diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 000000000..ffa8318a9 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,198 @@
+name: CI
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+
+jobs:
+ terraform-validation:
+ name: Terraform Validation
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v5
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+
+ - name: Terraform Format Check
+ id: fmt
+ run: terraform fmt -check -recursive operations/deployment/terraform/aws/
+ continue-on-error: true
+
+ - name: Terraform Format Check
+ id: modules
+ run: terraform fmt -check -recursive operations/deployment/terraform/modules/
+ continue-on-error: true
+
+ - name: Create mock provider.tf
+ run: |
+ cat > operations/deployment/terraform/aws/provider.tf << 'EOF'
+ terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.2"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.22"
+ }
+ }
+ }
+
+ provider "aws" {
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "ec2"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "r53"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "elb"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "efs"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "vpc"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "rds"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "aurora"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "ecs"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "db_proxy"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "redis"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "eks"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "ecr"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "aws" {
+ alias = "waf"
+ region = "us-east-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+
+ provider "kubernetes" {
+ alias = "eks"
+ host = null
+ cluster_ca_certificate = null
+ token = null
+ }
+ EOF
+
+ - name: Create mock terraform.tfvars
+ run: |
+ cat > operations/deployment/terraform/aws/terraform.tfvars << 'EOF'
+ aws_resource_identifier = "test-repo-branch"
+ aws_resource_identifier_supershort = "test-repo-branch"
+ app_repo_name = "test-repo"
+ app_org_name = "test-org"
+ app_branch_name = "test-branch"
+ ops_repo_environment = "deployment"
+ app_install_root = "/home/ubuntu"
+ EOF
+
+ - name: Terraform Init
+ id: init
+ run: terraform -chdir=operations/deployment/terraform/aws/ init -backend=false
+
+ - name: Terraform Validate
+ id:
validate + run: terraform -chdir=operations/deployment/terraform/aws/ validate + + - name: Comment Format Check Result + if: always() && steps.fmt.outcome == 'failure' && github.event_name == 'pull_request' + uses: actions/github-script@v7 + with: + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '⚠️ Terraform formatting issues detected. Run `terraform fmt -recursive operations/deployment/terraform/aws/` to fix.' + }) \ No newline at end of file diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 2071fbd43..21a0a0793 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf @@ -125,7 +125,7 @@ variable "aws_ec2_port_list" { default = "" } -variable "aws_ec2_user_data_replace_on_change" { +variable "aws_ec2_user_data_replace_on_change" { type = bool description = "Forces destruction of EC2 instance" default = true @@ -145,21 +145,21 @@ variable "aws_vpc_create" { } variable "aws_vpc_name" { - type = string + type = string description = "Name for the aws vpc" - default = "" + default = "" } variable "aws_vpc_id" { - type = string + type = string description = "aws vpc id" - default = "" + default = "" } variable "aws_vpc_subnet_id" { - type = string + type = string description = "aws vpc subnet id" - default = "" + default = "" } variable "aws_vpc_cidr_block" { @@ -1602,13 +1602,13 @@ variable "aws_ecs_additional_tags" { } # ECR -variable "aws_ecr_repo_create" { +variable "aws_ecr_repo_create" { description = "Determines whether a repository will be created" type = bool default = false } -variable "aws_ecr_repo_type" { +variable "aws_ecr_repo_type" { description = "The type of repository to create. Either `public` or `private`" type = string default = "private" 
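Review bot: The modules format check (`id: modules`) is never surfaced: the comment step at the end keys only on `steps.fmt.outcome`, both fmt steps carry `continue-on-error: true`, and both share the step name `Terraform Format Check`, so a formatting failure under `operations/deployment/terraform/modules/` passes the job silently and the PR comment always names only the `aws/` path. Consider `if: always() && (steps.fmt.outcome == 'failure' || steps.modules.outcome == 'failure') && github.event_name == 'pull_request'` and a distinct name such as `Terraform Format Check (modules)`, with the comment body listing both paths. The three actions are referenced by mutable major tags (`actions/checkout@v5`, `hashicorp/setup-terraform@v3`, `actions/github-script@v7`); pinning each to a full commit SHA with the tag kept as a trailing comment keeps a moved tag from changing what runs in CI. The workflow also declares no top-level `permissions:` block, so the GITHUB_TOKEN gets the repository default; an explicit `permissions: { contents: read, pull-requests: write }` documents that only the github-script step needs write access and stops the rest of the job from inheriting more (if the repository default is read-only, the comment step presumably fails today — verify on a PR).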
@@ -1736,7 +1736,7 @@ variable "aws_ecr_public_repo_catalog" { default = {} } -variable "aws_ecr_registry_policy_input" { +variable "aws_ecr_registry_policy_input" { description = "The policy document. This is a JSON formatted string" type = string default = "" diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index cfaa57986..628705b05 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -1,6 +1,6 @@ module "ec2" { source = "../modules/aws/ec2" - count = var.aws_ec2_instance_create ? 1 : 0 + count = var.aws_ec2_instance_create ? 1 : 0 # EC2 aws_ec2_ami_filter = var.aws_ec2_ami_filter aws_ec2_ami_owner = var.aws_ec2_ami_owner 
@@ -11,20 +11,20 @@ module "ec2" { aws_ec2_user_data_replace_on_change = var.aws_ec2_user_data_replace_on_change aws_ec2_instance_root_vol_size = var.aws_ec2_instance_root_vol_size aws_ec2_instance_root_vol_preserve = var.aws_ec2_instance_root_vol_preserve - aws_ec2_create_keypair_sm = var.aws_ec2_create_keypair_sm + aws_ec2_create_keypair_sm = var.aws_ec2_create_keypair_sm aws_ec2_security_group_name = var.aws_ec2_security_group_name aws_ec2_iam_instance_profile = var.aws_ec2_iam_instance_profile aws_ec2_port_list = var.aws_ec2_port_list # Data inputs - aws_ec2_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_vpc_dns_enabled = module.vpc.aws_vpc_dns_enabled - aws_subnet_selected_id = module.vpc.aws_vpc_subnet_selected - preferred_az = module.vpc.preferred_az + aws_ec2_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_vpc_dns_enabled = module.vpc.aws_vpc_dns_enabled + aws_subnet_selected_id = module.vpc.aws_vpc_subnet_selected + preferred_az = module.vpc.preferred_az # Others - aws_resource_identifier = var.aws_resource_identifier - aws_resource_identifier_supershort = var.aws_resource_identifier_supershort - ec2_tags = local.ec2_tags - depends_on = [module.vpc] + aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier_supershort = var.aws_resource_identifier_supershort + ec2_tags = local.ec2_tags + depends_on = [module.vpc] providers = { aws = aws.ec2 
@@ -37,13 +37,13 @@ module "ec2_sg_to_rds" { # Inputs sg_type = "ingress" sg_rule_description = "${var.aws_resource_identifier} - EC2 Incoming" - sg_rule_from_port = try(module.db_proxy_rds[0].db_proxy_port,module.rds[0].db_port) - sg_rule_to_port = try(module.db_proxy_rds[0].db_proxy_port,module.rds[0].db_port) + sg_rule_from_port = try(module.db_proxy_rds[0].db_proxy_port, module.rds[0].db_port) + sg_rule_to_port = try(module.db_proxy_rds[0].db_proxy_port, module.rds[0].db_port) sg_rule_protocol = "tcp" source_security_group_id = module.ec2[0].aws_security_group_ec2_sg_id - target_security_group_id = try(module.db_proxy_rds[0].db_proxy_sg_id,module.rds[0].rds_sg_id) - - depends_on = [ module.ec2,module.rds ] + target_security_group_id = try(module.db_proxy_rds[0].db_proxy_sg_id, module.rds[0].rds_sg_id) + + depends_on = [module.ec2, module.rds] } module "efs_to_ec2_sg" { @@ -57,22 +57,22 @@ module "efs_to_ec2_sg" { sg_rule_protocol = "tcp" source_security_group_id = try(module.efs[0].aws_efs_sg_id) target_security_group_id = module.ec2[0].aws_security_group_ec2_sg_id - depends_on = [ module.ec2,module.efs ] + depends_on = [module.ec2, module.efs] } module "aws_certificates" { source = "../modules/aws/certificates" - count = ( var.aws_ec2_instance_create || var.aws_ecs_enable ) && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0 + count = (var.aws_ec2_instance_create || var.aws_ecs_enable) && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0 # Cert aws_r53_cert_arn = var.aws_r53_cert_arn aws_r53_create_root_cert = var.aws_r53_create_root_cert aws_r53_create_sub_cert = var.aws_r53_create_sub_cert # R53 - aws_r53_domain_name = var.aws_r53_domain_name - aws_r53_sub_domain_name = var.aws_r53_sub_domain_name + aws_r53_domain_name = var.aws_r53_domain_name + aws_r53_sub_domain_name = var.aws_r53_sub_domain_name # Others - fqdn_provided = local.fqdn_provided - + fqdn_provided = local.fqdn_provided + providers = { aws = aws.r53 } 
@@ -82,17 +82,17 @@ module "aws_route53" { source = "../modules/aws/route53" count = var.aws_ec2_instance_create && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0 # R53 values - aws_r53_domain_name = var.aws_r53_domain_name - aws_r53_sub_domain_name = var.aws_r53_sub_domain_name - aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy - aws_r53_enable_cert = var.aws_r53_enable_cert + aws_r53_domain_name = var.aws_r53_domain_name + aws_r53_sub_domain_name = var.aws_r53_sub_domain_name + aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy + aws_r53_enable_cert = var.aws_r53_enable_cert # ELB - aws_elb_dns_name = try(module.aws_elb[0].aws_elb_dns_name,"") - aws_elb_zone_id = try(module.aws_elb[0].aws_elb_zone_id,"") + aws_elb_dns_name = try(module.aws_elb[0].aws_elb_dns_name, "") + aws_elb_zone_id = try(module.aws_elb[0].aws_elb_zone_id, "") # Certs aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" # Others - fqdn_provided = local.fqdn_provided + fqdn_provided = local.fqdn_provided providers = { aws = aws.r53 
@@ -103,28 +103,28 @@ module "aws_elb" { source = "../modules/aws/elb" count = var.aws_ec2_instance_create && var.aws_elb_create ? 1 : 0 # ELB Values - aws_elb_security_group_name = var.aws_elb_security_group_name - aws_elb_app_port = var.aws_elb_app_port - aws_elb_app_protocol = var.aws_elb_app_protocol - aws_elb_listen_port = var.aws_elb_listen_port - aws_elb_listen_protocol = var.aws_elb_listen_protocol - aws_elb_healthcheck = var.aws_elb_healthcheck - aws_elb_access_log_bucket_name = var.aws_elb_access_log_bucket_name - aws_elb_access_log_expire = var.aws_elb_access_log_expire + aws_elb_security_group_name = var.aws_elb_security_group_name + aws_elb_app_port = var.aws_elb_app_port + aws_elb_app_protocol = var.aws_elb_app_protocol + aws_elb_listen_port = var.aws_elb_listen_port + aws_elb_listen_protocol = var.aws_elb_listen_protocol + aws_elb_healthcheck = var.aws_elb_healthcheck + aws_elb_access_log_bucket_name = var.aws_elb_access_log_bucket_name + aws_elb_access_log_expire = var.aws_elb_access_log_expire # EC2 - aws_instance_server_az = [module.vpc.preferred_az] - aws_vpc_selected_id = module.vpc.aws_selected_vpc_id - aws_vpc_subnet_selected = module.vpc.aws_vpc_subnet_selected - aws_instance_server_id = module.ec2[0].aws_instance_server_id - aws_elb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id + aws_instance_server_az = [module.vpc.preferred_az] + aws_vpc_selected_id = module.vpc.aws_selected_vpc_id + aws_vpc_subnet_selected = module.vpc.aws_vpc_subnet_selected + aws_instance_server_id = module.ec2[0].aws_instance_server_id + aws_elb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id # Certs - aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? 
module.aws_certificates[0].selected_arn : "" # Others aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - depends_on = [module.vpc,module.ec2] - + depends_on = [module.vpc, module.ec2] + providers = { aws = aws.elb } @@ -134,10 +134,10 @@ module "efs" { source = "../modules/aws/efs" count = var.aws_efs_enable ? 1 : 0 # EFS - aws_efs_create = var.aws_efs_create - aws_efs_fs_id = var.aws_efs_fs_id - aws_efs_create_mount_target = var.aws_efs_create_mount_target - aws_efs_create_ha = var.aws_efs_create_ha + aws_efs_create = var.aws_efs_create + aws_efs_fs_id = var.aws_efs_fs_id + aws_efs_create_mount_target = var.aws_efs_create_mount_target + aws_efs_create_ha = var.aws_efs_create_ha aws_efs_vol_encrypted = var.aws_efs_vol_encrypted aws_efs_kms_key_id = var.aws_efs_kms_key_id @@ -151,12 +151,12 @@ module "efs" { aws_efs_replication_destination = var.aws_efs_replication_destination aws_efs_enable_backup_policy = var.aws_efs_enable_backup_policy aws_efs_transition_to_inactive = var.aws_efs_transition_to_inactive - + # VPC Inputs - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_selected_subnet_id = module.vpc.aws_vpc_subnet_selected - aws_resource_identifier = var.aws_resource_identifier - depends_on = [module.vpc] + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_selected_subnet_id = module.vpc.aws_vpc_subnet_selected + aws_resource_identifier = var.aws_resource_identifier + depends_on = [module.vpc] providers = { aws = aws.efs 
@@ -204,10 +204,10 @@ module "rds" { aws_rds_db_copy_tags_to_snapshot = var.aws_rds_db_copy_tags_to_snapshot # Others #aws_ec2_security_group = var.aws_ec2_instance_create ? module.ec2[0].aws_security_group_ec2_sg_id : "" - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_subnets_vpc_subnets_ids = module.vpc.aws_selected_vpc_subnets - aws_resource_identifier = var.aws_resource_identifier - aws_resource_identifier_supershort = var.aws_resource_identifier_supershort + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_subnets_vpc_subnets_ids = module.vpc.aws_selected_vpc_subnets + aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Dependencies depends_on = [module.vpc] 
@@ -220,29 +220,29 @@ module "db_proxy_rds" { source = "../modules/aws/db_proxy" count = var.aws_rds_db_proxy ? 1 : 0 # PROXY - aws_aurora_proxy = var.aws_aurora_proxy - aws_rds_db_proxy = var.aws_rds_db_proxy - aws_db_proxy_name = var.aws_db_proxy_name != "" ? var.aws_db_proxy_name : lower(var.aws_resource_identifier) - aws_db_proxy_database_id = module.rds[0].db_id - aws_db_proxy_cluster = false - aws_db_proxy_secret_name = module.rds[0].db_secret_name - aws_db_proxy_client_password_auth_type = var.aws_db_proxy_client_password_auth_type - aws_db_proxy_tls = var.aws_db_proxy_tls - aws_db_proxy_security_group_name = var.aws_db_proxy_security_group_name - aws_db_proxy_database_security_group_allow = var.aws_db_proxy_database_security_group_allow - aws_db_proxy_allowed_security_group = var.aws_db_proxy_allowed_security_group - aws_db_proxy_allow_all_incoming = var.aws_db_proxy_allow_all_incoming - aws_db_proxy_cloudwatch_enable = var.aws_db_proxy_cloudwatch_enable - aws_db_proxy_cloudwatch_retention_days = var.aws_db_proxy_cloudwatch_retention_days + aws_aurora_proxy = var.aws_aurora_proxy + aws_rds_db_proxy = var.aws_rds_db_proxy + aws_db_proxy_name = var.aws_db_proxy_name != "" ? 
var.aws_db_proxy_name : lower(var.aws_resource_identifier) + aws_db_proxy_database_id = module.rds[0].db_id + aws_db_proxy_cluster = false + aws_db_proxy_secret_name = module.rds[0].db_secret_name + aws_db_proxy_client_password_auth_type = var.aws_db_proxy_client_password_auth_type + aws_db_proxy_tls = var.aws_db_proxy_tls + aws_db_proxy_security_group_name = var.aws_db_proxy_security_group_name + aws_db_proxy_database_security_group_allow = var.aws_db_proxy_database_security_group_allow + aws_db_proxy_allowed_security_group = var.aws_db_proxy_allowed_security_group + aws_db_proxy_allow_all_incoming = var.aws_db_proxy_allow_all_incoming + aws_db_proxy_cloudwatch_enable = var.aws_db_proxy_cloudwatch_enable + aws_db_proxy_cloudwatch_retention_days = var.aws_db_proxy_cloudwatch_retention_days # Others #aws_ec2_security_group = var.aws_ec2_instance_create ? module.ec2[0].aws_security_group_ec2_sg_id : "" - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_selected_subnets = module.vpc.aws_selected_vpc_subnets - aws_resource_identifier = var.aws_resource_identifier - aws_resource_identifier_supershort = var.aws_resource_identifier_supershort - incoming_random_string = module.rds[0].random_string + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_selected_subnets = module.vpc.aws_selected_vpc_subnets + aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier_supershort = var.aws_resource_identifier_supershort + incoming_random_string = module.rds[0].random_string # Dependencies - depends_on = [module.vpc,module.rds] + depends_on = [module.vpc, module.rds] providers = { aws = aws.db_proxy 
@@ -260,17 +260,17 @@ module "aurora_rds" { aws_aurora_availability_zones = var.aws_aurora_availability_zones aws_aurora_cluster_apply_immediately = var.aws_aurora_cluster_apply_immediately # Storage - aws_aurora_allocated_storage = var.aws_aurora_allocated_storage - aws_aurora_storage_encrypted = var.aws_aurora_storage_encrypted - aws_aurora_kms_key_id = var.aws_aurora_kms_key_id - aws_aurora_storage_type = var.aws_aurora_storage_type - aws_aurora_storage_iops = var.aws_aurora_storage_iops + aws_aurora_allocated_storage = var.aws_aurora_allocated_storage + aws_aurora_storage_encrypted = var.aws_aurora_storage_encrypted + aws_aurora_kms_key_id = var.aws_aurora_kms_key_id + aws_aurora_storage_type = var.aws_aurora_storage_type + aws_aurora_storage_iops = var.aws_aurora_storage_iops # DB Details - aws_aurora_database_name = var.aws_aurora_database_name - aws_aurora_master_username = var.aws_aurora_master_username - aws_aurora_database_group_family = var.aws_aurora_database_group_family - aws_aurora_iam_auth_enabled = var.aws_aurora_iam_auth_enabled - aws_aurora_iam_roles = var.aws_aurora_iam_roles + aws_aurora_database_name = var.aws_aurora_database_name + aws_aurora_master_username = var.aws_aurora_master_username + aws_aurora_database_group_family = var.aws_aurora_database_group_family + aws_aurora_iam_auth_enabled = var.aws_aurora_iam_auth_enabled + aws_aurora_iam_roles = var.aws_aurora_iam_roles # Net aws_aurora_cluster_db_instance_class = var.aws_aurora_cluster_db_instance_class aws_aurora_security_group_name = var.aws_aurora_security_group_name 
@@ -295,11 +295,11 @@ module "aurora_rds" { aws_aurora_snapshot_name = var.aws_aurora_snapshot_name aws_aurora_snapshot_overwrite = var.aws_aurora_snapshot_overwrite # DB Parameters - aws_aurora_db_instances_count = var.aws_aurora_db_instances_count - aws_aurora_db_instance_class = var.aws_aurora_db_instance_class - aws_aurora_db_apply_immediately = var.aws_aurora_db_apply_immediately - aws_aurora_db_ca_cert_identifier = var.aws_aurora_db_ca_cert_identifier - aws_aurora_db_maintenance_window = var.aws_aurora_db_maintenance_window + aws_aurora_db_instances_count = var.aws_aurora_db_instances_count + aws_aurora_db_instance_class = var.aws_aurora_db_instance_class + aws_aurora_db_apply_immediately = var.aws_aurora_db_apply_immediately + aws_aurora_db_ca_cert_identifier = var.aws_aurora_db_ca_cert_identifier + aws_aurora_db_maintenance_window = var.aws_aurora_db_maintenance_window # Extras aws_aurora_performance_insights_enable = var.aws_aurora_performance_insights_enable aws_aurora_performance_insights_kms_key_id = var.aws_aurora_performance_insights_kms_key_id @@ -307,12 +307,12 @@ module "aurora_rds" { # Others # Incoming #aws_ec2_security_group = var.aws_ec2_instance_create ? module.ec2[0].aws_security_group_ec2_sg_id : "" - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_subnets_vpc_subnets_ids = module.vpc.aws_selected_vpc_subnets - aws_resource_identifier = var.aws_resource_identifier - aws_resource_identifier_supershort = var.aws_resource_identifier_supershort + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_subnets_vpc_subnets_ids = module.vpc.aws_selected_vpc_subnets + aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Dependencies - depends_on = [module.vpc,module.ec2] + depends_on = [module.vpc, module.ec2] providers = { aws = aws.aurora 
@@ -323,29 +323,29 @@ module "db_proxy_aurora" { source = "../modules/aws/db_proxy" count = var.aws_aurora_proxy ? 1 : 0 # PROXY - aws_aurora_proxy = var.aws_aurora_proxy - aws_rds_db_proxy = var.aws_rds_db_proxy - aws_db_proxy_name = var.aws_db_proxy_name != "" ? var.aws_db_proxy_name : lower(var.aws_resource_identifier) - aws_db_proxy_database_id = module.aurora_rds[0].aurora_db_id - aws_db_proxy_cluster = true - aws_db_proxy_secret_name = module.aurora_rds[0].aurora_secret_name - aws_db_proxy_client_password_auth_type = var.aws_db_proxy_client_password_auth_type - aws_db_proxy_tls = var.aws_db_proxy_tls - aws_db_proxy_security_group_name = var.aws_db_proxy_security_group_name - aws_db_proxy_database_security_group_allow = var.aws_db_proxy_database_security_group_allow - aws_db_proxy_allowed_security_group = var.aws_db_proxy_allowed_security_group - aws_db_proxy_allow_all_incoming = var.aws_db_proxy_allow_all_incoming - aws_db_proxy_cloudwatch_enable = var.aws_db_proxy_cloudwatch_enable - aws_db_proxy_cloudwatch_retention_days = var.aws_db_proxy_cloudwatch_retention_days + aws_aurora_proxy = var.aws_aurora_proxy + aws_rds_db_proxy = var.aws_rds_db_proxy + aws_db_proxy_name = var.aws_db_proxy_name != "" ? 
var.aws_db_proxy_name : lower(var.aws_resource_identifier) + aws_db_proxy_database_id = module.aurora_rds[0].aurora_db_id + aws_db_proxy_cluster = true + aws_db_proxy_secret_name = module.aurora_rds[0].aurora_secret_name + aws_db_proxy_client_password_auth_type = var.aws_db_proxy_client_password_auth_type + aws_db_proxy_tls = var.aws_db_proxy_tls + aws_db_proxy_security_group_name = var.aws_db_proxy_security_group_name + aws_db_proxy_database_security_group_allow = var.aws_db_proxy_database_security_group_allow + aws_db_proxy_allowed_security_group = var.aws_db_proxy_allowed_security_group + aws_db_proxy_allow_all_incoming = var.aws_db_proxy_allow_all_incoming + aws_db_proxy_cloudwatch_enable = var.aws_db_proxy_cloudwatch_enable + aws_db_proxy_cloudwatch_retention_days = var.aws_db_proxy_cloudwatch_retention_days # Others #aws_ec2_security_group = var.aws_ec2_instance_create ? module.ec2[0].aws_security_group_ec2_sg_id : "" - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_selected_subnets = module.vpc.aws_selected_vpc_subnets - aws_resource_identifier = var.aws_resource_identifier - aws_resource_identifier_supershort = var.aws_resource_identifier_supershort - incoming_random_string = module.aurora_rds[0].random_string + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_selected_subnets = module.vpc.aws_selected_vpc_subnets + aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier_supershort = var.aws_resource_identifier_supershort + incoming_random_string = module.aurora_rds[0].random_string # Dependencies - depends_on = [module.vpc,module.aurora_rds] + depends_on = [module.vpc, module.aurora_rds] providers = { aws = aws.db_proxy 
@@ -357,29 +357,29 @@ module "db_proxy" { source = "../modules/aws/db_proxy" count = var.aws_db_proxy_enable ? 1 : 0 # PROXY - aws_aurora_proxy = var.aws_aurora_proxy - aws_rds_db_proxy = var.aws_rds_db_proxy - aws_db_proxy_name = var.aws_db_proxy_name != "" ? var.aws_db_proxy_name : lower(var.aws_resource_identifier) - aws_db_proxy_database_id = var.aws_db_proxy_database_id - aws_db_proxy_cluster = var.aws_db_proxy_cluster - aws_db_proxy_secret_name = var.aws_db_proxy_secret_name - aws_db_proxy_client_password_auth_type = var.aws_db_proxy_client_password_auth_type - aws_db_proxy_tls = var.aws_db_proxy_tls - aws_db_proxy_security_group_name = var.aws_db_proxy_security_group_name - aws_db_proxy_database_security_group_allow = var.aws_db_proxy_database_security_group_allow - aws_db_proxy_allowed_security_group = var.aws_db_proxy_allowed_security_group - aws_db_proxy_allow_all_incoming = var.aws_db_proxy_allow_all_incoming - aws_db_proxy_cloudwatch_enable = var.aws_db_proxy_cloudwatch_enable - aws_db_proxy_cloudwatch_retention_days = var.aws_db_proxy_cloudwatch_retention_days + aws_aurora_proxy = var.aws_aurora_proxy + aws_rds_db_proxy = var.aws_rds_db_proxy + aws_db_proxy_name = var.aws_db_proxy_name != "" ? 
var.aws_db_proxy_name : lower(var.aws_resource_identifier) + aws_db_proxy_database_id = var.aws_db_proxy_database_id + aws_db_proxy_cluster = var.aws_db_proxy_cluster + aws_db_proxy_secret_name = var.aws_db_proxy_secret_name + aws_db_proxy_client_password_auth_type = var.aws_db_proxy_client_password_auth_type + aws_db_proxy_tls = var.aws_db_proxy_tls + aws_db_proxy_security_group_name = var.aws_db_proxy_security_group_name + aws_db_proxy_database_security_group_allow = var.aws_db_proxy_database_security_group_allow + aws_db_proxy_allowed_security_group = var.aws_db_proxy_allowed_security_group + aws_db_proxy_allow_all_incoming = var.aws_db_proxy_allow_all_incoming + aws_db_proxy_cloudwatch_enable = var.aws_db_proxy_cloudwatch_enable + aws_db_proxy_cloudwatch_retention_days = var.aws_db_proxy_cloudwatch_retention_days # Others #aws_ec2_security_group = var.aws_ec2_instance_create ? module.ec2[0].aws_security_group_ec2_sg_id : "" - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_selected_subnets = module.vpc.aws_selected_vpc_subnets - aws_resource_identifier = var.aws_resource_identifier - aws_resource_identifier_supershort = var.aws_resource_identifier_supershort - incoming_random_string = null + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_selected_subnets = module.vpc.aws_selected_vpc_subnets + aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier_supershort = var.aws_resource_identifier_supershort + incoming_random_string = null # Dependencies - depends_on = [module.vpc,module.ec2] + depends_on = [module.vpc, module.ec2] providers = { aws = aws.db_proxy 
@@ -387,11 +387,11 @@ module "db_proxy" { } module "proxy_dot_env" { - source = "../modules/commons/dot_env" - count = var.aws_aurora_proxy ? 1 : var.aws_db_proxy_enable ? 1 : var.aws_rds_db_proxy ? 1 : 0 - filename = "proxy.env" - content = join("\n",[try(module.db_proxy_aurora[0].proxy_dot_env,""),try(module.db_proxy_rds[0].proxy_dot_env,""),try(module.db_proxy[0].proxy_dot_env,"")]) - depends_on = [ module.db_proxy_aurora,module.db_proxy_rds,module.db_proxy_rds ] + source = "../modules/commons/dot_env" + count = var.aws_aurora_proxy ? 1 : var.aws_db_proxy_enable ? 1 : var.aws_rds_db_proxy ? 1 : 0 + filename = "proxy.env" + content = join("\n", [try(module.db_proxy_aurora[0].proxy_dot_env, ""), try(module.db_proxy_rds[0].proxy_dot_env, ""), try(module.db_proxy[0].proxy_dot_env, "")]) + depends_on = [module.db_proxy_aurora, module.db_proxy_rds, module.db_proxy_rds] } module "redis" { @@ -429,13 +429,13 @@ module "redis" { aws_redis_cloudwatch_retention_days = var.aws_redis_cloudwatch_retention_days aws_redis_single_line_url_secret = var.aws_redis_single_line_url_secret # Others - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_selected_subnets = module.vpc.aws_selected_vpc_subnets - aws_resource_identifier = var.aws_resource_identifier - aws_resource_identifier_supershort = var.aws_resource_identifier_supershort + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_selected_subnets = module.vpc.aws_selected_vpc_subnets + aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Dependencies - depends_on = [module.vpc,module.ec2] + depends_on = [module.vpc, module.ec2] providers = { aws = aws.redis } 
@@ -445,25 +445,25 @@ module "vpc" { source = "../modules/aws/vpc" #count = var.aws_ec2_instance_create || var.aws_efs_enable || var.aws_aurora_enable ? 1 : 0 # VPC - aws_vpc_create = var.aws_vpc_create - aws_vpc_id = var.aws_vpc_id - aws_vpc_subnet_id = var.aws_vpc_subnet_id - aws_vpc_cidr_block = var.aws_vpc_cidr_block - aws_vpc_name = var.aws_vpc_name - aws_vpc_public_subnets = var.aws_vpc_public_subnets - aws_vpc_private_subnets = var.aws_vpc_private_subnets - aws_vpc_availability_zones = var.aws_vpc_availability_zones + aws_vpc_create = var.aws_vpc_create + aws_vpc_id = var.aws_vpc_id + aws_vpc_subnet_id = var.aws_vpc_subnet_id + aws_vpc_cidr_block = var.aws_vpc_cidr_block + aws_vpc_name = var.aws_vpc_name + aws_vpc_public_subnets = var.aws_vpc_public_subnets + aws_vpc_private_subnets = var.aws_vpc_private_subnets + aws_vpc_availability_zones = var.aws_vpc_availability_zones # Data inputs aws_ec2_instance_type = var.aws_ec2_instance_type aws_ec2_security_group_name = var.aws_ec2_security_group_name # Others - aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier = var.aws_resource_identifier # NEW aws_vpc_enable_nat_gateway = var.aws_vpc_enable_nat_gateway aws_vpc_single_nat_gateway = var.aws_vpc_single_nat_gateway aws_vpc_external_nat_ip_ids = var.aws_vpc_external_nat_ip_ids # Toggle EKS flag to add tags to subnets - aws_eks_create = var.aws_eks_create + aws_eks_create = var.aws_eks_create providers = { aws = aws.vpc } 
@@ -479,41 +479,41 @@ module "aws_ecs" { source = "../modules/aws/ecs" count = var.aws_ecs_enable ? 1 : 0 # ECS - aws_ecs_service_name = var.aws_ecs_service_name - aws_ecs_cluster_name = var.aws_ecs_cluster_name - aws_ecs_service_launch_type = var.aws_ecs_service_launch_type - aws_ecs_task_type = var.aws_ecs_task_type - aws_ecs_task_name = var.aws_ecs_task_name - aws_ecs_task_ignore_definition = var.aws_ecs_task_ignore_definition - aws_ecs_task_execution_role = var.aws_ecs_task_execution_role - aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file - aws_ecs_task_network_mode = var.aws_ecs_task_network_mode - aws_ecs_task_cpu = var.aws_ecs_task_cpu - aws_ecs_task_mem = var.aws_ecs_task_mem - aws_ecs_container_cpu = var.aws_ecs_container_cpu - aws_ecs_container_mem = var.aws_ecs_container_mem - aws_ecs_node_count = var.aws_ecs_node_count - aws_ecs_app_image = var.aws_ecs_app_image - aws_ecs_security_group_name = var.aws_ecs_security_group_name - aws_ecs_assign_public_ip = var.aws_ecs_assign_public_ip - aws_ecs_container_port = var.aws_ecs_container_port - aws_ecs_lb_port = var.aws_ecs_lb_port - aws_ecs_lb_redirect_enable = var.aws_ecs_lb_redirect_enable - aws_ecs_lb_container_path = var.aws_ecs_lb_container_path - aws_ecs_lb_ssl_policy = var.aws_ecs_lb_ssl_policy - aws_ecs_lb_www_to_apex_redirect = var.aws_r53_root_domain_deploy ? var.aws_ecs_lb_www_to_apex_redirect : false - aws_ecs_autoscaling_enable = var.aws_ecs_autoscaling_enable - aws_ecs_autoscaling_max_nodes = var.aws_ecs_autoscaling_max_nodes - aws_ecs_autoscaling_min_nodes = var.aws_ecs_autoscaling_min_nodes - aws_ecs_autoscaling_max_mem = var.aws_ecs_autoscaling_max_mem - aws_ecs_autoscaling_max_cpu = var.aws_ecs_autoscaling_max_cpu - aws_ecs_cloudwatch_enable = var.aws_ecs_cloudwatch_enable - aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? ( var.aws_ecs_cloudwatch_lg_name != null ? 
var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs" ) : null - aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy - aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days - aws_region_current_name = module.vpc.aws_region_current_name - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_selected_subnets = module.vpc.aws_selected_vpc_subnets + aws_ecs_service_name = var.aws_ecs_service_name + aws_ecs_cluster_name = var.aws_ecs_cluster_name + aws_ecs_service_launch_type = var.aws_ecs_service_launch_type + aws_ecs_task_type = var.aws_ecs_task_type + aws_ecs_task_name = var.aws_ecs_task_name + aws_ecs_task_ignore_definition = var.aws_ecs_task_ignore_definition + aws_ecs_task_execution_role = var.aws_ecs_task_execution_role + aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file + aws_ecs_task_network_mode = var.aws_ecs_task_network_mode + aws_ecs_task_cpu = var.aws_ecs_task_cpu + aws_ecs_task_mem = var.aws_ecs_task_mem + aws_ecs_container_cpu = var.aws_ecs_container_cpu + aws_ecs_container_mem = var.aws_ecs_container_mem + aws_ecs_node_count = var.aws_ecs_node_count + aws_ecs_app_image = var.aws_ecs_app_image + aws_ecs_security_group_name = var.aws_ecs_security_group_name + aws_ecs_assign_public_ip = var.aws_ecs_assign_public_ip + aws_ecs_container_port = var.aws_ecs_container_port + aws_ecs_lb_port = var.aws_ecs_lb_port + aws_ecs_lb_redirect_enable = var.aws_ecs_lb_redirect_enable + aws_ecs_lb_container_path = var.aws_ecs_lb_container_path + aws_ecs_lb_ssl_policy = var.aws_ecs_lb_ssl_policy + aws_ecs_lb_www_to_apex_redirect = var.aws_r53_root_domain_deploy ? 
var.aws_ecs_lb_www_to_apex_redirect : false + aws_ecs_autoscaling_enable = var.aws_ecs_autoscaling_enable + aws_ecs_autoscaling_max_nodes = var.aws_ecs_autoscaling_max_nodes + aws_ecs_autoscaling_min_nodes = var.aws_ecs_autoscaling_min_nodes + aws_ecs_autoscaling_max_mem = var.aws_ecs_autoscaling_max_mem + aws_ecs_autoscaling_max_cpu = var.aws_ecs_autoscaling_max_cpu + aws_ecs_cloudwatch_enable = var.aws_ecs_cloudwatch_enable + aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null + aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy + aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days + aws_region_current_name = module.vpc.aws_region_current_name + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_selected_subnets = module.vpc.aws_selected_vpc_subnets # Others aws_r53_domain_name = var.aws_r53_enable && var.aws_r53_domain_name != "" ? var.aws_r53_domain_name : "" aws_certificate_enabled = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? true : false @@ -522,7 +522,7 @@ module "aws_ecs" { aws_resource_identifier_supershort = var.aws_resource_identifier_supershort app_repo_name = var.app_repo_name # Dependencies - depends_on = [ module.aws_certificates ] + depends_on = [module.aws_certificates] providers = { aws = aws.ecs } 
@@ -530,28 +530,28 @@ module "aws_ecs" { module "aws_route53_ecs" { source = "../modules/aws/route53" - count = var.aws_ecs_enable && var.aws_r53_enable && var.aws_r53_domain_name != "" && ( var.aws_ecs_container_port != "" || var.aws_ecs_task_ignore_definition ) ? 1 : 0 + count = var.aws_ecs_enable && var.aws_r53_enable && var.aws_r53_domain_name != "" && (var.aws_ecs_container_port != "" || var.aws_ecs_task_ignore_definition) ? 1 : 0 # R53 values - aws_r53_domain_name = var.aws_r53_domain_name - aws_r53_sub_domain_name = var.aws_r53_sub_domain_name - aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy - aws_r53_enable_cert = var.aws_r53_enable_cert + aws_r53_domain_name = var.aws_r53_domain_name + aws_r53_sub_domain_name = var.aws_r53_sub_domain_name + aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy + aws_r53_enable_cert = var.aws_r53_enable_cert # ELB - aws_elb_dns_name = module.aws_ecs[0].load_balancer_dns - aws_elb_zone_id = module.aws_ecs[0].load_balancer_zone_id + aws_elb_dns_name = module.aws_ecs[0].load_balancer_dns + aws_elb_zone_id = module.aws_ecs[0].load_balancer_zone_id # Certs aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" # Others - fqdn_provided = local.fqdn_provided - depends_on = [ module.aws_certificates ] + fqdn_provided = local.fqdn_provided + depends_on = [module.aws_certificates] providers = { aws = aws.r53 } } module "aws_waf_ecs" { - source = "../modules/aws/waf" - count = var.aws_waf_enable && var.aws_ecs_enable && ( var.aws_ecs_container_port != "" || var.aws_ecs_task_ignore_definition ) ? 1 : 0 + source = "../modules/aws/waf" + count = var.aws_waf_enable && var.aws_ecs_enable && (var.aws_ecs_container_port != "" || var.aws_ecs_task_ignore_definition) ? 1 : 0 aws_waf_enable = var.aws_waf_enable aws_waf_logging_enable = var.aws_waf_logging_enable aws_waf_log_retention_days = var.aws_waf_log_retention_days 
@@ -573,7 +573,7 @@ module "aws_waf_ecs" { # Incoming aws_lb_resource_arn = module.aws_ecs[0].load_balancer_arn # Others - depends_on = [ module.aws_ecs ] + depends_on = [module.aws_ecs] providers = { aws = aws.waf } @@ -607,7 +607,7 @@ module "aws_ecr" { aws_ecr_public_repo_catalog = var.aws_ecr_public_repo_catalog aws_ecr_registry_policy_input = var.aws_ecr_registry_policy_input # Others - aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier = var.aws_resource_identifier providers = { aws = aws.ecr 
@@ -620,45 +620,45 @@ module "eks" { # EKS #aws_eks_create = var.aws_eks_create aws_eks_security_group_name_cluster = var.aws_eks_security_group_name_cluster - aws_eks_security_group_name_node = var.aws_eks_security_group_name_node - aws_eks_environment = var.aws_eks_environment - aws_eks_management_cidr = var.aws_eks_management_cidr - aws_eks_allowed_ports = var.aws_eks_allowed_ports - aws_eks_allowed_ports_cidr = var.aws_eks_allowed_ports_cidr - aws_eks_cluster_name = var.aws_eks_cluster_name - aws_eks_cluster_admin_role_arn = var.aws_eks_cluster_admin_role_arn - aws_eks_cluster_log_types = var.aws_eks_cluster_log_types - aws_eks_cluster_log_retention_days = var.aws_eks_cluster_log_retention_days - aws_eks_cluster_log_skip_destroy = var.aws_eks_cluster_log_skip_destroy - aws_eks_cluster_version = var.aws_eks_cluster_version - aws_eks_instance_type = var.aws_eks_instance_type - aws_eks_instance_ami_id = var.aws_eks_instance_ami_id - aws_eks_instance_user_data_file = var.aws_eks_instance_user_data_file - aws_eks_ec2_key_pair = var.aws_eks_ec2_key_pair - aws_eks_store_keypair_sm = var.aws_eks_store_keypair_sm - aws_eks_desired_capacity = var.aws_eks_desired_capacity - aws_eks_max_size = var.aws_eks_max_size - aws_eks_min_size = var.aws_eks_min_size + aws_eks_security_group_name_node = var.aws_eks_security_group_name_node + aws_eks_environment = var.aws_eks_environment + aws_eks_management_cidr = var.aws_eks_management_cidr + aws_eks_allowed_ports = var.aws_eks_allowed_ports + aws_eks_allowed_ports_cidr = var.aws_eks_allowed_ports_cidr + aws_eks_cluster_name = var.aws_eks_cluster_name + aws_eks_cluster_admin_role_arn = var.aws_eks_cluster_admin_role_arn + aws_eks_cluster_log_types = var.aws_eks_cluster_log_types + aws_eks_cluster_log_retention_days = var.aws_eks_cluster_log_retention_days + aws_eks_cluster_log_skip_destroy = var.aws_eks_cluster_log_skip_destroy + aws_eks_cluster_version = var.aws_eks_cluster_version + aws_eks_instance_type = var.aws_eks_instance_type 
+ aws_eks_instance_ami_id = var.aws_eks_instance_ami_id + aws_eks_instance_user_data_file = var.aws_eks_instance_user_data_file + aws_eks_ec2_key_pair = var.aws_eks_ec2_key_pair + aws_eks_store_keypair_sm = var.aws_eks_store_keypair_sm + aws_eks_desired_capacity = var.aws_eks_desired_capacity + aws_eks_max_size = var.aws_eks_max_size + aws_eks_min_size = var.aws_eks_min_size # Others - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_resource_identifier = var.aws_resource_identifier + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_resource_identifier = var.aws_resource_identifier providers = { - aws = aws.eks + aws = aws.eks kubernetes = kubernetes.eks } - depends_on = [ module.vpc ] + depends_on = [module.vpc] } module "ansible" { - source = "../modules/aws/ansible" - count = var.ansible_skip ? 0 : var.aws_ec2_instance_create ? 1 : 0 - aws_ec2_instance_ip = var.ansible_ssh_to_private_ip ? module.ec2[0].instance_private_ip : ( module.ec2[0].instance_public_ip != "" ? module.ec2[0].instance_public_ip : module.ec2[0].instance_private_ip ) - ansible_start_docker_timeout = var.ansible_start_docker_timeout - aws_efs_enable = var.aws_efs_enable - app_repo_name = var.app_repo_name - app_install_root = var.app_install_root - aws_resource_identifier = var.aws_resource_identifier - docker_remove_orphans = var.docker_remove_orphans + source = "../modules/aws/ansible" + count = var.ansible_skip ? 0 : var.aws_ec2_instance_create ? 1 : 0 + aws_ec2_instance_ip = var.ansible_ssh_to_private_ip ? module.ec2[0].instance_private_ip : (module.ec2[0].instance_public_ip != "" ? 
module.ec2[0].instance_public_ip : module.ec2[0].instance_private_ip) + ansible_start_docker_timeout = var.ansible_start_docker_timeout + aws_efs_enable = var.aws_efs_enable + app_repo_name = var.app_repo_name + app_install_root = var.app_install_root + aws_resource_identifier = var.aws_resource_identifier + docker_remove_orphans = var.docker_remove_orphans # Cloudwatch docker_cloudwatch_enable = var.docker_cloudwatch_enable docker_cloudwatch_lg_name = var.docker_cloudwatch_lg_name != "" ? var.docker_cloudwatch_lg_name : "${var.aws_resource_identifier}-docker-logs" @@ -670,7 +670,7 @@ module "ansible" { docker_efs_mount_target = var.docker_efs_mount_target aws_efs_fs_id = var.aws_efs_enable ? local.create_efs ? module.efs[0].aws_efs_fs_id : var.aws_efs_fs_id : null # Data inputs - private_key_filename = module.ec2[0].private_key_filename + private_key_filename = module.ec2[0].private_key_filename # Dependencies depends_on = [module.ec2] } 
@@ -688,20 +688,20 @@ locals { } default_tags = merge(local.aws_tags, jsondecode(var.aws_additional_tags)) # Module tagging - ec2_tags = merge(local.default_tags,jsondecode(var.aws_ec2_additional_tags)) - r53_tags = merge(local.default_tags,jsondecode(var.aws_r53_additional_tags)) - elb_tags = merge(local.default_tags,jsondecode(var.aws_elb_additional_tags)) - efs_tags = merge(local.default_tags,jsondecode(var.aws_efs_additional_tags)) - vpc_tags = var.aws_eks_create ? local.vpc_eks_tags : merge(local.default_tags,jsondecode(var.aws_vpc_additional_tags)) - vpc_eks_tags = merge(local.default_tags,jsondecode(var.aws_vpc_additional_tags),local.eks_vpc_tags) - eks_tags = merge(local.default_tags,jsondecode(var.aws_eks_additional_tags)) - rds_tags = merge(local.default_tags,jsondecode(var.aws_rds_db_additional_tags)) - ecs_tags = merge(local.default_tags,jsondecode(var.aws_ecs_additional_tags)) - aurora_tags = merge(local.default_tags,jsondecode(var.aws_aurora_additional_tags)) - ecr_tags = merge(local.default_tags,jsondecode(var.aws_ecr_additional_tags)) - db_proxy_tags = merge(local.default_tags,jsondecode(var.aws_db_proxy_additional_tags)) - redis_tags = merge(local.default_tags,jsondecode(var.aws_redis_additional_tags)) - waf_tags = merge(local.default_tags,jsondecode(var.aws_waf_additional_tags)) + ec2_tags = merge(local.default_tags, jsondecode(var.aws_ec2_additional_tags)) + r53_tags = merge(local.default_tags, jsondecode(var.aws_r53_additional_tags)) + elb_tags = merge(local.default_tags, jsondecode(var.aws_elb_additional_tags)) + efs_tags = merge(local.default_tags, jsondecode(var.aws_efs_additional_tags)) + vpc_tags = var.aws_eks_create ? 
local.vpc_eks_tags : merge(local.default_tags, jsondecode(var.aws_vpc_additional_tags)) + vpc_eks_tags = merge(local.default_tags, jsondecode(var.aws_vpc_additional_tags), local.eks_vpc_tags) + eks_tags = merge(local.default_tags, jsondecode(var.aws_eks_additional_tags)) + rds_tags = merge(local.default_tags, jsondecode(var.aws_rds_db_additional_tags)) + ecs_tags = merge(local.default_tags, jsondecode(var.aws_ecs_additional_tags)) + aurora_tags = merge(local.default_tags, jsondecode(var.aws_aurora_additional_tags)) + ecr_tags = merge(local.default_tags, jsondecode(var.aws_ecr_additional_tags)) + db_proxy_tags = merge(local.default_tags, jsondecode(var.aws_db_proxy_additional_tags)) + redis_tags = merge(local.default_tags, jsondecode(var.aws_redis_additional_tags)) + waf_tags = merge(local.default_tags, jsondecode(var.aws_waf_additional_tags)) eks_vpc_tags = { // This is needed for k8s to use VPC resources 
@@ -718,10 +718,10 @@ locals { false ) create_efs = var.aws_efs_create == true ? true : (var.aws_efs_create_ha == true ? true : false) - ec2_public_endpoint = var.aws_ec2_instance_create ? ( module.ec2[0].instance_public_dns != null ? module.ec2[0].instance_public_dns : module.ec2[0].instance_public_ip ) : null - ec2_private_endpoint = var.aws_ec2_instance_create ? ( module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip ) : null - ec2_endpoint = var.aws_ec2_instance_create ? ( local.ec2_public_endpoint != null ? "http://${local.ec2_public_endpoint}" : "http://${local.ec2_private_endpoint}" ) : null - elb_url = try(module.aws_elb[0].aws_elb_dns_name,null ) != null ? "http://${module.aws_elb[0].aws_elb_dns_name}" : null + ec2_public_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_public_dns != null ? module.ec2[0].instance_public_dns : module.ec2[0].instance_public_ip) : null + ec2_private_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip) : null + ec2_endpoint = var.aws_ec2_instance_create ? (local.ec2_public_endpoint != null ? "http://${local.ec2_public_endpoint}" : "http://${local.ec2_private_endpoint}") : null + elb_url = try(module.aws_elb[0].aws_elb_dns_name, null) != null ? "http://${module.aws_elb[0].aws_elb_dns_name}" : null } # VPC 
@@ -736,22 +736,22 @@ output "aws_vpc_prefered_az" { # EC2 output "instance_public_dns" { description = "Public DNS address of the EC2 instance" - value = try(module.ec2[0].instance_public_dns,null) + value = try(module.ec2[0].instance_public_dns, null) } output "instance_public_ip" { description = "Public IP address of the EC2 instance" - value = try(module.ec2[0].instance_public_ip,null) + value = try(module.ec2[0].instance_public_ip, null) } output "instance_private_dns" { description = "Public DNS address of the EC2 instance" - value = try(module.ec2[0].instance_private_dns,null) + value = try(module.ec2[0].instance_private_dns, null) } output "instance_private_ip" { description = "Private IP address of the EC2 instance" - value = try(module.ec2[0].instance_private_ip,null) + value = try(module.ec2[0].instance_private_ip, null) } output "instance_endpoint" { 
@@ -761,138 +761,138 @@ output "instance_endpoint" { output "ec2_sg_id" { description = "SG ID for the EC2 instance" - value = try(module.ec2[0].aws_security_group_ec2_sg_id,null) + value = try(module.ec2[0].aws_security_group_ec2_sg_id, null) } output "aws_elb_dns_name" { description = "Public DNS address of the LB" - value = try(module.aws_elb[0].aws_elb_dns_name,null) + value = try(module.aws_elb[0].aws_elb_dns_name, null) } output "application_public_dns" { description = "Public DNS address for the application or load balancer public DNS" - value = try(module.aws_route53[0].vm_url,null) + value = try(module.aws_route53[0].vm_url, null) } output "vm_url" { - value = try(module.aws_route53[0].vm_url,local.elb_url) + value = try(module.aws_route53[0].vm_url, local.elb_url) } # EFS output "aws_efs_fs_id" { - value = try(module.efs[0].aws_efs_fs_id,null) + value = try(module.efs[0].aws_efs_fs_id, null) } output "aws_efs_replica_fs_id" { - value = try(module.efs[0].aws_efs_replica_fs_id,null) + value = try(module.efs[0].aws_efs_replica_fs_id, null) } output "aws_efs_sg_id" { - value = try(module.efs[0].aws_efs_sg_id,null) + value = try(module.efs[0].aws_efs_sg_id, null) } # Aurora output "aurora_db_endpoint" { - value = try(module.aurora_rds[0].aurora_db_endpoint,null) + value = try(module.aurora_rds[0].aurora_db_endpoint, null) } output "aurora_db_secret_details_name" { - value = try(module.aurora_rds[0].aurora_secret_name,null) + value = try(module.aurora_rds[0].aurora_secret_name, null) } output "aurora_db_sg_id" { - value = try(module.aurora_rds[0].aurora_sg_id,null) + value = try(module.aurora_rds[0].aurora_sg_id, null) } # Aurora Proxy output "aurora_proxy_endpoint" { - value = try(module.db_proxy_aurora[0].db_proxy_endpoint,null) + value = try(module.db_proxy_aurora[0].db_proxy_endpoint, null) } output "aurora_proxy_secret_name" { - value = try(module.db_proxy_aurora[0].db_proxy_secret_name,null) + value = try(module.db_proxy_aurora[0].db_proxy_secret_name, 
null) } output "aurora_proxy_sg_id" { - value = try(module.db_proxy_aurora[0].db_proxy_sg_id,null) + value = try(module.db_proxy_aurora[0].db_proxy_sg_id, null) } # RDS output "db_endpoint" { - value = try(module.rds[0].db_endpoint,null) + value = try(module.rds[0].db_endpoint, null) } output "db_secret_details_name" { - value = try(module.rds[0].db_secret_name,null) + value = try(module.rds[0].db_secret_name, null) } output "db_sg_id" { - value = try(module.rds[0].db_sg_id,null) + value = try(module.rds[0].db_sg_id, null) } # RDS Proxy output "db_proxy_rds_endpoint" { - value = try(module.db_proxy_rds[0].db_proxy_endpoint,null) + value = try(module.db_proxy_rds[0].db_proxy_endpoint, null) } output "db_proxy_secret_name_rds" { - value = try(module.db_proxy_rds[0].db_proxy_secret_name,null) + value = try(module.db_proxy_rds[0].db_proxy_secret_name, null) } output "db_proxy_sg_id_rds" { - value = try(module.db_proxy_rds[0].db_proxy_sg_id,null) + value = try(module.db_proxy_rds[0].db_proxy_sg_id, null) } # Proxy output "db_proxy_endpoint" { - value = try(module.db_proxy[0].db_proxy_endpoint,null) + value = try(module.db_proxy[0].db_proxy_endpoint, null) } output "db_proxy_secret_name" { - value = try(module.db_proxy[0].db_proxy_secret_name,null) + value = try(module.db_proxy[0].db_proxy_secret_name, null) } output "db_proxy_sg_id" { - value = try(module.db_proxy[0].db_proxy_sg_id,null) + value = try(module.db_proxy[0].db_proxy_sg_id, null) } # ECS output "ecs_dns_record" { - value = try(module.aws_route53_ecs[0].vm_url,null) + value = try(module.aws_route53_ecs[0].vm_url, null) } output "ecs_load_balancer_dns" { - value = try(module.aws_ecs[0].load_balancer_dns,null) + value = try(module.aws_ecs[0].load_balancer_dns, null) } output "ecs_sg_id" { - value = try(module.aws_ecs[0].ecs_sg.id,null) + value = try(module.aws_ecs[0].ecs_sg.id, null) } output "ecs_lb_sg_id" { - value = try(module.aws_ecs[0].ecs_lb_sg.id,null) + value = try(module.aws_ecs[0].ecs_lb_sg.id, null) 
} # Redis output "redis_secret_name" { - value = try(module.redis[0].redis_secret_name,null) + value = try(module.redis[0].redis_secret_name, null) } output "redis_endpoint" { - value = try(module.redis[0].redis_endpoint,null) + value = try(module.redis[0].redis_endpoint, null) } output "redis_connection_string_secret" { - value = try(module.redis[0].redis_connection_string_secret,null) + value = try(module.redis[0].redis_connection_string_secret, null) } output "redis_sg_id" { - value = try(module.redis[0].redis_sg_id,null) + value = try(module.redis[0].redis_sg_id, null) } # ECR output "ecr_repository_arn" { - value = try(module.aws_ecr[0].repository_arn,null) + value = try(module.aws_ecr[0].repository_arn, null) } output "ecr_repository_url" { - value = try(module.aws_ecr[0].repository_url,null) + value = try(module.aws_ecr[0].repository_url, null) } # EKS output "eks_cluster_name" { - value = try(module.eks[0].aws_eks_cluster_name,null) + value = try(module.eks[0].aws_eks_cluster_name, null) } output "eks_cluster_role_arn" { - value = try(module.eks[0].aws_eks_cluster_role_arn,null) + value = try(module.eks[0].aws_eks_cluster_role_arn, null) } \ No newline at end of file diff --git a/operations/deployment/terraform/modules/aws/ansible/aws_ansible_cloudwatch.tf b/operations/deployment/terraform/modules/aws/ansible/aws_ansible_cloudwatch.tf index edf9521e8..378dcd22f 100644 --- a/operations/deployment/terraform/modules/aws/ansible/aws_ansible_cloudwatch.tf +++ b/operations/deployment/terraform/modules/aws/ansible/aws_ansible_cloudwatch.tf @@ -7,9 +7,9 @@ resource "aws_cloudwatch_log_group" "cw_log_group" { } resource "local_file" "cloudwatch_docker_config" { - count = var.docker_cloudwatch_enable ? 1 : 0 + count = var.docker_cloudwatch_enable ? 1 : 0 filename = format("%s/%s", abspath(path.root), "bitovi-daemon.json") - content = <<-EOT + content = <<-EOT { "log-driver": "awslogs", "log-opts": { 
diff --git a/operations/deployment/terraform/modules/aws/ansible/aws_ansible_inventory.tf b/operations/deployment/terraform/modules/aws/ansible/aws_ansible_inventory.tf index f47bef07e..d6aad3b63 100644 --- a/operations/deployment/terraform/modules/aws/ansible/aws_ansible_inventory.tf +++ b/operations/deployment/terraform/modules/aws/ansible/aws_ansible_inventory.tf @@ -16,7 +16,7 @@ EOT } data "aws_efs_file_system" "mount_efs" { - count = var.aws_efs_enable ? 1 : 0 + count = var.aws_efs_enable ? 1 : 0 file_system_id = var.aws_efs_fs_id } diff --git a/operations/deployment/terraform/modules/aws/aurora/aws_aurora.tf b/operations/deployment/terraform/modules/aws/aurora/aws_aurora.tf index c8398dd5a..d8919f2e6 100644 --- a/operations/deployment/terraform/modules/aws/aurora/aws_aurora.tf +++ b/operations/deployment/terraform/modules/aws/aurora/aws_aurora.tf @@ -40,10 +40,10 @@ resource "aws_security_group_rule" "ingress_aurora_extras" { } locals { - aws_aurora_subnets = var.aws_aurora_subnets != "" ? [for n in split(",", var.aws_aurora_subnets) : (n)] : var.aws_subnets_vpc_subnets_ids - skip_snap = length(var.aws_aurora_database_final_snapshot) != "" ? false : true + aws_aurora_subnets = var.aws_aurora_subnets != "" ? [for n in split(",", var.aws_aurora_subnets) : (n)] : var.aws_subnets_vpc_subnets_ids + skip_snap = length(var.aws_aurora_database_final_snapshot) != "" ? false : true aws_aurora_cloudwatch_log_type = var.aws_aurora_cloudwatch_log_type != "" ? [for n in split(",", var.aws_aurora_cloudwatch_log_type) : n] : local.log_types - log_types = strcontains(var.aws_aurora_engine, "postgres") ? ["postgresql"] : strcontains(var.aws_aurora_engine, "mysql") ? ["audit","error","general","slowquery"] : [] + log_types = strcontains(var.aws_aurora_engine, "postgres") ? ["postgresql"] : strcontains(var.aws_aurora_engine, "mysql") ? ["audit", "error", "general", "slowquery"] : [] } resource "aws_db_subnet_group" "selected" { 
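Review bot: In the aurora `locals`, `skip_snap = length(var.aws_aurora_database_final_snapshot) != "" ? false : true` compares a number with the string `""`; Terraform treats values of different types as never equal, so this local does not track whether a final-snapshot name was supplied. The `aws_rds_cluster` resource further down appears to bypass it and evaluate `var.aws_aurora_database_final_snapshot != ""` directly, so either delete the local or make it agree: `skip_snap = var.aws_aurora_database_final_snapshot == ""`. Leaving an always-constant `skip_snap` around invites someone to wire it into `skip_final_snapshot` later and silently lose the final snapshot on destroy.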
@@ -56,54 +56,54 @@ resource "aws_db_subnet_group" "selected" { resource "aws_rds_cluster" "aurora" { # DB Parameters - cluster_identifier = var.aws_aurora_cluster_name != "" ? var.aws_aurora_cluster_name : var.aws_resource_identifier - engine = var.aws_aurora_engine - engine_version = var.aws_aurora_engine_version - engine_mode = var.aws_aurora_engine_mode != "" ? var.aws_aurora_engine_mode : null - availability_zones = var.aws_aurora_availability_zones != "" ? [var.aws_aurora_availability_zones] : [] - apply_immediately = var.aws_aurora_cluster_apply_immediately + cluster_identifier = var.aws_aurora_cluster_name != "" ? var.aws_aurora_cluster_name : var.aws_resource_identifier + engine = var.aws_aurora_engine + engine_version = var.aws_aurora_engine_version + engine_mode = var.aws_aurora_engine_mode != "" ? var.aws_aurora_engine_mode : null + availability_zones = var.aws_aurora_availability_zones != "" ? [var.aws_aurora_availability_zones] : [] + apply_immediately = var.aws_aurora_cluster_apply_immediately # Storage - allocated_storage = try(tonumber(var.aws_aurora_allocated_storage),null) - storage_encrypted = var.aws_aurora_storage_encrypted - kms_key_id = var.aws_aurora_kms_key_id - storage_type = var.aws_aurora_storage_type - iops = try(tonumber(var.aws_aurora_storage_iops),null) + allocated_storage = try(tonumber(var.aws_aurora_allocated_storage), null) + storage_encrypted = var.aws_aurora_storage_encrypted + kms_key_id = var.aws_aurora_kms_key_id + storage_type = var.aws_aurora_storage_type + iops = try(tonumber(var.aws_aurora_storage_iops), null) # DB Details database_name = var.aws_aurora_database_name master_username = var.aws_aurora_master_username master_password = sensitive(random_password.rds.result) iam_database_authentication_enabled = var.aws_aurora_iam_auth_enabled iam_roles = var.aws_aurora_iam_roles != "" ? [var.aws_aurora_iam_roles] : [] - db_cluster_parameter_group_name = strcontains(var.aws_aurora_engine, "mysql") ? 
aws_rds_cluster_parameter_group.mysql[0].name : strcontains(var.aws_aurora_engine, "postgres") ? aws_rds_cluster_parameter_group.postgresql[0].name : "" + db_cluster_parameter_group_name = strcontains(var.aws_aurora_engine, "mysql") ? aws_rds_cluster_parameter_group.mysql[0].name : strcontains(var.aws_aurora_engine, "postgres") ? aws_rds_cluster_parameter_group.postgresql[0].name : "" # Backup & Maint - enabled_cloudwatch_logs_exports = var.aws_aurora_cloudwatch_enable ? local.aws_aurora_cloudwatch_log_type : [] - backtrack_window = var.aws_aurora_backtrack_window - backup_retention_period = var.aws_aurora_backup_retention_period - preferred_backup_window = var.aws_aurora_backup_window - preferred_maintenance_window = var.aws_aurora_maintenance_window - deletion_protection = var.aws_aurora_deletion_protection - delete_automated_backups = var.aws_aurora_delete_auto_backups - final_snapshot_identifier = var.aws_aurora_database_final_snapshot != "" ? var.aws_aurora_database_final_snapshot : null - skip_final_snapshot = var.aws_aurora_database_final_snapshot != "" ? false : true - snapshot_identifier = var.aws_aurora_restore_snapshot_id + enabled_cloudwatch_logs_exports = var.aws_aurora_cloudwatch_enable ? local.aws_aurora_cloudwatch_log_type : [] + backtrack_window = var.aws_aurora_backtrack_window + backup_retention_period = var.aws_aurora_backup_retention_period + preferred_backup_window = var.aws_aurora_backup_window + preferred_maintenance_window = var.aws_aurora_maintenance_window + deletion_protection = var.aws_aurora_deletion_protection + delete_automated_backups = var.aws_aurora_delete_auto_backups + final_snapshot_identifier = var.aws_aurora_database_final_snapshot != "" ? var.aws_aurora_database_final_snapshot : null + skip_final_snapshot = var.aws_aurora_database_final_snapshot != "" ? 
false : true + snapshot_identifier = var.aws_aurora_restore_snapshot_id # Net - db_subnet_group_name = aws_db_subnet_group.selected.id - db_cluster_instance_class = var.aws_aurora_cluster_db_instance_class - vpc_security_group_ids = [aws_security_group.aurora_security_group.id] - port = var.aws_aurora_database_port + db_subnet_group_name = aws_db_subnet_group.selected.id + db_cluster_instance_class = var.aws_aurora_cluster_db_instance_class + vpc_security_group_ids = [aws_security_group.aurora_security_group.id] + port = var.aws_aurora_database_port # Extras performance_insights_enabled = var.aws_aurora_performance_insights_enable performance_insights_retention_period = var.aws_aurora_performance_insights_enable ? var.aws_aurora_performance_insights_retention : null performance_insights_kms_key_id = var.aws_aurora_performance_insights_enable ? var.aws_aurora_performance_insights_kms_key_id : null dynamic "restore_to_point_in_time" { - for_each = length(var.aws_aurora_restore_to_point_in_time) > 0 ? [var.aws_aurora_restore_to_point_in_time] : [] + for_each = length(var.aws_aurora_restore_to_point_in_time) > 0 ? [var.aws_aurora_restore_to_point_in_time] : [] - content { - restore_to_time = try(aws_aurora_restore_to_point_in_time.value.restore_to_time, null) - restore_type = try(aws_aurora_restore_to_point_in_time.value.restore_type, null) - source_cluster_identifier = aws_aurora_restore_to_point_in_time.value.source_cluster_identifier - use_latest_restorable_time = try(aws_aurora_restore_to_point_in_time.value.use_latest_restorable_time, null) - } + content { + restore_to_time = try(aws_aurora_restore_to_point_in_time.value.restore_to_time, null) + restore_type = try(aws_aurora_restore_to_point_in_time.value.restore_type, null) + source_cluster_identifier = aws_aurora_restore_to_point_in_time.value.source_cluster_identifier + use_latest_restorable_time = try(aws_aurora_restore_to_point_in_time.value.use_latest_restorable_time, null) + } } lifecycle { 
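Review bot: The `content` of `dynamic "restore_to_point_in_time"` reads `aws_aurora_restore_to_point_in_time.value.…`, but the block sets no `iterator`, so the iterator is named after the block itself (`restore_to_point_in_time.value`); as written, `aws_aurora_restore_to_point_in_time` should be parsed as a reference to an undeclared resource type and fail validation. Either rename the four references to `restore_to_point_in_time.value.<attr>` or add `iterator = aws_aurora_restore_to_point_in_time` beside `for_each`. Because `for_each` only yields an element when the variable is non-empty, this is most likely to surface for the user who actually asks for a point-in-time restore, which is the worst moment to discover it; the `lifecycle` block and the rest of the resource continue past this hunk.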
@@ -132,7 +132,7 @@ resource "aws_rds_cluster_instance" "cluster_instance" { ca_cert_identifier = var.aws_aurora_db_ca_cert_identifier preferred_maintenance_window = var.aws_aurora_db_maintenance_window } - + resource "aws_rds_cluster_parameter_group" "mysql" { count = strcontains(var.aws_aurora_engine, "mysql") ? 1 : 0 name = "${var.aws_resource_identifier}-mysql" @@ -140,9 +140,9 @@ resource "aws_rds_cluster_parameter_group" "mysql" { family = var.aws_aurora_database_group_family != "" ? var.aws_aurora_database_group_family : "${var.aws_aurora_engine}8.0" parameter { - name = "require_secure_transport" - value = "ON" - apply_method = "immediate" + name = "require_secure_transport" + value = "ON" + apply_method = "immediate" } lifecycle { create_before_destroy = true @@ -150,7 +150,7 @@ resource "aws_rds_cluster_parameter_group" "mysql" { } resource "aws_rds_cluster_parameter_group" "postgresql" { - count = strcontains(var.aws_aurora_engine, "postgres")? 1 : 0 + count = strcontains(var.aws_aurora_engine, "postgres") ? 1 : 0 name = "${var.aws_resource_identifier}-postgres" description = "${var.aws_resource_identifier} cluster parameter group" family = var.aws_aurora_database_group_family != "" ? var.aws_aurora_database_group_family : "${var.aws_aurora_engine}15" 
@@ -173,43 +173,43 @@ resource "aws_rds_cluster_parameter_group" "postgresql" { } resource "random_password" "rds" { - length = 10 + length = 10 special = false } // Creates a secret manager secret for the databse credentials resource "aws_secretsmanager_secret" "aurora_database_credentials" { - name = "${var.aws_resource_identifier_supershort}-aurora-${random_string.random_sm.result}" + name = "${var.aws_resource_identifier_supershort}-aurora-${random_string.random_sm.result}" } # Username and Password are repeated for compatibility with proxy and legacy code. resource "aws_secretsmanager_secret_version" "database_credentials_sm_secret_version_dev" { secret_id = aws_secretsmanager_secret.aurora_database_credentials.id secret_string = jsonencode({ - database_password = sensitive(aws_rds_cluster.aurora.master_password) - username = sensitive(aws_rds_cluster.aurora.master_username) - password = sensitive(aws_rds_cluster.aurora.master_password) - host = sensitive(aws_rds_cluster.aurora.endpoint) - port = sensitive(aws_rds_cluster.aurora.port) - database = sensitive(aws_rds_cluster.aurora.database_name == null ? "" : aws_rds_cluster.aurora.database_name) - engine = sensitive(local.dba_engine) - engine_version = sensitive(aws_rds_cluster.aurora.engine_version_actual) - DB_USER = sensitive(aws_rds_cluster.aurora.master_username) - DB_USERNAME = sensitive(aws_rds_cluster.aurora.master_username) - DB_PASSWORD = sensitive(aws_rds_cluster.aurora.master_password) - DB_HOST = sensitive(aws_rds_cluster.aurora.endpoint) - DB_PORT = sensitive(aws_rds_cluster.aurora.port) - DB_NAME = sensitive(aws_rds_cluster.aurora.database_name == null ? 
"" : aws_rds_cluster.aurora.database_name) - DB_ENGINE = sensitive(local.dba_engine) - DB_ENGINE_VERSION = sensitive(aws_rds_cluster.aurora.engine_version_actual) + database_password = sensitive(aws_rds_cluster.aurora.master_password) + username = sensitive(aws_rds_cluster.aurora.master_username) + password = sensitive(aws_rds_cluster.aurora.master_password) + host = sensitive(aws_rds_cluster.aurora.endpoint) + port = sensitive(aws_rds_cluster.aurora.port) + database = sensitive(aws_rds_cluster.aurora.database_name == null ? "" : aws_rds_cluster.aurora.database_name) + engine = sensitive(local.dba_engine) + engine_version = sensitive(aws_rds_cluster.aurora.engine_version_actual) + DB_USER = sensitive(aws_rds_cluster.aurora.master_username) + DB_USERNAME = sensitive(aws_rds_cluster.aurora.master_username) + DB_PASSWORD = sensitive(aws_rds_cluster.aurora.master_password) + DB_HOST = sensitive(aws_rds_cluster.aurora.endpoint) + DB_PORT = sensitive(aws_rds_cluster.aurora.port) + DB_NAME = sensitive(aws_rds_cluster.aurora.database_name == null ? "" : aws_rds_cluster.aurora.database_name) + DB_ENGINE = sensitive(local.dba_engine) + DB_ENGINE_VERSION = sensitive(aws_rds_cluster.aurora.engine_version_actual) }) } resource "random_string" "random_sm" { - length = 5 - lower = true - special = false - numeric = false + length = 5 + lower = true + special = false + numeric = false } resource "aws_cloudwatch_log_group" "logs" { @@ -219,7 +219,7 @@ resource "aws_cloudwatch_log_group" "logs" { ### All of this added to handle snapshots resource "aws_db_cluster_snapshot" "db_snapshot" { - count = var.aws_aurora_snapshot_name != "" ? ( var.aws_aurora_snapshot_overwrite ? 0 : 1 ) : 0 + count = var.aws_aurora_snapshot_name != "" ? (var.aws_aurora_snapshot_overwrite ? 0 : 1) : 0 db_cluster_identifier = aws_rds_cluster.aurora.cluster_identifier db_cluster_snapshot_identifier = var.aws_aurora_snapshot_name lifecycle { 
@@ -228,7 +228,7 @@ resource "aws_db_cluster_snapshot" "db_snapshot" {
 }
 resource "aws_db_cluster_snapshot" "overwrite_db_snapshot" {
- count = var.aws_aurora_snapshot_name != "" ? ( var.aws_aurora_snapshot_overwrite ? 1 : 0 ) : 0
+ count = var.aws_aurora_snapshot_name != "" ? (var.aws_aurora_snapshot_overwrite ? 1 : 0) : 0
 db_cluster_identifier = aws_rds_cluster.aurora.cluster_identifier
 db_cluster_snapshot_identifier = var.aws_aurora_snapshot_name
 lifecycle {
@@ -262,5 +262,5 @@ output "random_string" {
 }
 output "aurora_sg_id" {
- value = aws_security_group.aurora_security_group.id
+ value = aws_security_group.aurora_security_group.id
 }
\ No newline at end of file
diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf
index 70999b574..96e20e67b 100644
--- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf
+++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf
@@ -9,7 +9,7 @@ data "aws_acm_certificate" "issued" {
 for_each = local.is_enabled_and_valid ? {
 "domain" : var.aws_r53_domain_name,
 "wildcard" : "*.${var.aws_r53_domain_name}"
- "sub": "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}"
+ "sub" : "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}"
 } : {}
 domain = var.aws_r53_domain_name
 }
@@ -41,13 +41,13 @@ resource "aws_acm_certificate_validation" "root_domain" { # This block will create and validate the sub domain cert ONLY resource "aws_acm_certificate" "sub_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1 ) : 0) : 0) : 0) :0 + count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0) : 0 domain_name = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" validation_method = "DNS" } resource "aws_route53_record" "sub_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1 ) : 0) : 0) : 0) :0 + count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0) : 0 allow_overwrite = true name = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_value] @@ -57,7 +57,7 @@ resource "aws_route53_record" "sub_domain" { } resource "aws_acm_certificate_validation" "sub_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) :0 + count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0 certificate_arn = aws_acm_certificate.sub_domain[0].arn validation_record_fqdns = [for record in aws_route53_record.sub_domain : record.fqdn] } 
@@ -65,14 +65,14 @@ resource "aws_acm_certificate_validation" "sub_domain" { locals { is_enabled_and_valid = var.aws_r53_domain_name != "" ? true : false selected_arn = ( - local.is_enabled_and_valid ? + local.is_enabled_and_valid ? (var.aws_r53_cert_arn != "" ? var.aws_r53_cert_arn : (!var.aws_r53_create_root_cert ? (!var.aws_r53_create_sub_cert ? (var.fqdn_provided ? local.acm_arn : "") : aws_acm_certificate.sub_domain[0].arn ) : aws_acm_certificate.root_domain[0].arn - ) + ) ) : "" ) cert_available = ( diff --git a/operations/deployment/terraform/modules/aws/db_proxy/aws_db_proxy.tf b/operations/deployment/terraform/modules/aws/db_proxy/aws_db_proxy.tf index 97e6b12ef..91a3ffca1 100644 --- a/operations/deployment/terraform/modules/aws/db_proxy/aws_db_proxy.tf +++ b/operations/deployment/terraform/modules/aws/db_proxy/aws_db_proxy.tf @@ -37,12 +37,12 @@ locals { } data "aws_db_instance" "db" { - count = var.aws_db_proxy_cluster ? 0 : 1 + count = var.aws_db_proxy_cluster ? 0 : 1 db_instance_identifier = var.aws_db_proxy_database_id } data "aws_rds_cluster" "db" { - count = var.aws_db_proxy_cluster ? 1 : 0 + count = var.aws_db_proxy_cluster ? 1 : 0 cluster_identifier = var.aws_db_proxy_database_id } 
@@ -59,14 +59,14 @@ resource "aws_db_proxy" "rds_proxy" {
 vpc_subnet_ids = var.aws_selected_subnets
 auth {
- auth_scheme = "SECRETS"
+ auth_scheme = "SECRETS"
 client_password_auth_type = var.aws_db_proxy_client_password_auth_type != "" ? var.aws_db_proxy_client_password_auth_type : local.auth_selected
- description = "RDS Proxy for master user"
- iam_auth = "DISABLED"
- secret_arn = data.aws_secretsmanager_secret_version.database_credentials.arn
+ description = "RDS Proxy for master user"
+ iam_auth = "DISABLED"
+ secret_arn = data.aws_secretsmanager_secret_version.database_credentials.arn
 }
 lifecycle {
- ignore_changes = [ debug_logging,engine_family,vpc_subnet_ids ] # Need this to avoid recreation each time.
+ ignore_changes = [debug_logging, engine_family, vpc_subnet_ids] # Need this to avoid recreation each time.
 }
 }
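Review bot: `iam_auth = "DISABLED"` remains a hard-coded literal in the proxy's `auth` block, so every client must present the static master password held in the referenced secret and no deployment can opt into IAM database authentication (short-lived, identity-bound tokens) without editing the module; the hunk only re-aligns the line. The neighbouring `client_password_auth_type` already shows the module's convention of an overridable variable with a built-in fallback, and the same shape keeps existing callers on today's behaviour: `iam_auth = var.aws_db_proxy_iam_auth != "" ? var.aws_db_proxy_iam_auth : "DISABLED"`, with a new string variable `aws_db_proxy_iam_auth` defaulting to `""` in the module's variables file. Note that enabling it also requires `require_tls = true` on the proxy and IAM policy changes for the clients, which should be mentioned in the variable's description. The `aws_db_proxy` resource starts outside this hunk.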
@@ -77,57 +77,57 @@ resource "aws_db_proxy_default_target_group" "default" { connection_borrow_timeout = 120 max_connections_percent = 100 max_idle_connections_percent = 50 - } + } } resource "aws_db_proxy_target" "db_instance" { - count = var.aws_db_proxy_cluster ? 0 : 1 + count = var.aws_db_proxy_cluster ? 0 : 1 db_instance_identifier = data.aws_db_instance.db[0].id db_proxy_name = aws_db_proxy.rds_proxy[0].name target_group_name = aws_db_proxy_default_target_group.default.name lifecycle { - ignore_changes = [ db_instance_identifier ] - replace_triggered_by = [ data.aws_db_instance.db ] + ignore_changes = [db_instance_identifier] + replace_triggered_by = [data.aws_db_instance.db] } - depends_on = [ aws_db_proxy.rds_proxy ] + depends_on = [aws_db_proxy.rds_proxy] } resource "aws_db_proxy_target" "db_cluster" { - count = var.aws_db_proxy_cluster ? 1 : 0 - db_cluster_identifier = data.aws_rds_cluster.db[0].id - db_proxy_name = aws_db_proxy.rds_proxy[0].name - target_group_name = aws_db_proxy_default_target_group.default.name + count = var.aws_db_proxy_cluster ? 1 : 0 + db_cluster_identifier = data.aws_rds_cluster.db[0].id + db_proxy_name = aws_db_proxy.rds_proxy[0].name + target_group_name = aws_db_proxy_default_target_group.default.name lifecycle { - ignore_changes = [ db_instance_identifier ] - replace_triggered_by = [ data.aws_rds_cluster.db ] + ignore_changes = [db_instance_identifier] + replace_triggered_by = [data.aws_rds_cluster.db] } - depends_on = [ aws_db_proxy.rds_proxy ] + depends_on = [aws_db_proxy.rds_proxy] } // Creates a secret manager secret for the databse credentials resource "aws_secretsmanager_secret" "proxy_credentials" { - name = "${var.aws_resource_identifier_supershort}-proxy-${local.random_string}" + name = "${var.aws_resource_identifier_supershort}-proxy-${local.random_string}" } # Username and Password are repeated for compatibility with proxy and legacy code. 
resource "aws_secretsmanager_secret_version" "database_credentials_sm_secret_version_dev" { secret_id = aws_secretsmanager_secret.proxy_credentials.id secret_string = jsonencode({ - username = sensitive(try(local.secret_json.DB_USER,local.secret_json.DB_USERNAME,local.secret_json.username)) - password = sensitive(try(local.secret_json.DB_PASS,local.secret_json.DB_PASSWORD,local.secret_json.password)) - host = sensitive(aws_db_proxy.rds_proxy[0].endpoint) - port = sensitive(try(local.secret_json.DB_PORT,local.secret_json.port)) - database = sensitive(try(local.secret_json.DB_NAME,local.secret_json.database)) - engine = sensitive(try(local.secret_json.DB_ENGINE,local.secret_json.engine)) - engine_version = sensitive(try(local.secret_json.DB_ENGINE_VERSION,local.secret_json.engine_version)) - DB_USER = sensitive(try(local.secret_json.DB_USER,local.secret_json.DB_USERNAME,local.secret_json.username)) - DB_USERNAME = sensitive(try(local.secret_json.DB_USER,local.secret_json.DB_USERNAME,local.secret_json.username)) - DB_PASSWORD = sensitive(try(local.secret_json.DB_PASS,local.secret_json.DB_PASSWORD,local.secret_json.password)) - DB_HOST = sensitive(aws_db_proxy.rds_proxy[0].endpoint) - DB_PORT = sensitive(try(local.secret_json.DB_PORT,local.secret_json.port)) - DB_NAME = sensitive(try(local.secret_json.DB_NAME,local.secret_json.database)) - DB_ENGINE = sensitive(try(local.secret_json.DB_ENGINE,local.secret_json.engine)) - DB_ENGINE_VERSION = sensitive(try(local.secret_json.DB_ENGINE_VERSION,local.secret_json.engine_version)) + username = sensitive(try(local.secret_json.DB_USER, local.secret_json.DB_USERNAME, local.secret_json.username)) + password = sensitive(try(local.secret_json.DB_PASS, local.secret_json.DB_PASSWORD, local.secret_json.password)) + host = sensitive(aws_db_proxy.rds_proxy[0].endpoint) + port = sensitive(try(local.secret_json.DB_PORT, local.secret_json.port)) + database = sensitive(try(local.secret_json.DB_NAME, local.secret_json.database)) + engine = 
sensitive(try(local.secret_json.DB_ENGINE, local.secret_json.engine)) + engine_version = sensitive(try(local.secret_json.DB_ENGINE_VERSION, local.secret_json.engine_version)) + DB_USER = sensitive(try(local.secret_json.DB_USER, local.secret_json.DB_USERNAME, local.secret_json.username)) + DB_USERNAME = sensitive(try(local.secret_json.DB_USER, local.secret_json.DB_USERNAME, local.secret_json.username)) + DB_PASSWORD = sensitive(try(local.secret_json.DB_PASS, local.secret_json.DB_PASSWORD, local.secret_json.password)) + DB_HOST = sensitive(aws_db_proxy.rds_proxy[0].endpoint) + DB_PORT = sensitive(try(local.secret_json.DB_PORT, local.secret_json.port)) + DB_NAME = sensitive(try(local.secret_json.DB_NAME, local.secret_json.database)) + DB_ENGINE = sensitive(try(local.secret_json.DB_ENGINE, local.secret_json.engine)) + DB_ENGINE_VERSION = sensitive(try(local.secret_json.DB_ENGINE_VERSION, local.secret_json.engine_version)) }) } @@ -147,10 +147,10 @@ resource "aws_security_group" "sg_rds_proxy" { vpc_id = var.aws_selected_vpc_id egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } } @@ -180,14 +180,14 @@ resource "aws_security_group_rule" "sg_rds_proxy_extras" { # Proxy SG incoming from 0.0.0.0 resource "aws_security_group_rule" "sg_rds_proxy_outside" { - count = var.aws_db_proxy_allow_all_incoming ? 1 : 0 - type = "ingress" - description = "${var.aws_resource_identifier} - RDS All internal" - from_port = local.db_port - to_port = local.db_port - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = aws_security_group.sg_rds_proxy.id + count = var.aws_db_proxy_allow_all_incoming ? 1 : 0 + type = "ingress" + description = "${var.aws_resource_identifier} - RDS All internal" + from_port = local.db_port + to_port = local.db_port + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.sg_rds_proxy.id } locals { 
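Review bot: `sg_rds_proxy_outside` still admits the database port from `0.0.0.0/0` while its description says "RDS All internal", so anyone auditing the security group in the console reads the opposite of what the rule does; this hunk only re-aligns the attributes. RDS Proxy endpoints resolve to private VPC addresses, so the practical reach is every network routed into the VPC (peering, VPN, Transit Gateway) rather than the open internet, but the rule still admits all of it, and with `iam_auth = "DISABLED"` in the proxy's auth block above a password is the only thing the proxy asks of a client. At minimum make the description truthful, `description = "${var.aws_resource_identifier} - RDS proxy ingress from any address (aws_db_proxy_allow_all_incoming)"`, and consider letting callers narrow the source, e.g. `cidr_blocks = length(var.aws_db_proxy_allowed_cidrs) > 0 ? var.aws_db_proxy_allowed_cidrs : ["0.0.0.0/0"]` with a new list variable defaulting to `[]` so current behaviour is unchanged.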
@@ -225,7 +225,7 @@ resource "aws_iam_role" "rds_proxy" { } resource "aws_iam_policy" "rds_proxy_iam" { - name = "${var.aws_resource_identifier}-RdsProxySecretsManager" + name = "${var.aws_resource_identifier}-RdsProxySecretsManager" policy = < 0 ? [ + "name" : var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}", + "image" : local.aws_ecs_app_image[count.index], + "cpu" : local.aws_ecs_container_cpu[count.index], + "memory" : local.aws_ecs_container_mem[count.index], + "essential" : true, + "networkMode" : "awsvpc", + "portMappings" : length(local.aws_ecs_container_port) > 0 ? [ { - "name": "port-${local.aws_ecs_container_port[count.index]}", - "containerPort": tonumber(local.aws_ecs_container_port[count.index]), - "hostPort": tonumber(local.aws_ecs_container_port[count.index]), - "protocol": "tcp", - "appProtocol": "http" + "name" : "port-${local.aws_ecs_container_port[count.index]}", + "containerPort" : tonumber(local.aws_ecs_container_port[count.index]), + "hostPort" : tonumber(local.aws_ecs_container_port[count.index]), + "protocol" : "tcp", + "appProtocol" : "http" } ] : [] - "environment": local.env_repo_vars, - "logConfiguration": var.aws_ecs_cloudwatch_enable ? { - "logDriver": "awslogs", - "options": { - "awslogs-create-group": "true", - "awslogs-region": var.aws_region_current_name, - "awslogs-group": var.aws_ecs_cloudwatch_lg_name, - "awslogs-stream-prefix": aws_ecs_cluster.cluster.name + "environment" : local.env_repo_vars, + "logConfiguration" : var.aws_ecs_cloudwatch_enable ? { + "logDriver" : "awslogs", + "options" : { + "awslogs-create-group" : "true", + "awslogs-region" : var.aws_region_current_name, + "awslogs-group" : var.aws_ecs_cloudwatch_lg_name, + "awslogs-stream-prefix" : aws_ecs_cluster.cluster.name } - } : null + } : null } ] ) 
@@ -76,7 +76,7 @@ resource "aws_ecs_task_definition" "ecs_task" { resource "aws_ecs_task_definition" "ecs_task_from_json" { count = var.aws_ecs_task_ignore_definition ? 0 : length(local.aws_ecs_task_json_definition_file) - family = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index + length(local.aws_ecs_app_image)] : "${local.aws_ecs_task_name[count.index + length(local.aws_ecs_app_image)]}${count.index+length(local.aws_ecs_app_image)}" + family = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index + length(local.aws_ecs_app_image)] : "${local.aws_ecs_task_name[count.index + length(local.aws_ecs_app_image)]}${count.index + length(local.aws_ecs_app_image)}" network_mode = local.aws_ecs_task_network_mode[count.index + length(local.aws_ecs_app_image)] requires_compatibilities = [local.aws_ecs_task_type[count.index + length(local.aws_ecs_app_image)]] cpu = local.aws_ecs_task_cpu[count.index + length(local.aws_ecs_app_image)] 
@@ -87,21 +87,21 @@ resource "aws_ecs_task_definition" "ecs_task_from_json" { resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" { count = var.aws_ecs_task_ignore_definition ? 1 : 0 - family = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}" + family = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}" network_mode = local.aws_ecs_task_network_mode[count.index] requires_compatibilities = [local.aws_ecs_task_type[count.index]] cpu = local.aws_ecs_task_cpu[count.index] memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole - container_definitions = sensitive(jsonencode([ + container_definitions = sensitive(jsonencode([ { - "name": var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}", - "image": "nginx:alpine", - "essential": true, - "portMappings": [ + "name" : var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}", + "image" : "nginx:alpine", + "essential" : true, + "portMappings" : [ { - "containerPort": 80, - "protocol": "tcp" + "containerPort" : 80, + "protocol" : "tcp" } ] } 
@@ -112,13 +112,13 @@ resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" { } resource "aws_ecs_service" "ecs_service" { - count = var.aws_ecs_task_ignore_definition ? 0 : local.tasks_count - name = var.aws_ecs_service_name != "" ? "${var.aws_ecs_service_name}${count.index}" : "${var.aws_resource_identifier}-${count.index}-service" - cluster = aws_ecs_cluster.cluster.id - task_definition = local.tasks_arns[count.index] + count = var.aws_ecs_task_ignore_definition ? 0 : local.tasks_count + name = var.aws_ecs_service_name != "" ? "${var.aws_ecs_service_name}${count.index}" : "${var.aws_resource_identifier}-${count.index}-service" + cluster = aws_ecs_cluster.cluster.id + task_definition = local.tasks_arns[count.index] - desired_count = local.aws_ecs_node_count[count.index] - launch_type = var.aws_ecs_service_launch_type + desired_count = local.aws_ecs_node_count[count.index] + launch_type = var.aws_ecs_service_launch_type network_configuration { security_groups = [aws_security_group.ecs_sg.id] 
@@ -139,13 +139,13 @@ resource "aws_ecs_service" "ecs_service" { } resource "aws_ecs_service" "ecs_service_ignore_definition" { - count = var.aws_ecs_task_ignore_definition ? 1 : 0 - name = var.aws_ecs_service_name != "" ? "${var.aws_ecs_service_name}${count.index}" : "${var.aws_resource_identifier}-${count.index}-service" - cluster = aws_ecs_cluster.cluster.id - task_definition = aws_ecs_task_definition.aws_ecs_task_ignore_definition[0].arn + count = var.aws_ecs_task_ignore_definition ? 1 : 0 + name = var.aws_ecs_service_name != "" ? "${var.aws_ecs_service_name}${count.index}" : "${var.aws_resource_identifier}-${count.index}-service" + cluster = aws_ecs_cluster.cluster.id + task_definition = aws_ecs_task_definition.aws_ecs_task_ignore_definition[0].arn - desired_count = local.aws_ecs_node_count[count.index] - launch_type = var.aws_ecs_service_launch_type + desired_count = local.aws_ecs_node_count[count.index] + launch_type = var.aws_ecs_service_launch_type network_configuration { security_groups = [aws_security_group.ecs_sg.id] diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_autoscaling.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_autoscaling.tf index fe06fe3a5..583c991cb 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_autoscaling.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_autoscaling.tf 
@@ -11,8 +11,8 @@ resource "aws_appautoscaling_target" "ecs_target" { locals { aws_ecs_autoscaling_max_nodes = var.aws_ecs_autoscaling_max_nodes != "" ? [for n in split(",", var.aws_ecs_autoscaling_max_nodes) : tonumber(n)] : [for _ in range(local.tasks_count) : 2] aws_ecs_autoscaling_min_nodes = var.aws_ecs_autoscaling_min_nodes != "" ? [for n in split(",", var.aws_ecs_autoscaling_min_nodes) : tonumber(n)] : [for _ in range(local.tasks_count) : 1] - aws_ecs_autoscaling_max_mem = var.aws_ecs_autoscaling_max_mem != "" ? [for n in split(",", var.aws_ecs_autoscaling_max_mem) : tonumber(n)] : [for _ in range(local.tasks_count) : 80] - aws_ecs_autoscaling_max_cpu = var.aws_ecs_autoscaling_max_cpu != "" ? [for n in split(",", var.aws_ecs_autoscaling_max_cpu) : tonumber(n)] : [for _ in range(local.tasks_count) : 80] + aws_ecs_autoscaling_max_mem = var.aws_ecs_autoscaling_max_mem != "" ? [for n in split(",", var.aws_ecs_autoscaling_max_mem) : tonumber(n)] : [for _ in range(local.tasks_count) : 80] + aws_ecs_autoscaling_max_cpu = var.aws_ecs_autoscaling_max_cpu != "" ? [for n in split(",", var.aws_ecs_autoscaling_max_cpu) : tonumber(n)] : [for _ in range(local.tasks_count) : 80] } resource "aws_appautoscaling_policy" "ecs_policy_memory" { diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf index ca1832646..515e305f8 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf 
@@ -1,9 +1,9 @@ locals { - aws_ecs_container_port = var.aws_ecs_container_port != "" ? [for n in split(",", var.aws_ecs_container_port) : tonumber(n)] : var.aws_ecs_task_ignore_definition ? [80] : [] - aws_ecs_sg_container_port = distinct(local.aws_ecs_container_port) - aws_ecs_lb_port = var.aws_ecs_lb_port != "" ? [for n in split(",", var.aws_ecs_lb_port) : tonumber(n)] : local.aws_ecs_container_port - aws_ecs_sg_lb_port = distinct(local.aws_ecs_lb_port) - aws_ecs_lb_container_path = var.aws_ecs_lb_container_path != "" ? [for n in split(",", var.aws_ecs_lb_container_path) : n ] : [] + aws_ecs_container_port = var.aws_ecs_container_port != "" ? [for n in split(",", var.aws_ecs_container_port) : tonumber(n)] : var.aws_ecs_task_ignore_definition ? [80] : [] + aws_ecs_sg_container_port = distinct(local.aws_ecs_container_port) + aws_ecs_lb_port = var.aws_ecs_lb_port != "" ? [for n in split(",", var.aws_ecs_lb_port) : tonumber(n)] : local.aws_ecs_container_port + aws_ecs_sg_lb_port = distinct(local.aws_ecs_lb_port) + aws_ecs_lb_container_path = var.aws_ecs_lb_container_path != "" ? [for n in split(",", var.aws_ecs_lb_container_path) : n] : [] aws_ecs_lb_container_path_redirect = length(aws_alb_listener.https_redirect) > 0 || length(aws_alb_listener.http_redirect) > 0 ? local.aws_ecs_lb_container_path : [] } @@ -60,7 +60,7 @@ resource "aws_alb_target_group" "lb_targets" { vpc_id = var.aws_selected_vpc_id target_type = "ip" - lifecycle { + lifecycle { replace_triggered_by = [aws_security_group.ecs_sg.id] } } 
@@ -79,9 +79,9 @@ resource "aws_alb_listener" "lb_listener_ssl" { load_balancer_arn = aws_alb.ecs_lb[0].id port = local.aws_ecs_lb_port[count.index] # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html - ssl_policy = var.aws_ecs_lb_ssl_policy - protocol = "HTTPS" - certificate_arn = var.aws_certificates_selected_arn + ssl_policy = var.aws_ecs_lb_ssl_policy + protocol = "HTTPS" + certificate_arn = var.aws_certificates_selected_arn default_action { target_group_arn = aws_alb_target_group.lb_targets[count.index].id type = "forward" @@ -89,7 +89,7 @@ resource "aws_alb_listener" "lb_listener_ssl" { lifecycle { replace_triggered_by = [null_resource.http_redirect_dep.id] } - depends_on = [ aws_alb_listener.http_redirect ] + depends_on = [aws_alb_listener.http_redirect] } resource "aws_alb_listener" "lb_listener" { @@ -104,11 +104,11 @@ resource "aws_alb_listener" "lb_listener" { lifecycle { replace_triggered_by = [null_resource.http_redirect_dep.id] } - depends_on = [ aws_alb_listener.http_redirect ] + depends_on = [aws_alb_listener.http_redirect] } resource "aws_alb_listener_rule" "redirect_based_on_path" { - for_each = { for idx, path in local.aws_ecs_lb_container_path : idx => path if length(path) > 0 } + for_each = { for idx, path in local.aws_ecs_lb_container_path : idx => path if length(path) > 0 } listener_arn = var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].arn : aws_alb_listener.lb_listener[0].arn action { @@ -124,7 +124,7 @@ resource "aws_alb_listener_rule" "redirect_based_on_path" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,80) && var.aws_certificate_enabled ? 1 : 0 + count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port, 80) && var.aws_certificate_enabled ? 1 : 0 load_balancer_arn = aws_alb.ecs_lb[0].id port = "80" protocol = "HTTP" 
@@ -145,7 +145,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,80) && !var.aws_certificate_enabled && !var.aws_ecs_lb_www_to_apex_redirect ? 1 : 0 + count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port, 80) && !var.aws_certificate_enabled && !var.aws_ecs_lb_www_to_apex_redirect ? 1 : 0 load_balancer_arn = aws_alb.ecs_lb[0].id port = "80" protocol = "HTTP" @@ -171,7 +171,7 @@ resource "aws_security_group_rule" "incoming_alb_http" { } resource "aws_alb_listener" "https_redirect" { - count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,443) && var.aws_certificate_enabled ? 1 : 0 + count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port, 443) && var.aws_certificate_enabled ? 1 : 0 #count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,443) ? var.aws_certificates_selected_arn != "" ? 1 : 0 : 0 #count = var.aws_ecs_lb_redirect_enable && var.aws_certificates_selected_arn != "" && !contains(local.aws_ecs_lb_port,443) ? 1 : 0 load_balancer_arn = aws_alb.ecs_lb[0].id @@ -207,14 +207,14 @@ resource "aws_alb_listener_rule" "redirect_based_on_path_for_http" { } resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,80) && !var.aws_certificate_enabled && var.aws_ecs_lb_www_to_apex_redirect ? 1 : 0 + count = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port, 80) && !var.aws_certificate_enabled && var.aws_ecs_lb_www_to_apex_redirect ? 1 : 0 load_balancer_arn = aws_alb.ecs_lb[0].id port = "80" protocol = "HTTP" default_action { type = "fixed-response" - + fixed_response { content_type = "text/plain" message_body = "Not Found" 
@@ -285,9 +285,9 @@ resource "aws_security_group" "ecs_lb_sg" { vpc_id = var.aws_selected_vpc_id egress { - from_port = 0 - to_port = 0 - protocol = "-1" + from_port = 0 + to_port = 0 + protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { @@ -296,12 +296,12 @@ resource "aws_security_group" "ecs_lb_sg" { } resource "aws_security_group_rule" "incoming_ecs_lb_ports" { - count = length(local.aws_ecs_sg_lb_port) - type = "ingress" - from_port = local.aws_ecs_sg_lb_port[count.index] - to_port = local.aws_ecs_sg_lb_port[count.index] - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] + count = length(local.aws_ecs_sg_lb_port) + type = "ingress" + from_port = local.aws_ecs_sg_lb_port[count.index] + to_port = local.aws_ecs_sg_lb_port[count.index] + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] security_group_id = aws_security_group.ecs_lb_sg.id } diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_read_envs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_read_envs.tf index f3dce0eec..4452e76d4 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_read_envs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_read_envs.tf 
@@ -6,30 +6,30 @@ locals { } data "local_file" "env_repo_file" { - count = fileexists(local.env_repo_file) ? 1 : 0 - filename = local.env_repo_file + count = fileexists(local.env_repo_file) ? 1 : 0 + filename = local.env_repo_file } data "local_file" "env_ghv_file" { - count = fileexists(local.env_ghv_file) ? 1 : 0 - filename = local.env_ghv_file + count = fileexists(local.env_ghv_file) ? 1 : 0 + filename = local.env_ghv_file } data "local_file" "env_ghs_file" { - count = fileexists(local.env_ghs_file) ? 1 : 0 - filename = local.env_ghs_file + count = fileexists(local.env_ghs_file) ? 1 : 0 + filename = local.env_ghs_file } data "local_file" "env_aws_file" { - count = fileexists(local.env_aws_file) ? 1 : 0 - filename = local.env_aws_file + count = fileexists(local.env_aws_file) ? 1 : 0 + filename = local.env_aws_file } locals { repo_content = length(data.local_file.env_repo_file) == 0 ? null : data.local_file.env_repo_file[0].content - ghv_content = length(data.local_file.env_ghv_file) == 0 ? null : data.local_file.env_ghv_file[0].content - ghs_content = length(data.local_file.env_ghs_file) == 0 ? null : data.local_file.env_ghs_file[0].content - aws_content = length(data.local_file.env_aws_file) == 0 ? null : data.local_file.env_aws_file[0].content + ghv_content = length(data.local_file.env_ghv_file) == 0 ? null : data.local_file.env_ghv_file[0].content + ghs_content = length(data.local_file.env_ghs_file) == 0 ? null : data.local_file.env_ghs_file[0].content + aws_content = length(data.local_file.env_aws_file) == 0 ? null : data.local_file.env_aws_file[0].content merged_content = join("\n", [ for content in [ @@ -45,5 +45,5 @@ locals { name = key value = value } - ] + ] } \ No newline at end of file diff --git a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf index 5445c5fac..b1c90cb0d 100644 --- a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf 
+++ b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf @@ -1,6 +1,6 @@ locals { # replica_destination: Checks whether a replica destination exists otherwise sets a default - replica_destination = var.aws_efs_replication_destination != "" ? var.aws_efs_replication_destination : data.aws_region.current.name + replica_destination = var.aws_efs_replication_destination != "" ? var.aws_efs_replication_destination : data.aws_region.current.name } data "aws_region" "current" {} @@ -12,7 +12,7 @@ resource "aws_efs_file_system" "efs" { # File system creation_token = "${var.aws_resource_identifier}-vol" encrypted = var.aws_efs_vol_encrypted - kms_key_id = var.aws_efs_kms_key_id + kms_key_id = var.aws_efs_kms_key_id performance_mode = var.aws_efs_performance_mode throughput_mode = var.aws_efs_throughput_mode @@ -37,7 +37,7 @@ resource "aws_efs_backup_policy" "efs_policy" { } data "aws_efs_file_system" "efs" { - file_system_id = var.aws_efs_create ? aws_efs_file_system.efs[0].id : var.aws_efs_fs_id + file_system_id = var.aws_efs_create ? aws_efs_file_system.efs[0].id : var.aws_efs_fs_id } resource "aws_efs_mount_target" "efs_mount_target" { @@ -45,7 +45,7 @@ resource "aws_efs_mount_target" "efs_mount_target" { file_system_id = var.aws_efs_create ? aws_efs_file_system.efs[0].id : var.aws_efs_fs_id subnet_id = local.aws_efs_subnets[count.index] security_groups = [aws_security_group.efs_security_group[0].id] - depends_on = [ aws_efs_file_system.efs ] + depends_on = [aws_efs_file_system.efs] } resource "aws_efs_replication_configuration" "efs_rep_config" { @@ -65,10 +65,10 @@ resource "aws_security_group" "efs_security_group" { description = "SG for ${var.aws_resource_identifier} - EFS" vpc_id = var.aws_selected_vpc_id egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "${var.aws_resource_identifier}-efs" 
@@ -88,7 +88,7 @@ resource "aws_security_group_rule" "ingress_efs" { locals { aws_efs_allowed_security_groups = var.aws_efs_allowed_security_groups != null ? [for n in split(",", var.aws_efs_allowed_security_groups) : n] : [] - aws_efs_subnets = var.aws_efs_create_ha ? data.aws_subnets.selected_vpc_id[0].ids : [var.aws_selected_subnet_id] + aws_efs_subnets = var.aws_efs_create_ha ? data.aws_subnets.selected_vpc_id[0].ids : [var.aws_selected_subnet_id] } resource "aws_security_group_rule" "ingress_efs_extras" { @@ -105,7 +105,7 @@ resource "aws_security_group_rule" "ingress_efs_extras" { ###### # Data sources from selected (Coming from VPC module) -data "aws_subnets" "selected_vpc_id" { +data "aws_subnets" "selected_vpc_id" { count = var.aws_selected_vpc_id != null ? 1 : 0 filter { name = "vpc-id" @@ -123,9 +123,9 @@ output "aws_efs_fs_id" { } output "aws_efs_replica_fs_id" { - value = try(aws_efs_replication_configuration.efs_rep_config[0].destination[0].file_system_id,null) + value = try(aws_efs_replication_configuration.efs_rep_config[0].destination[0].file_system_id, null) } output "aws_efs_sg_id" { - value = try(aws_security_group.efs_security_group[0].id,null) + value = try(aws_security_group.efs_security_group[0].id, null) } \ No newline at end of file diff --git a/operations/deployment/terraform/modules/aws/eks/aws_eks_cluster.tf b/operations/deployment/terraform/modules/aws/eks/aws_eks_cluster.tf index b4bcb6772..1cb171b23 100644 --- a/operations/deployment/terraform/modules/aws/eks/aws_eks_cluster.tf +++ b/operations/deployment/terraform/modules/aws/eks/aws_eks_cluster.tf @@ -3,7 +3,7 @@ locals { } resource "aws_cloudwatch_log_group" "eks" { - count = var.aws_eks_cluster_log_types != "" ? 1 : 0 + count = var.aws_eks_cluster_log_types != "" ? 1 : 0 name = "/aws/eks/${var.aws_eks_cluster_name}/cluster" retention_in_days = tonumber(var.aws_eks_cluster_log_retention_days) skip_destroy = var.aws_eks_cluster_log_skip_destroy 
@@ -25,12 +25,12 @@ resource "aws_eks_cluster" "main" { tags = { "kubernetes.io/cluster/${var.aws_eks_cluster_name}" = "owned" } - depends_on = [ aws_cloudwatch_log_group.eks ] + depends_on = [aws_cloudwatch_log_group.eks] } data "aws_subnets" "private" { filter { - name = "vpc-id" + name = "vpc-id" values = [var.aws_selected_vpc_id] } tags = { @@ -72,7 +72,7 @@ resource "aws_eks_node_group" "node_nodes" { max_unavailable = 1 } - ami_type = "AL2_x86_64" + ami_type = "AL2_x86_64" instance_types = [var.aws_eks_instance_type] remote_access { @@ -86,10 +86,10 @@ resource "aws_eks_node_group" "node_nodes" { aws_security_group.eks_security_group_cluster, aws_security_group.eks_security_group_node ] - tags = { + tags = { "Name" = "${aws_eks_cluster.main.name}-node" } - tags_all = { + tags_all = { "Name" = "${aws_eks_cluster.main.name}-node" } } @@ -102,7 +102,7 @@ locals { { rolearn = aws_iam_role.iam_role_node.arn username = "system:node:{{EC2PrivateDNSName}}" - groups = [ + groups = [ "system:bootstrappers", "system:nodes" ] @@ -112,7 +112,7 @@ locals { for role_arn in local.aws_eks_cluster_admin_role_arn : { rolearn = role_arn username = "cluster-admin" - groups = [ + groups = [ "system:masters" ] } @@ -121,7 +121,7 @@ locals { resource "terraform_data" "replacement" { - input = yamlencode(distinct(concat(local.cluster_admin_roles,local.map_worker_roles))) + input = yamlencode(distinct(concat(local.cluster_admin_roles, local.map_worker_roles))) } resource "kubernetes_config_map" "aws_auth" { @@ -131,7 +131,7 @@ resource "kubernetes_config_map" "aws_auth" { } data = { - mapRoles = yamlencode(distinct(concat(local.cluster_admin_roles,local.map_worker_roles))) + mapRoles = yamlencode(distinct(concat(local.cluster_admin_roles, local.map_worker_roles))) #mapUsers = replace(yamlencode(var.map_additional_iam_users), "\"", local.yaml_quote) mapAccounts = "${data.aws_caller_identity.current.account_id}" } 
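Review bot: `ami_type = "AL2_x86_64"` in the aws_eks_node_group hunk (@@ -72,7) is the only node setting in this resource that is hard-coded while everything around it (`instance_types`, the update config) comes from a variable, and Amazon Linux 2 EKS-optimized AMIs are, to my knowledge, on a deprecation path in favour of AL2023, so clusters pinned here will stop receiving patched node images. A module-level variable with a documented default, e.g. `ami_type = var.aws_eks_node_ami_type` (new variable, default `"AL2_x86_64"` for compatibility, `"AL2023_x86_64_STANDARD"` as the migration target), lets operators move without editing the module. The node group body starts and ends outside the hunk.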
diff --git a/operations/deployment/terraform/modules/aws/eks/aws_eks_ec2_keypair.tf b/operations/deployment/terraform/modules/aws/eks/aws_eks_ec2_keypair.tf index 23531ec84..0fff9c2f3 100644 --- a/operations/deployment/terraform/modules/aws/eks/aws_eks_ec2_keypair.tf +++ b/operations/deployment/terraform/modules/aws/eks/aws_eks_ec2_keypair.tf @@ -13,13 +13,13 @@ resource "aws_key_pair" "aws_key" { // Creates a secret manager secret for the public key resource "aws_secretsmanager_secret" "keys_sm_secret" { - count = var.aws_eks_ec2_key_pair == "" ? ( var.aws_eks_store_keypair_sm ? 1 : 0 ) : 0 - name = "${var.aws_resource_identifier}-ec2kp-eks-${random_string.random.result}" + count = var.aws_eks_ec2_key_pair == "" ? (var.aws_eks_store_keypair_sm ? 1 : 0) : 0 + name = "${var.aws_resource_identifier}-ec2kp-eks-${random_string.random.result}" } - + resource "aws_secretsmanager_secret_version" "keys_sm_secret_version" { - count = var.aws_eks_ec2_key_pair == "" ? ( var.aws_eks_store_keypair_sm ? 1 : 0 ) : 0 - secret_id = aws_secretsmanager_secret.keys_sm_secret[0].id + count = var.aws_eks_ec2_key_pair == "" ? (var.aws_eks_store_keypair_sm ? 1 : 0) : 0 + secret_id = aws_secretsmanager_secret.keys_sm_secret[0].id secret_string = < 0 ? 1 : 0 bucket = aws_s3_bucket.lb_access_logs.id rule { - id = "ExpirationRule" + id = "ExpirationRule" status = "Enabled" filter { prefix = "" @@ -42,7 +42,7 @@ resource "aws_s3_bucket_policy" "allow_access_from_another_account" { } POLICY lifecycle { - ignore_changes = [ policy ] + ignore_changes = [policy] } } 
@@ -74,21 +74,21 @@ resource "aws_security_group" "elb_security_group" { # Adding rules to accept incoming connections to the ELB resource "aws_security_group_rule" "incoming_elb_ports" { - count = local.aws_ports_ammount - type = "ingress" - from_port = local.aws_elb_listen_port[count.index] - to_port = local.aws_elb_listen_port[count.index] - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] + count = local.aws_ports_ammount + type = "ingress" + from_port = local.aws_elb_listen_port[count.index] + to_port = local.aws_elb_listen_port[count.index] + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] security_group_id = aws_security_group.elb_security_group.id } # Creating ELB with port mappings resource "aws_elb" "vm_lb" { - name = var.aws_resource_identifier_supershort - security_groups = [aws_security_group.elb_security_group.id] + name = var.aws_resource_identifier_supershort + security_groups = [aws_security_group.elb_security_group.id] #availability_zones = var.aws_instance_server_az - subnets = [var.aws_vpc_subnet_selected] + subnets = [var.aws_vpc_subnet_selected] access_logs { bucket = aws_s3_bucket.lb_access_logs.id @@ -96,7 +96,7 @@ resource "aws_elb" "vm_lb" { } dynamic "listener" { - for_each = local.listener_for_each + for_each = local.listener_for_each content { instance_port = local.aws_elb_app_port[listener.key] 
@@ -125,32 +125,32 @@ resource "aws_elb" "vm_lb" { Name = "${var.aws_resource_identifier_supershort}" } } - + # TODO: Fix when a user only passes app_ports, the target length should be the same. # The main idea of the next block is to get what should be opened, mapped, and with which protocol. locals { # Check if there is a cert available - elb_ssl_available = var.aws_certificates_selected_arn != "" ? true : false + elb_ssl_available = var.aws_certificates_selected_arn != "" ? true : false # Transform CSV values into arrays. ( Now variables will be called local.xx instead of var.xx ) - aws_elb_listen_port = var.aws_elb_listen_port != "" ? [for n in split(",", var.aws_elb_listen_port) : tonumber(n)] : ( local.elb_ssl_available ? [443] : [80] ) - aws_elb_listen_protocol = var.aws_elb_listen_protocol != "" ? [for n in split(",", var.aws_elb_listen_protocol) : (n)] : ( local.elb_ssl_available ? ["ssl"] : ["tcp"] ) - aws_elb_app_port = var.aws_elb_app_port != "" ? [for n in split(",", var.aws_elb_app_port) : tonumber(n)] : var.aws_elb_listen_port != "" ? local.aws_elb_listen_port : [3000] - aws_elb_app_protocol = var.aws_elb_app_protocol != "" ? [for n in split(",", var.aws_elb_app_protocol) : (n)] : [] + aws_elb_listen_port = var.aws_elb_listen_port != "" ? [for n in split(",", var.aws_elb_listen_port) : tonumber(n)] : (local.elb_ssl_available ? [443] : [80]) + aws_elb_listen_protocol = var.aws_elb_listen_protocol != "" ? [for n in split(",", var.aws_elb_listen_protocol) : (n)] : (local.elb_ssl_available ? ["ssl"] : ["tcp"]) + aws_elb_app_port = var.aws_elb_app_port != "" ? [for n in split(",", var.aws_elb_app_port) : tonumber(n)] : var.aws_elb_listen_port != "" ? local.aws_elb_listen_port : [3000] + aws_elb_app_protocol = var.aws_elb_app_protocol != "" ? [for n in split(",", var.aws_elb_app_protocol) : (n)] : [] # Store the lowest array length. 
(aws_elb_app_port will be at least 3000) - aws_ports_ammount = length(local.aws_elb_listen_port) < length(local.aws_elb_app_port) ? length(local.aws_elb_listen_port) : length(local.aws_elb_app_port) + aws_ports_ammount = length(local.aws_elb_listen_port) < length(local.aws_elb_app_port) ? length(local.aws_elb_listen_port) : length(local.aws_elb_app_port) # Store the shortest array, and use that to generate ELB listeners. - listener_for_each = length(local.aws_elb_listen_port) < length(local.aws_elb_app_port) ? local.aws_elb_listen_port : local.aws_elb_app_port + listener_for_each = length(local.aws_elb_listen_port) < length(local.aws_elb_app_port) ? local.aws_elb_listen_port : local.aws_elb_app_port # Check protocols ammounts - aws_protos_ammount = length(local.aws_elb_listen_protocol) < length(local.aws_elb_app_protocol) ? length(local.aws_elb_listen_protocol) : length(local.aws_elb_app_protocol) + aws_protos_ammount = length(local.aws_elb_listen_protocol) < length(local.aws_elb_app_protocol) ? length(local.aws_elb_listen_protocol) : length(local.aws_elb_app_protocol) # If no protocols are defined for the app, set up the ammount of ports to be tcp. - elb_app_protocol = length(local.aws_elb_app_protocol) < local.aws_ports_ammount ? [ for _ in range(local.aws_ports_ammount) : "tcp" ] : local.aws_elb_app_protocol + elb_app_protocol = length(local.aws_elb_app_protocol) < local.aws_ports_ammount ? [for _ in range(local.aws_ports_ammount) : "tcp"] : local.aws_elb_app_protocol # Same but for listen protocols, and if a cert is available, make them SSL - elb_listen_protocol = length(local.aws_elb_listen_protocol) < local.aws_ports_ammount ? ( local.elb_ssl_available ? - [ for _ in range(local.aws_ports_ammount) : "ssl" ] : [ for _ in range(local.aws_ports_ammount) : "tcp" ] ) : local.aws_elb_listen_protocol + elb_listen_protocol = length(local.aws_elb_listen_protocol) < local.aws_ports_ammount ? (local.elb_ssl_available ? 
+ [for _ in range(local.aws_ports_ammount) : "ssl"] : [for _ in range(local.aws_ports_ammount) : "tcp"]) : local.aws_elb_listen_protocol } output "aws_elb_dns_name" { diff --git a/operations/deployment/terraform/modules/aws/rds/aws_rds.tf b/operations/deployment/terraform/modules/aws/rds/aws_rds.tf index 30f4d84f8..0839bfbf5 100644 --- a/operations/deployment/terraform/modules/aws/rds/aws_rds.tf +++ b/operations/deployment/terraform/modules/aws/rds/aws_rds.tf @@ -3,10 +3,10 @@ resource "aws_security_group" "rds_db_security_group" { description = "SG for ${var.aws_resource_identifier} - RDS" vpc_id = var.aws_selected_vpc_id egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "${var.aws_resource_identifier}-rds" @@ -40,8 +40,8 @@ resource "aws_security_group_rule" "ingress_rds_extras" { } locals { - aws_rds_db_subnets = var.aws_rds_db_subnets != null ? [for n in split(",", var.aws_rds_db_subnets) : (n)] : var.aws_subnets_vpc_subnets_ids - skip_snap = length(var.aws_rds_db_final_snapshot) != "" ? false : true + aws_rds_db_subnets = var.aws_rds_db_subnets != null ? [for n in split(",", var.aws_rds_db_subnets) : (n)] : var.aws_subnets_vpc_subnets_ids + skip_snap = length(var.aws_rds_db_final_snapshot) != "" ? false : true } resource "aws_db_subnet_group" "selected" { 
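Review bot: `skip_snap = length(var.aws_rds_db_final_snapshot) != "" ? false : true` in the RDS locals hunk (@@ -40,8) compares a number to a string; in Terraform a number is never equal to `""`, so `skip_snap` is always `false` whatever the variable holds. The `aws_db_instance` resource later in this diff does the intended test directly with `var.aws_rds_db_final_snapshot != ""`, so either remove the local or align it: `skip_snap = var.aws_rds_db_final_snapshot == ""`. If nothing reads `local.skip_snap`, deleting it avoids a misleading second source of truth for the final-snapshot decision.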
@@ -53,49 +53,49 @@ resource "aws_db_subnet_group" "selected" { } resource "aws_db_instance" "default" { - identifier = var.aws_rds_db_identifier - engine = var.aws_rds_db_engine - engine_version = var.aws_rds_db_engine_version - ca_cert_identifier = var.aws_rds_db_ca_cert_identifier - db_subnet_group_name = aws_db_subnet_group.selected.name - db_name = var.aws_rds_db_name != null ? var.aws_rds_db_name : null - port = var.aws_rds_db_port != null ? tonumber(var.aws_rds_db_port) : null - allocated_storage = tonumber(var.aws_rds_db_allocated_storage) - max_allocated_storage = tonumber(var.aws_rds_db_max_allocated_storage) - storage_encrypted = var.aws_rds_db_storage_encrypted - storage_type = var.aws_rds_db_storage_type - kms_key_id = var.aws_rds_db_kms_key_id - instance_class = var.aws_rds_db_instance_class - username = var.aws_rds_db_user != null ? var.aws_rds_db_user : "dbuser" - password = random_password.rds.result - skip_final_snapshot = var.aws_rds_db_final_snapshot != "" ? false : true - final_snapshot_identifier = var.aws_rds_db_final_snapshot != "" ? var.aws_rds_db_final_snapshot : null - snapshot_identifier = var.aws_rds_db_restore_snapshot_identifier - publicly_accessible = var.aws_rds_db_publicly_accessible - enabled_cloudwatch_logs_exports = [var.aws_rds_db_cloudwatch_logs_exports] - vpc_security_group_ids = [aws_security_group.rds_db_security_group.id] - multi_az = var.aws_rds_db_multi_az - maintenance_window = var.aws_rds_db_maintenance_window - apply_immediately = var.aws_rds_db_apply_immediately - performance_insights_enabled = var.aws_rds_db_performance_insights_enable - performance_insights_retention_period = var.aws_rds_db_performance_insights_enable ? var.aws_rds_db_performance_insights_retention : null - performance_insights_kms_key_id = var.aws_rds_db_performance_insights_enable ? 
var.aws_rds_db_performance_insights_kms_key_id : null + identifier = var.aws_rds_db_identifier + engine = var.aws_rds_db_engine + engine_version = var.aws_rds_db_engine_version + ca_cert_identifier = var.aws_rds_db_ca_cert_identifier + db_subnet_group_name = aws_db_subnet_group.selected.name + db_name = var.aws_rds_db_name != null ? var.aws_rds_db_name : null + port = var.aws_rds_db_port != null ? tonumber(var.aws_rds_db_port) : null + allocated_storage = tonumber(var.aws_rds_db_allocated_storage) + max_allocated_storage = tonumber(var.aws_rds_db_max_allocated_storage) + storage_encrypted = var.aws_rds_db_storage_encrypted + storage_type = var.aws_rds_db_storage_type + kms_key_id = var.aws_rds_db_kms_key_id + instance_class = var.aws_rds_db_instance_class + username = var.aws_rds_db_user != null ? var.aws_rds_db_user : "dbuser" + password = random_password.rds.result + skip_final_snapshot = var.aws_rds_db_final_snapshot != "" ? false : true + final_snapshot_identifier = var.aws_rds_db_final_snapshot != "" ? var.aws_rds_db_final_snapshot : null + snapshot_identifier = var.aws_rds_db_restore_snapshot_identifier + publicly_accessible = var.aws_rds_db_publicly_accessible + enabled_cloudwatch_logs_exports = [var.aws_rds_db_cloudwatch_logs_exports] + vpc_security_group_ids = [aws_security_group.rds_db_security_group.id] + multi_az = var.aws_rds_db_multi_az + maintenance_window = var.aws_rds_db_maintenance_window + apply_immediately = var.aws_rds_db_apply_immediately + performance_insights_enabled = var.aws_rds_db_performance_insights_enable + performance_insights_retention_period = var.aws_rds_db_performance_insights_enable ? var.aws_rds_db_performance_insights_retention : null + performance_insights_kms_key_id = var.aws_rds_db_performance_insights_enable ? var.aws_rds_db_performance_insights_kms_key_id : null # Updgrades - monitoring_interval = var.aws_rds_db_monitoring_interval - monitoring_role_arn = var.aws_rds_db_monitoring_interval > 0 ? 
var.aws_rds_db_monitoring_role_arn != "" ? var.aws_rds_db_monitoring_role_arn : aws_iam_role.rds_enhanced_monitoring[0].arn : null - database_insights_mode = var.aws_rds_db_insights_mode - allow_major_version_upgrade = var.aws_rds_db_allow_major_version_upgrade - auto_minor_version_upgrade = var.aws_rds_db_auto_minor_version_upgrade - backup_retention_period = var.aws_rds_db_backup_retention_period - backup_window = var.aws_rds_db_backup_window - copy_tags_to_snapshot = var.aws_rds_db_copy_tags_to_snapshot + monitoring_interval = var.aws_rds_db_monitoring_interval + monitoring_role_arn = var.aws_rds_db_monitoring_interval > 0 ? var.aws_rds_db_monitoring_role_arn != "" ? var.aws_rds_db_monitoring_role_arn : aws_iam_role.rds_enhanced_monitoring[0].arn : null + database_insights_mode = var.aws_rds_db_insights_mode + allow_major_version_upgrade = var.aws_rds_db_allow_major_version_upgrade + auto_minor_version_upgrade = var.aws_rds_db_auto_minor_version_upgrade + backup_retention_period = var.aws_rds_db_backup_retention_period + backup_window = var.aws_rds_db_backup_window + copy_tags_to_snapshot = var.aws_rds_db_copy_tags_to_snapshot tags = { Name = "${var.aws_resource_identifier}-rds" } } resource "aws_iam_role" "rds_enhanced_monitoring" { - count = var.aws_rds_db_monitoring_role_arn != "" ? 0 : var.aws_rds_db_monitoring_interval > 0 ? 1 : 0 + count = var.aws_rds_db_monitoring_role_arn != "" ? 0 : var.aws_rds_db_monitoring_interval > 0 ? 1 : 0 name = "${var.aws_resource_identifier}-rds" assume_role_policy = jsonencode({ 
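Review bot: `enabled_cloudwatch_logs_exports = [var.aws_rds_db_cloudwatch_logs_exports]` in the aws_db_instance hunk wraps the variable in a single-element list, whereas the sibling locals in this module parse comma-separated inputs with `split(",", …)` (e.g. `aws_rds_db_subnets`). If callers pass several log types as CSV, the provider receives one element containing commas and the apply fails; if the variable is intentionally single-valued, a comment on the line saying so would help. The consistent form would be `enabled_cloudwatch_logs_exports = var.aws_rds_db_cloudwatch_logs_exports != "" ? [for n in split(",", var.aws_rds_db_cloudwatch_logs_exports) : n] : []`. The variable declaration is outside this diff, so the CSV expectation is inferred from the module's naming pattern.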
@@ -111,51 +111,51 @@ resource "aws_iam_role" "rds_enhanced_monitoring" { } resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring_attach" { - count = var.aws_rds_db_monitoring_role_arn != "" ? 0 : var.aws_rds_db_monitoring_interval > 0 ? 1 : 0 + count = var.aws_rds_db_monitoring_role_arn != "" ? 0 : var.aws_rds_db_monitoring_interval > 0 ? 1 : 0 role = aws_iam_role.rds_enhanced_monitoring[0].name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole" } // Creates a secret manager secret for the databse credentials resource "aws_secretsmanager_secret" "rds_database_credentials" { - name = "${var.aws_resource_identifier_supershort}-rdsdb-pub-${random_string.random_sm.result}" + name = "${var.aws_resource_identifier_supershort}-rdsdb-pub-${random_string.random_sm.result}" } # Username and Password are repeated for compatibility with proxy and legacy code. resource "aws_secretsmanager_secret_version" "database_credentials_sm_secret_version_dev" { secret_id = aws_secretsmanager_secret.rds_database_credentials.id secret_string = jsonencode({ - username = sensitive(aws_db_instance.default.username) - password = sensitive(aws_db_instance.default.password) - host = sensitive(aws_db_instance.default.address) - port = sensitive(aws_db_instance.default.port) - database = sensitive(aws_db_instance.default.db_name) - engine = sensitive(aws_db_instance.default.engine) - engine_version = sensitive(aws_db_instance.default.engine_version) - DB_USER = sensitive(aws_db_instance.default.username) - DB_USERNAME = sensitive(aws_db_instance.default.username) - DB_PASSWORD = sensitive(aws_db_instance.default.password) - DB_HOST = sensitive(aws_db_instance.default.address) - DB_PORT = sensitive(aws_db_instance.default.port) - DB_NAME = sensitive(aws_db_instance.default.db_name) - DB_ENGINE = sensitive(aws_db_instance.default.engine) - DB_ENGINE_VERSION = sensitive(aws_db_instance.default.engine_version) + username = 
sensitive(aws_db_instance.default.username) + password = sensitive(aws_db_instance.default.password) + host = sensitive(aws_db_instance.default.address) + port = sensitive(aws_db_instance.default.port) + database = sensitive(aws_db_instance.default.db_name) + engine = sensitive(aws_db_instance.default.engine) + engine_version = sensitive(aws_db_instance.default.engine_version) + DB_USER = sensitive(aws_db_instance.default.username) + DB_USERNAME = sensitive(aws_db_instance.default.username) + DB_PASSWORD = sensitive(aws_db_instance.default.password) + DB_HOST = sensitive(aws_db_instance.default.address) + DB_PORT = sensitive(aws_db_instance.default.port) + DB_NAME = sensitive(aws_db_instance.default.db_name) + DB_ENGINE = sensitive(aws_db_instance.default.engine) + DB_ENGINE_VERSION = sensitive(aws_db_instance.default.engine_version) }) } resource "random_password" "rds" { - length = 25 + length = 25 special = false lifecycle { - ignore_changes = all + ignore_changes = all } } resource "random_string" "random_sm" { - length = 5 - lower = true - special = false - numeric = false + length = 5 + lower = true + special = false + numeric = false } data "aws_vpc" "selected" { @@ -180,7 +180,7 @@ output "random_string" { } output "rds_sg_id" { - value = aws_security_group.rds_db_security_group.id + value = aws_security_group.rds_db_security_group.id } output "db_port" { diff --git a/operations/deployment/terraform/modules/aws/redis/aws_redis vars.tf b/operations/deployment/terraform/modules/aws/redis/aws_redis vars.tf index ec3c8c71f..216ee531d 100644 --- a/operations/deployment/terraform/modules/aws/redis/aws_redis vars.tf +++ b/operations/deployment/terraform/modules/aws/redis/aws_redis vars.tf 
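Review bot: `aws_secretsmanager_secret.rds_database_credentials` is created without `kms_key_id`, so the credential JSON written in the next resource (the password appears under `password` and `DB_PASSWORD`) is encrypted with the AWS-managed default key and its access cannot be narrowed by a key policy; the same applies to the Redis secrets later in this diff. An optional `kms_key_id = var.aws_rds_db_secret_kms_key_id` (new variable, default `null`) would let operators use a customer-managed key without changing behaviour for existing callers. Worth a comment above `secret_string` as well: `sensitive()` only redacts plan output, the plaintext still lands in Terraform state, so state-backend encryption and access control remain the effective protection.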
@@ -32,7 +32,7 @@ variable "aws_redis_cloudwatch_log_type" {} variable "aws_redis_cloudwatch_retention_days" {} variable "aws_redis_single_line_url_secret" {} -variable "aws_selected_vpc_id" {} +variable "aws_selected_vpc_id" {} variable "aws_selected_subnets" {} variable "aws_resource_identifier" {} variable "aws_resource_identifier_supershort" {} \ No newline at end of file diff --git a/operations/deployment/terraform/modules/aws/redis/aws_redis.tf b/operations/deployment/terraform/modules/aws/redis/aws_redis.tf index 7d1d025e6..6ba31036f 100644 --- a/operations/deployment/terraform/modules/aws/redis/aws_redis.tf +++ b/operations/deployment/terraform/modules/aws/redis/aws_redis.tf @@ -5,10 +5,10 @@ resource "aws_security_group" "redis_security_group" { description = "SG for ${var.aws_resource_identifier} - Redis" vpc_id = var.aws_selected_vpc_id egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "${var.aws_resource_identifier}-redis" @@ -39,7 +39,7 @@ resource "aws_security_group_rule" "ingress_redis_extras" { locals { aws_redis_allowed_security_groups = var.aws_redis_allowed_security_groups != "" ? [for n in split(",", var.aws_redis_allowed_security_groups) : n] : [] - aws_redis_subnets = var.aws_redis_subnets != "" ? [for n in split(",", var.aws_redis_subnets) : (n)] : var.aws_selected_subnets + aws_redis_subnets = var.aws_redis_subnets != "" ? [for n in split(",", var.aws_redis_subnets) : (n)] : var.aws_selected_subnets } resource "aws_elasticache_subnet_group" "selected" { 
@@ -55,27 +55,27 @@ resource "aws_elasticache_subnet_group" "selected" { ######### resource "aws_elasticache_replication_group" "redis_cluster" { - automatic_failover_enabled = var.aws_redis_automatic_failover == null ? tonumber(var.aws_redis_num_cache_clusters) > 1 ? true : strcontains(var.aws_redis_parameter_group_name, "cluster") : var.aws_redis_automatic_failover - replication_group_id = var.aws_redis_replication_group_id != "" ? var.aws_redis_replication_group_id : "${var.aws_resource_identifier_supershort}-redis" - description = "Redis cluster for ${var.aws_resource_identifier}" - node_type = var.aws_redis_node_type - num_cache_clusters = tonumber(var.aws_redis_num_cache_clusters) > 0 ? tonumber(var.aws_redis_num_cache_clusters) : null - parameter_group_name = var.aws_redis_parameter_group_name - port = tonumber(var.aws_redis_port) - apply_immediately = var.aws_redis_apply_immediately - auto_minor_version_upgrade = var.aws_redis_auto_minor_upgrade - maintenance_window = var.aws_redis_maintenance_window - snapshot_window = var.aws_redis_snapshot_window - snapshot_name = var.aws_redis_snapshot_restore_name - final_snapshot_identifier = var.aws_redis_final_snapshot - user_group_ids = [aws_elasticache_user_group.redis.user_group_id] - at_rest_encryption_enabled = var.aws_redis_at_rest_encryption - transit_encryption_enabled = var.aws_redis_in_transit_encryption - subnet_group_name = aws_elasticache_subnet_group.selected.name - security_group_ids = [aws_security_group.redis_security_group.id] - num_node_groups = try(tonumber(var.aws_redis_num_node_groups),null) - replicas_per_node_group = try(tonumber(var.aws_redis_replicas_per_node_group),null) - multi_az_enabled = var.aws_redis_multi_az_enabled + automatic_failover_enabled = var.aws_redis_automatic_failover == null ? tonumber(var.aws_redis_num_cache_clusters) > 1 ? 
true : strcontains(var.aws_redis_parameter_group_name, "cluster") : var.aws_redis_automatic_failover + replication_group_id = var.aws_redis_replication_group_id != "" ? var.aws_redis_replication_group_id : "${var.aws_resource_identifier_supershort}-redis" + description = "Redis cluster for ${var.aws_resource_identifier}" + node_type = var.aws_redis_node_type + num_cache_clusters = tonumber(var.aws_redis_num_cache_clusters) > 0 ? tonumber(var.aws_redis_num_cache_clusters) : null + parameter_group_name = var.aws_redis_parameter_group_name + port = tonumber(var.aws_redis_port) + apply_immediately = var.aws_redis_apply_immediately + auto_minor_version_upgrade = var.aws_redis_auto_minor_upgrade + maintenance_window = var.aws_redis_maintenance_window + snapshot_window = var.aws_redis_snapshot_window + snapshot_name = var.aws_redis_snapshot_restore_name + final_snapshot_identifier = var.aws_redis_final_snapshot + user_group_ids = [aws_elasticache_user_group.redis.user_group_id] + at_rest_encryption_enabled = var.aws_redis_at_rest_encryption + transit_encryption_enabled = var.aws_redis_in_transit_encryption + subnet_group_name = aws_elasticache_subnet_group.selected.name + security_group_ids = [aws_security_group.redis_security_group.id] + num_node_groups = try(tonumber(var.aws_redis_num_node_groups), null) + replicas_per_node_group = try(tonumber(var.aws_redis_replicas_per_node_group), null) + multi_az_enabled = var.aws_redis_multi_az_enabled dynamic "log_delivery_configuration" { for_each = contains(local.aws_redis_cloudwatch_log_type, "slow-log") ? [1] : [] @@ -104,7 +104,7 @@ resource "aws_cloudwatch_log_group" "this" { } locals { - aws_redis_cloudwatch_log_type = var.aws_redis_cloudwatch_enabled ? [for n in split(",", var.aws_redis_cloudwatch_log_type) : (n)] : [] + aws_redis_cloudwatch_log_type = var.aws_redis_cloudwatch_enabled ? [for n in split(",", var.aws_redis_cloudwatch_log_type) : (n)] : [] } resource "aws_elasticache_user" "redis" { 
@@ -122,67 +122,67 @@ data "aws_elasticache_user" "default" { resource "aws_elasticache_user_group" "redis" { engine = "REDIS" user_group_id = var.aws_redis_user_group_name != "" ? var.aws_redis_user_group_name : "${var.aws_resource_identifier_supershort}-redis" - user_ids = [aws_elasticache_user.redis.user_id,data.aws_elasticache_user.default.user_id] + user_ids = [aws_elasticache_user.redis.user_id, data.aws_elasticache_user.default.user_id] } resource "random_password" "redis" { - length = 24 + length = 24 special = false } locals { - redis_url = ( aws_elasticache_replication_group.redis_cluster.cluster_enabled ? + redis_url = (aws_elasticache_replication_group.redis_cluster.cluster_enabled ? aws_elasticache_replication_group.redis_cluster.configuration_endpoint_address : - aws_elasticache_replication_group.redis_cluster.primary_endpoint_address ) + aws_elasticache_replication_group.redis_cluster.primary_endpoint_address) redis_protocol = var.aws_redis_in_transit_encryption ? "rediss" : "redis" } // Creates a secret manager secret for the databse credentials resource "aws_secretsmanager_secret" "redis_credentials_url" { count = var.aws_redis_single_line_url_secret ? 1 : 0 - name = "${var.aws_resource_identifier_supershort}-redis-url-${random_string.random.result}" + name = "${var.aws_resource_identifier_supershort}-redis-url-${random_string.random.result}" } resource "aws_secretsmanager_secret_version" "rediscredentials_sm_secret_version_url" { - count = var.aws_redis_single_line_url_secret ? 1 : 0 - secret_id = aws_secretsmanager_secret.redis_credentials_url[0].id + count = var.aws_redis_single_line_url_secret ? 
1 : 0 + secret_id = aws_secretsmanager_secret.redis_credentials_url[0].id secret_string = sensitive("${local.redis_protocol}://${aws_elasticache_user.redis.user_name}:${random_password.redis.result}@${local.redis_url}:${aws_elasticache_replication_group.redis_cluster.port}") } // Creates a secret manager secret for the databse credentials resource "aws_secretsmanager_secret" "redis_credentials" { - name = "${var.aws_resource_identifier_supershort}-redis-${random_string.random.result}" + name = "${var.aws_resource_identifier_supershort}-redis-${random_string.random.result}" } resource "aws_secretsmanager_secret_version" "rediscredentials_sm_secret_version" { secret_id = aws_secretsmanager_secret.redis_credentials.id secret_string = jsonencode({ - username = sensitive(aws_elasticache_user.redis.user_name) - password = sensitive(random_password.redis.result) - host = sensitive(local.redis_url) - port = sensitive(aws_elasticache_replication_group.redis_cluster.port) - protocol = sensitive(local.redis_protocol) - DB_USER = sensitive(aws_elasticache_user.redis.user_name) - DB_USERNAME = sensitive(aws_elasticache_user.redis.user_name) - DB_PASSWORD = sensitive(random_password.redis.result) - DB_HOST = sensitive(local.redis_url) - DB_PORT = sensitive(aws_elasticache_replication_group.redis_cluster.port) - DB_PROTOCOL = sensitive(local.redis_protocol) + username = sensitive(aws_elasticache_user.redis.user_name) + password = sensitive(random_password.redis.result) + host = sensitive(local.redis_url) + port = sensitive(aws_elasticache_replication_group.redis_cluster.port) + protocol = sensitive(local.redis_protocol) + DB_USER = sensitive(aws_elasticache_user.redis.user_name) + DB_USERNAME = sensitive(aws_elasticache_user.redis.user_name) + DB_PASSWORD = sensitive(random_password.redis.result) + DB_HOST = sensitive(local.redis_url) + DB_PORT = sensitive(aws_elasticache_replication_group.redis_cluster.port) + DB_PROTOCOL = sensitive(local.redis_protocol) }) } resource 
"random_string" "random" { - length = 5 - lower = true - special = false - numeric = false + length = 5 + lower = true + special = false + numeric = false lifecycle { ignore_changes = all } } output "redis_url" { - value = local.redis_url + value = local.redis_url } output "redis_secret_name" { @@ -190,11 +190,11 @@ output "redis_secret_name" { } output "redis_connection_string_secret" { - value = try(aws_secretsmanager_secret.redis_credentials_url[0].name,null) + value = try(aws_secretsmanager_secret.redis_credentials_url[0].name, null) } output "redis_endpoint" { - value = "${local.redis_protocol}://${local.redis_url}:${aws_elasticache_replication_group.redis_cluster.port}" + value = "${local.redis_protocol}://${local.redis_url}:${aws_elasticache_replication_group.redis_cluster.port}" } output "redis_sg_id" { diff --git a/operations/deployment/terraform/modules/aws/route53/aws_route53.tf b/operations/deployment/terraform/modules/aws/route53/aws_route53.tf index 2c7a8b13d..0dca0bcd9 100644 --- a/operations/deployment/terraform/modules/aws/route53/aws_route53.tf +++ b/operations/deployment/terraform/modules/aws/route53/aws_route53.tf @@ -44,7 +44,7 @@ resource "aws_route53_record" "www-a" { locals { protocol = var.aws_r53_enable_cert ? var.aws_certificates_selected_arn != "" ? "https://" : "http://" : "http://" - url = (var.fqdn_provided ? + url = (var.fqdn_provided ? (var.aws_r53_root_domain_deploy ? "${local.protocol}${var.aws_r53_domain_name}" : "${local.protocol}${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" diff --git a/operations/deployment/terraform/modules/aws/route53/aws_route53_vars.tf b/operations/deployment/terraform/modules/aws/route53/aws_route53_vars.tf index 319cd00da..e460213de 100644 --- a/operations/deployment/terraform/modules/aws/route53/aws_route53_vars.tf +++ b/operations/deployment/terraform/modules/aws/route53/aws_route53_vars.tf 
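Review bot: `user_ids = [aws_elasticache_user.redis.user_id, data.aws_elasticache_user.default.user_id]` in the aws_elasticache_user_group hunk (@@ -122,67) puts a user named `default` in the group next to the password-protected `redis` user; if that data source resolves to ElastiCache's built-in `default` user, which has no password and full access, any client that can reach the cluster can authenticate as `default` and the generated password protects nothing. The data source is declared outside this hunk, so I cannot confirm which user it selects; if it is the built-in one, the module should create its own `aws_elasticache_user` with `user_name = "default"` and an access string that disables it (e.g. `access_string = "off -@all"`) and reference that here instead. A one-line comment above `user_ids` stating which default user is intended would keep this from being reintroduced silently.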
@@ -4,6 +4,6 @@ variable "aws_r53_root_domain_deploy" {} variable "aws_r53_enable_cert" {} variable "aws_elb_dns_name" {} variable "aws_elb_zone_id" {} - # Certs +# Certs variable "aws_certificates_selected_arn" {} variable "fqdn_provided" {} \ No newline at end of file diff --git a/operations/deployment/terraform/modules/aws/secretmanager_get/aws_secretmanager_get.tf b/operations/deployment/terraform/modules/aws/secretmanager_get/aws_secretmanager_get.tf index 3b26b5456..3584c3f12 100644 --- a/operations/deployment/terraform/modules/aws/secretmanager_get/aws_secretmanager_get.tf +++ b/operations/deployment/terraform/modules/aws/secretmanager_get/aws_secretmanager_get.tf @@ -1,20 +1,20 @@ # This file will create a key=value file with an AWS Secret stored in AWS Secret Manager # With a JSON style of "{"key1":"value1","key2":"value2"}" data "aws_secretsmanager_secret_version" "secret_list" { - count = length(local.env_aws_secret) - secret_id = local.env_aws_secret[count.index] + count = length(local.env_aws_secret) + secret_id = local.env_aws_secret[count.index] } resource "local_file" "tf-secretdotenv" { filename = format("%s/%s", abspath(path.root), "aws.env") - content = join("\n",local.s3_secret_string) + content = join("\n", local.s3_secret_string) } locals { - env_aws_secret = [for n in split(",", var.env_aws_secret) : (n)] + env_aws_secret = [for n in split(",", var.env_aws_secret) : (n)] all_secret_contents = { for secret_name, secret_data in data.aws_secretsmanager_secret_version.secret_list : secret_name => jsondecode(secret_data.secret_string) } - merged_secrets = merge(values(local.all_secret_contents)...) + merged_secrets = merge(values(local.all_secret_contents)...) s3_secret_string = [for key, value in local.merged_secrets : "${key}=${value}"] } \ No newline at end of file 
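Review bot: The `local_file` resource in the secretmanager_get hunk writes every merged secret value in plaintext to `aws.env` under `path.root` and sets no `file_permission`, so the hashicorp/local provider applies its default of `0777` (before umask) and the file can end up world-readable on the machine running apply. Add `file_permission = "0600"` to the resource, and consider declaring it as `local_sensitive_file` instead of `local_file` so the rendered key=value content is not echoed in plan and apply output. Either way the decoded secret values also land in Terraform state, which then has to be stored and shared as a secret itself. The `"${key}=${value}"` interpolation in `s3_secret_string` presumably assumes each secret is a flat map of string values; a nested JSON value would fail type conversion at apply time, so a comment above `locals` stating that each referenced secret must be a flat `{"key":"value"}` object would document the constraint.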
diff --git a/operations/deployment/terraform/modules/aws/sg/add_rule/sg_add_rule.tf b/operations/deployment/terraform/modules/aws/sg/add_rule/sg_add_rule.tf index c090e3eef..8776ad4d5 100644 --- a/operations/deployment/terraform/modules/aws/sg/add_rule/sg_add_rule.tf +++ b/operations/deployment/terraform/modules/aws/sg/add_rule/sg_add_rule.tf @@ -1,14 +1,14 @@ resource "aws_security_group_rule" "sg_port_to_port" { - type = var.sg_type - description = var.sg_rule_description - from_port = var.sg_rule_from_port - to_port = var.sg_rule_to_port - protocol = var.sg_rule_protocol - source_security_group_id = var.source_security_group_id - security_group_id = var.target_security_group_id + type = var.sg_type + description = var.sg_rule_description + from_port = var.sg_rule_from_port + to_port = var.sg_rule_to_port + protocol = var.sg_rule_protocol + source_security_group_id = var.source_security_group_id + security_group_id = var.target_security_group_id } -variable "sg_type" {} #-> ingress +variable "sg_type" {} #-> ingress variable "sg_rule_description" {} #-> "${var.aws_resource_identifier} - EC2 Incoming" variable "sg_rule_from_port" {} variable "sg_rule_to_port" {} diff --git a/operations/deployment/terraform/modules/aws/vpc/aws_vpc.tf b/operations/deployment/terraform/modules/aws/vpc/aws_vpc.tf index b3bcf48e1..e99b04787 100644 --- a/operations/deployment/terraform/modules/aws/vpc/aws_vpc.tf +++ b/operations/deployment/terraform/modules/aws/vpc/aws_vpc.tf 
@@ -8,34 +8,34 @@ data "aws_vpc" "default" { #### VPC IMPORT data "aws_vpc" "exisiting" { - count = var.aws_vpc_create ? 0 : var.aws_vpc_id != "" ? 1 : 0 + count = var.aws_vpc_create ? 0 : var.aws_vpc_id != "" ? 1 : 0 id = var.aws_vpc_id } #### VPC CREATE resource "aws_vpc" "main" { - count = var.aws_vpc_create ? 1 : 0 - cidr_block = var.aws_vpc_cidr_block - enable_dns_hostnames = "true" - tags = { - Name = var.aws_vpc_name != "" ? var.aws_vpc_name : "VPC for ${var.aws_resource_identifier}" - } + count = var.aws_vpc_create ? 1 : 0 + cidr_block = var.aws_vpc_cidr_block + enable_dns_hostnames = "true" + tags = { + Name = var.aws_vpc_name != "" ? var.aws_vpc_name : "VPC for ${var.aws_resource_identifier}" + } } ### Private - resource "aws_subnet" "private" { - count = var.aws_vpc_create ? length(local.aws_vpc_private_subnets) : 0 - vpc_id = aws_vpc.main[0].id - cidr_block = element(local.aws_vpc_private_subnets, count.index) - availability_zone = element(local.aws_vpc_availability_zones, count.index) +resource "aws_subnet" "private" { + count = var.aws_vpc_create ? length(local.aws_vpc_private_subnets) : 0 + vpc_id = aws_vpc.main[0].id + cidr_block = element(local.aws_vpc_private_subnets, count.index) + availability_zone = element(local.aws_vpc_availability_zones, count.index) - tags = merge({ - Name = "${var.aws_resource_identifier}-private${count.index + 1}" - Tier = "Private" - }, - var.aws_eks_create ? local.private_subnet_tags : {}) + tags = merge({ + Name = "${var.aws_resource_identifier}-private${count.index + 1}" + Tier = "Private" + }, + var.aws_eks_create ? local.private_subnet_tags : {}) } resource "aws_route_table" "private" { 
@@ -43,9 +43,9 @@ resource "aws_route_table" "private" { count = var.aws_vpc_create ? 1 : 0 vpc_id = aws_vpc.main[0].id tags = { - Name = "${var.aws_resource_identifier}-private" + Name = "${var.aws_resource_identifier}-private" } - depends_on = [ aws_vpc.main ] + depends_on = [aws_vpc.main] } resource "aws_route_table_association" "private" { @@ -66,9 +66,9 @@ resource "aws_subnet" "public" { tags = merge({ Name = "${var.aws_resource_identifier}-public${count.index + 1}" Tier = "Public" - }, + }, var.aws_eks_create ? local.public_subnet_tags : {}) - depends_on = [ aws_vpc.main ] + depends_on = [aws_vpc.main] } resource "aws_route_table" "public" { @@ -76,9 +76,9 @@ resource "aws_route_table" "public" { vpc_id = aws_vpc.main[0].id tags = { - Name = "${var.aws_resource_identifier}-public" - } - depends_on = [ aws_vpc.main ] + Name = "${var.aws_resource_identifier}-public" + } + depends_on = [aws_vpc.main] } resource "aws_route_table_association" "public" { @@ -88,9 +88,9 @@ resource "aws_route_table_association" "public" { } resource "aws_internet_gateway" "gw" { - count = var.aws_vpc_create ? 1 : 0 - vpc_id = aws_vpc.main[0].id - depends_on = [ aws_vpc.main ] + count = var.aws_vpc_create ? 1 : 0 + vpc_id = aws_vpc.main[0].id + depends_on = [aws_vpc.main] } resource "aws_route" "public" { @@ -110,7 +110,7 @@ locals { "kubernetes.io/role/internal-elb" = 1 } public_subnet_tags = { - "kubernetes.io/role/elb" = 1 + "kubernetes.io/role/elb" = 1 } } @@ -179,7 +179,7 @@ locals { # Get the VPC details data "aws_vpc" "selected" { - id = local.selected_vpc_id + id = local.selected_vpc_id } # Sort the AZ list, and ensure that the az from the existing EC2 instance is first in the list 
@@ -187,10 +187,10 @@ data "aws_vpc" "selected" { locals { sorted_availability_zones = sort(data.aws_availability_zones.all.names) index_of_existing_az = index(local.sorted_availability_zones, local.aws_ec2_zone_selected) - + before_existing_az = local.index_of_existing_az == 0 ? [] : slice(local.sorted_availability_zones, 0, local.index_of_existing_az) - after_existing_az = local.index_of_existing_az == length(local.sorted_availability_zones) -1 ? [] : slice(local.sorted_availability_zones, local.index_of_existing_az + 1, length(local.sorted_availability_zones)) - + after_existing_az = local.index_of_existing_az == length(local.sorted_availability_zones) - 1 ? [] : slice(local.sorted_availability_zones, local.index_of_existing_az + 1, length(local.sorted_availability_zones)) + reordered_availability_zones = concat( [element(local.sorted_availability_zones, local.index_of_existing_az)], local.before_existing_az, @@ -216,15 +216,15 @@ output "aws_vpc_subnet_selected" { output "aws_region_current_name" { description = "Current region name" - value = data.aws_region.current.name + value = data.aws_region.current.name } output "aws_vpc_cidr_block" { description = "CIDR block of chosen VPC" - value = data.aws_vpc.selected.cidr_block + value = data.aws_vpc.selected.cidr_block } output "aws_vpc_dns_enabled" { description = "Boolean of DNS enabled in VPC" - value = data.aws_vpc.selected.enable_dns_hostnames + value = data.aws_vpc.selected.enable_dns_hostnames } \ No newline at end of file diff --git a/operations/deployment/terraform/modules/aws/vpc/aws_vpc_azs.tf b/operations/deployment/terraform/modules/aws/vpc/aws_vpc_azs.tf index 996ccc132..4c5a29133 100644 --- a/operations/deployment/terraform/modules/aws/vpc/aws_vpc_azs.tf +++ b/operations/deployment/terraform/modules/aws/vpc/aws_vpc_azs.tf @@ -6,7 +6,7 @@ data "aws_availability_zones" "all" { filter { name = "region-name" values = [data.aws_region.current.name] - } + } state = "available" } 
@@ -15,7 +15,7 @@ data "aws_subnets" "vpc_subnets" { name = "vpc-id" values = [local.selected_vpc_id] } - + # Add availability-zone filter conditionally dynamic "filter" { for_each = local.aws_vpc_availability_zones != [] ? [1] : [] @@ -58,10 +58,10 @@ data "aws_subnet" "defaultf" { } locals { - use_default = var.aws_vpc_create ? false : var.aws_vpc_id != "" ? false : true + use_default = var.aws_vpc_create ? false : var.aws_vpc_id != "" ? false : true aws_ec2_instance_type_offerings = sort(data.aws_ec2_instance_type_offerings.region_azs.locations) - aws_ec2_zone_selected = local.aws_ec2_instance_type_offerings[random_integer.az_select[0].result] - preferred_az = var.aws_vpc_availability_zones != "" ? local.aws_vpc_availability_zones[0] : var.aws_vpc_id != "" ? data.aws_subnet.selected[0].availability_zone : local.aws_ec2_zone_selected + aws_ec2_zone_selected = local.aws_ec2_instance_type_offerings[random_integer.az_select[0].result] + preferred_az = var.aws_vpc_availability_zones != "" ? local.aws_vpc_availability_zones[0] : var.aws_vpc_id != "" ? data.aws_subnet.selected[0].availability_zone : local.aws_ec2_zone_selected #preferred_az = var.aws_vpc_availability_zones != "" ? local.aws_ec2_zone_selected : var.aws_vpc_id != "" ? data.aws_subnet.selected[0].availability_zone : local.aws_ec2_zone_selected } @@ -76,9 +76,9 @@ data "aws_ec2_instance_type_offerings" "region_azs" { resource "random_integer" "az_select" { count = length(data.aws_ec2_instance_type_offerings.region_azs.locations) > 0 ? 1 : 0 - - min = 0 - max = length(data.aws_ec2_instance_type_offerings.region_azs.locations) - 1 + + min = 0 + max = length(data.aws_ec2_instance_type_offerings.region_azs.locations) - 1 lifecycle { ignore_changes = all 
@@ -147,10 +147,10 @@ locals { "security_groups" : [data.aws_security_group.default.id] } }) : null - chosen_subnet_id = try(data.aws_subnet.default_selected[0].id,data.aws_subnets.vpc_subnets.ids[0],aws_subnet.public[0].id) + chosen_subnet_id = try(data.aws_subnet.default_selected[0].id, data.aws_subnets.vpc_subnets.ids[0], aws_subnet.public[0].id) # ha_zone_mapping: Creates a zone mapping object list for all available AZs in a region - ha_zone_mapping = merge(local.auto_ha_availability_zonea, local.auto_ha_availability_zoneb, local.auto_ha_availability_zonec, local.auto_ha_availability_zoned, local.auto_ha_availability_zonee, local.auto_ha_availability_zonef) - ec2_zone_mapping = { "${local.preferred_az}" : { "subnet_id" : "${local.chosen_subnet_id}", "security_groups" : ["${local.aws_ec2_security_group_name}"] } } + ha_zone_mapping = merge(local.auto_ha_availability_zonea, local.auto_ha_availability_zoneb, local.auto_ha_availability_zonec, local.auto_ha_availability_zoned, local.auto_ha_availability_zonee, local.auto_ha_availability_zonef) + ec2_zone_mapping = { "${local.preferred_az}" : { "subnet_id" : "${local.chosen_subnet_id}", "security_groups" : ["${local.aws_ec2_security_group_name}"] } } } output "aws_security_group_default_id" { @@ -159,7 +159,7 @@ output "aws_security_group_default_id" { } output "instance_type_available" { - value = length(data.aws_ec2_instance_type_offerings.region_azs.locations) > 0 ? "EC2 Instance type valid for this region" : "EC2 Instance type invalid for this region." + value = length(data.aws_ec2_instance_type_offerings.region_azs.locations) > 0 ? "EC2 Instance type valid for this region" : "EC2 Instance type invalid for this region." } output "ha_zone_mapping" { diff --git a/operations/deployment/terraform/modules/aws/waf/aws_waf.tf b/operations/deployment/terraform/modules/aws/waf/aws_waf.tf index 52fb27805..125ad504a 100644 --- a/operations/deployment/terraform/modules/aws/waf/aws_waf.tf 
+++ b/operations/deployment/terraform/modules/aws/waf/aws_waf.tf @@ -10,10 +10,10 @@ locals { ### WAF Configuration resource "aws_wafv2_web_acl" "waf" { - count = var.aws_waf_enable ? 1 : 0 - name = "${var.aws_resource_identifier}-waf" + count = var.aws_waf_enable ? 1 : 0 + name = "${var.aws_resource_identifier}-waf" description = "WAF for ${var.aws_resource_identifier}" - scope = "REGIONAL" + scope = "REGIONAL" default_action { allow {} @@ -393,7 +393,7 @@ resource "aws_wafv2_web_acl_logging_configuration" "waf_logging" { name = "cookie" } } - depends_on = [ aws_cloudwatch_log_group.waf_log_group, aws_wafv2_web_acl.waf ] + depends_on = [aws_cloudwatch_log_group.waf_log_group, aws_wafv2_web_acl.waf] } # CloudWatch Log Group for WAF (optional) diff --git a/operations/deployment/terraform/modules/aws/waf/aws_waf_vars.tf b/operations/deployment/terraform/modules/aws/waf/aws_waf_vars.tf index d14de3bcb..4dbbea14f 100644 --- a/operations/deployment/terraform/modules/aws/waf/aws_waf_vars.tf +++ b/operations/deployment/terraform/modules/aws/waf/aws_waf_vars.tf 
@@ -5,16 +5,16 @@ variable "aws_waf_logging_enable" {} variable "aws_waf_log_retention_days" {} variable "aws_resource_identifier" {} -variable "aws_waf_rule_rate_limit" {} # - Rate limit (requests per 5 minutes) -variable "aws_waf_rule_managed_rules" {} # - Managed rule groups -variable "aws_waf_rule_managed_bad_inputs" {} # - Known bad inputs rule -variable "aws_waf_rule_ip_reputation" {} # - IP reputation rule -variable "aws_waf_rule_anonymous_ip" {} # - Anonymous IPs rule -variable "aws_waf_rule_bot_control" {} # - Bot control rule -variable "aws_waf_rule_geo_block_countries" {} # - List of countries to block +variable "aws_waf_rule_rate_limit" {} # - Rate limit (requests per 5 minutes) +variable "aws_waf_rule_managed_rules" {} # - Managed rule groups +variable "aws_waf_rule_managed_bad_inputs" {} # - Known bad inputs rule +variable "aws_waf_rule_ip_reputation" {} # - IP reputation rule +variable "aws_waf_rule_anonymous_ip" {} # - Anonymous IPs rule +variable "aws_waf_rule_bot_control" {} # - Bot control rule +variable "aws_waf_rule_geo_block_countries" {} # - List of countries to block variable "aws_waf_rule_geo_allow_only_countries" {} # - List of countries to allow only -variable "aws_waf_rule_user_arn" {} # - ARN of the user-defined rule group -variable "aws_waf_rule_sqli" {} # - SQL injection rule -variable "aws_waf_rule_linux" {} # - Linux rule -variable "aws_waf_rule_unix" {} # - Unix rule -variable "aws_waf_rule_admin_protection" {} # - Admin protection rule \ No newline at end of file +variable "aws_waf_rule_user_arn" {} # - ARN of the user-defined rule group +variable "aws_waf_rule_sqli" {} # - SQL injection rule +variable "aws_waf_rule_linux" {} # - Linux rule +variable "aws_waf_rule_unix" {} # - Unix rule +variable "aws_waf_rule_admin_protection" {} # - Admin protection rule \ No newline at end of file