aft-account-request-framework/outputs_custom.tf](modules/aft-account-request-framework/outputs_custom.tf) addition of an output to pass the table name
+- [modules/aft-code-repositories/variables.tf](modules/aft-code-repositories/variables.tf) adding a variable to pass the table name to iam
+- [modules/aft-code-repositories/iam.tf](modules/aft-code-repositories/iam.tf) passing the table name to an iam template
+- [modules/aft-code-repositories/iam/role-policies/ct_aft_codebuild_policy.tpl](modules/aft-code-repositories/iam/role-policies/ct_aft_codebuild_policy.tpl) adding the table to the iam template
+## Terraformrc for Private Modules
+### AFT Enhancement Request
+Commands should be able to be added at the beginning/end of each AFT CodeBuild project build phase.
+### Purpose
+To allow private module use within the AFT Terraform CodeBuild projects.
+### Modifications
+- [modules/aft-code-repositories/buildspecs/ct-aft-account-provisioning-customizations.yml](modules/aft-code-repositories/buildspecs/ct-aft-account-provisioning-customizations.yml) retrieve .terraformrc from SSM and save to ~/.terraformrc
+- [modules/aft-customizations/buildspecs/aft-account-customizations-terraform.yml](modules/aft-customizations/buildspecs/aft-account-customizations-terraform.yml) retrieve .terraformrc from SSM and save to ~/.terraformrc
+- [modules/aft-customizations/buildspecs/aft-global-customizations-terraform.yml](modules/aft-customizations/buildspecs/aft-global-customizations-terraform.yml) retrieve .terraformrc from SSM and save to ~/.terraformrc
+- [modules/aft-ssm-parameters/secrets/039570753310/spacelift_terraformrc.enc](modules/aft-ssm-parameters/secrets/039570753310/spacelift_terraformrc.enc) added encrypted .terraformrc to repo
+- [modules/aft-ssm-parameters/data_custom.tf](modules/aft-ssm-parameters/data.tf) added decryption for the .terraformrc
+- [modules/aft-ssm-parameters/ssm_secrets_custom.tf](modules/aft-ssm-parameters/ssm_secrets.tf) added the SSM secret
+
+## Secrets
+### Purpose
+To enable AFT to leverage custom secrets.
+### Modifications
+- [data_custom.tf](data.tf) decryption of the secrets
+- [ssm_custom.tf](ssm_custom.tf) added the SSM secrets
@@ -0,0 +1,22 @@
+data "aws_caller_identity" "aft_management" {
+  provider = aws.aft_management
+}
+
+data "aws_kms_secrets" "mondelez" {
+  provider = aws.aft_management
+  secret {
+    name    = "github_app_private_key"
+    payload = file("${path.module}/secrets/${data.aws_caller_identity.aft_management.account_id}/github-app-private-key.pem.enc")
+    context = {
+      AccountID = data.aws_caller_identity.aft_management.account_id
+    }
+  }
+
+  secret {
+    name    = "spacelift_api_key"
+    payload = file("${path.module}/secrets/${data.aws_caller_identity.aft_management.account_id}/spacelift-api-key.enc")
+    context = {
+      AccountID = data.aws_caller_identity.aft_management.account_id
+    }
+  }
+}
@@ -0,0 +1,6 @@
+locals {
+  ssm_paths_custom = {
+    spacelift_api_credentials = "/aft/config/spacelift/api-credentials"
+    github_app_credentials    = "/aft/config/github/app-credentials"
+  }
+}
@@ -80,6 +80,9 @@ module "aft_code_repositories" {
   aft_config_backend_table_id                     = module.aft_backend.table_id
   aft_config_backend_kms_key_id                   = module.aft_backend.kms_key_id
   account_request_table_name                      = module.aft_account_request_framework.request_table_name
+  application_request_table_arn                   = module.aft_account_request_framework.application_request_table_arn           # MDLZ CUSTOMIZATION
+  network_request_configuration_table_arn         = module.aft_account_request_framework.network_request_configuration_table_arn # MDLZ CUSTOMIZATION
+  network_request_grant_table_arn                 = module.aft_account_request_framework.network_request_grant_table_arn         # MDLZ CUSTOMIZATION
   codepipeline_s3_bucket_arn                      = module.aft_customizations.aft_codepipeline_customizations_bucket_arn
   codepipeline_s3_bucket_name                     = module.aft_customizations.aft_codepipeline_customizations_bucket_name
   security_group_ids                              = module.aft_account_request_framework.aft_vpc_default_sg
@@ -135,6 +138,7 @@ module "aft_customizations" {
   global_codebuild_timeout                          = var.global_codebuild_timeout
   lambda_runtime_python_version                     = local.lambda_runtime_python_version
   aft_enable_vpc                                    = var.aft_enable_vpc
+  spacelift_api_credentials_ssm_path                = local.ssm_paths_custom.spacelift_api_credentials
 }
 
 module "aft_feature_options" {

@@ -3,10 +3,9 @@
 #
 # Table that stores account-meta data
 resource "aws_dynamodb_table" "aft_request_metadata" {
-  name           = "aft-request-metadata"
-  read_capacity  = 1
-  write_capacity = 1
-  hash_key       = "id"
+  name         = "aft-request-metadata"
+  hash_key     = "id"
+  billing_mode = "PAY_PER_REQUEST"
 
   attribute {
     name = "id"
@@ -53,8 +52,7 @@ resource "aws_dynamodb_table" "aft_request_metadata" {
 # Table that stores the configuration details for the account vending machine
 resource "aws_dynamodb_table" "aft_request" {
   name             = "aft-request"
-  read_capacity    = 1
-  write_capacity   = 1
+  billing_mode     = "PAY_PER_REQUEST"
   hash_key         = "id"
   stream_enabled   = true
   stream_view_type = "NEW_AND_OLD_IMAGES"
@@ -77,8 +75,7 @@ resource "aws_dynamodb_table" "aft_request" {
 # Table that stores the audit history for the account
 resource "aws_dynamodb_table" "aft_request_audit" {
   name             = "aft-request-audit"
-  read_capacity    = 1
-  write_capacity   = 1
+  billing_mode     = "PAY_PER_REQUEST"
   hash_key         = "id"
   range_key        = "timestamp"
   stream_enabled   = true
@@ -107,8 +104,7 @@ resource "aws_dynamodb_table" "aft_request_audit" {
 # Table that stores the audit history for the account
 resource "aws_dynamodb_table" "aft_controltower_events" {
   name             = "aft-controltower-events"
-  read_capacity    = 5
-  write_capacity   = 5
+  billing_mode     = "PAY_PER_REQUEST"
   hash_key         = "id"
   range_key        = "time"
   stream_enabled   = true

@@ -0,0 +1,70 @@
+# MDLZ CUSTOMIZATION
+resource "aws_dynamodb_table" "aft_application_request" {
+  name           = "aft-application-request"
+  read_capacity  = 1
+  write_capacity = 1
+  hash_key       = "ApplicationName"
+
+  attribute {
+    name = "ApplicationName"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  server_side_encryption {
+    enabled     = true
+    kms_key_arn = aws_kms_key.aft.arn
+  }
+}
+
+# MDLZ CUSTOMIZATION
+resource "aws_dynamodb_table" "aft_network_request_configuration" {
+  name           = "aft-network-request-configuration"
+  read_capacity  = 1
+  write_capacity = 1
+  hash_key       = "NetworkName"
+
+  attribute {
+    name = "NetworkName"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  server_side_encryption {
+    enabled     = true
+    kms_key_arn = aws_kms_key.aft.arn
+  }
+}
+
+resource "aws_dynamodb_table" "aft_network_request_grant" {
+  name           = "aft-network-request-grant"
+  read_capacity  = 1
+  write_capacity = 1
+  hash_key       = "NetworkName"
+  range_key      = "AccountSlug"
+
+  attribute {
+    name = "NetworkName"
+    type = "S"
+  }
+
+  attribute {
+    name = "AccountSlug"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  server_side_encryption {
+    enabled     = true
+    kms_key_arn = aws_kms_key.aft.arn
+  }
+}
@@ -0,0 +1,14 @@
+# MDLZ CUSTOMIZTAION
+output "application_request_table_arn" {
+  value = aws_dynamodb_table.aft_application_request.arn
+}
+
+# MDLZ CUSTOMIZTAION
+output "network_request_configuration_table_arn" {
+  value = aws_dynamodb_table.aft_network_request_configuration.arn
+}
+
+# MDLZ CUSTOMIZTAION
+output "network_request_grant_table_arn" {
+  value = aws_dynamodb_table.aft_network_request_grant.arn
+}
@@ -18,6 +18,7 @@ phases:
       - AFT_ADMIN_ROLE_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-administrator-role-name | jq --raw-output ".Parameter.Value")
       - AFT_ADMIN_ROLE_ARN=arn:$AWS_PARTITION:iam::$AFT_MGMT_ACCOUNT:role/$AFT_ADMIN_ROLE_NAME
       - ROLE_SESSION_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-session-name | jq --raw-output ".Parameter.Value")
+      - aws ssm get-parameter --name /aft/config/terraform/spacelift-terraformrc --with-decryption | jq --raw-output ".Parameter.Value" > ~/.terraformrc
       - |
         ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then

@@ -18,6 +18,7 @@ phases:
       - AFT_ADMIN_ROLE_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-administrator-role-name | jq --raw-output ".Parameter.Value")
       - AFT_ADMIN_ROLE_ARN=arn:$AWS_PARTITION:iam::$AFT_MGMT_ACCOUNT:role/$AFT_ADMIN_ROLE_NAME
       - ROLE_SESSION_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-session-name | jq --raw-output ".Parameter.Value")
+      - aws ssm get-parameter --name /aft/config/terraform/spacelift-terraformrc --with-decryption | jq --raw-output ".Parameter.Value" > ~/.terraformrc
       - |
         ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then

@@ -9,61 +9,6 @@ data "local_file" "account_provisioning_customizations_buildspec" {
   filename = "${path.module}/buildspecs/ct-aft-account-provisioning-customizations.yml"
 }
 
-resource "aws_codebuild_project" "account_request" {
-  depends_on     = [aws_cloudwatch_log_group.account_request, time_sleep.iam_eventual_consistency]
-  name           = "ct-aft-account-request"
-  description    = "Job to apply Terraform for Account Requests"
-  build_timeout  = tostring(var.global_codebuild_timeout)
-  service_role   = aws_iam_role.account_request_codebuild_role.arn
-  encryption_key = var.aft_key_arn
-
-  artifacts {
-    type = "CODEPIPELINE"
-  }
-
-  environment {
-    compute_type                = "BUILD_GENERAL1_MEDIUM"
-    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
-    type                        = "LINUX_CONTAINER"
-    image_pull_credentials_type = "CODEBUILD"
-    environment_variable {
-      name  = "AWS_PARTITION"
-      value = data.aws_partition.current.partition
-      type  = "PLAINTEXT"
-    }
-  }
-
-  logs_config {
-    cloudwatch_logs {
-      group_name = aws_cloudwatch_log_group.account_request.name
-    }
-
-    s3_logs {
-      status   = "ENABLED"
-      location = "${var.codepipeline_s3_bucket_name}/ct-aft-account-request-logs"
-    }
-  }
-
-  source {
-    type      = "CODEPIPELINE"
-    buildspec = data.local_file.account_request_buildspec.content
-  }
-
-  dynamic "vpc_config" {
-    for_each = var.aft_enable_vpc ? [1] : []
-    content {
-      vpc_id             = var.vpc_id
-      subnets            = var.subnet_ids
-      security_group_ids = var.security_group_ids
-    }
-  }
-
-  lifecycle {
-    ignore_changes = [project_visibility]
-  }
-
-}
-
 resource "aws_codebuild_project" "account_provisioning_customizations_pipeline" {
   depends_on     = [aws_cloudwatch_log_group.account_request, time_sleep.iam_eventual_consistency]
   name           = "ct-aft-account-provisioning-customizations"