// Provider requirements for the root module.
// Only the aws provider is pinned (5.x series); there is no required_version
// constraint on Terraform itself, so CI and workstations should agree on a
// version out of band.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
// Partition of the deploying credentials (e.g. "aws"); handed to the control
// plane and provisioner modules so ARNs they build are partition-correct.
data "aws_partition" "current" {
}
// Account of the deploying credentials; its account_id is threaded into the
// service, bucket and alerting modules below.
data "aws_caller_identity" "current" {
}
// Network and cluster selection.
// When the caller supplies an existing VPC (var.vpc_id set) the caller's
// subnet ids and database subnet group are used verbatim; otherwise they come
// from the vpc module instantiated below with count = 1. The same pattern
// applies to the ECS cluster.
locals {
  vpc_id                   = var.vpc_id == null ? module.vpc[0].vpc_id : var.vpc_id
  public_subnet_ids        = var.vpc_id == null ? module.vpc[0].public_subnet_ids : var.public_subnet_ids
  private_subnet_ids       = var.vpc_id == null ? module.vpc[0].private_subnet_ids : var.private_subnet_ids
  database_subnet_group_id = var.vpc_id == null ? module.vpc[0].database_subnet_group_id : var.database_subnet_group_id

  ecs_cluster_id = var.ecs_cluster_id == null ? module.ecs[0].cluster_id : var.ecs_cluster_id
}
// module.vpc gained a count argument; this keeps existing state addressed
// as module.vpc[0] instead of destroying and recreating the network.
moved {
  from = module.vpc
  to   = module.vpc[0]
}
// Resolved licence key: read from the SSM parameter when an ARN is supplied,
// otherwise taken verbatim from var.licence_key. In both cases the resolved
// value is a plain string in Terraform state (data source results are stored
// there), so state access should be treated as access to the key.
locals {
  licence_key_value = var.licence_key_ps_arn == null ? var.licence_key : data.aws_ssm_parameter.licence_key[0].value
}
// Parses the licence-key parameter ARN so the parameter name can be derived
// from its resource part. Only instantiated when an ARN was supplied.
data "aws_arn" "licence_key" {
  count = var.licence_key_ps_arn == null ? 0 : 1

  arn = var.licence_key_ps_arn
}
// Reads the licence key from SSM Parameter Store when an ARN was supplied.
// with_decryption is not set, so the provider default applies and a
// SecureString parameter is returned decrypted.
data "aws_ssm_parameter" "licence_key" {
  count = var.licence_key_ps_arn == null ? 0 : 1

  // The ARN's resource part looks like 'parameter/common-fate/prod/licence-key';
  // the data source wants the name, '/common-fate/prod/licence-key'.
  // NOTE(review): for a non-hierarchical parameter name (no leading slash)
  // this yields '/name' - confirm SSM resolves that form.
  name = trimprefix(data.aws_arn.licence_key[0].resource, "parameter")
}
// Network created only when the caller did not bring their own VPC.
// NAT gateway layout is caller-controlled (one per AZ vs. a single gateway).
module "vpc" {
  count  = var.vpc_id == null ? 1 : 0
  source = "./modules/vpc"

  namespace  = var.namespace
  stage      = var.stage
  aws_region = var.aws_region

  single_nat_gateway     = var.single_nat_gateway
  one_nat_gateway_per_az = var.one_nat_gateway_per_az
}
// Application load balancer: the single ingress point whose listener and
// security group are shared by the control plane, web and access handler
// services. Can be made internal-only via use_internal_load_balancer.
module "alb" {
  source = "./modules/alb"

  namespace = var.namespace
  stage     = var.stage

  vpc_id            = local.vpc_id
  public_subnet_ids = local.public_subnet_ids
  certificate_arn   = var.app_certificate_arn

  use_internal_load_balancer = var.use_internal_load_balancer

  maintenance_mode_enabled = var.maintenance_mode_enabled
  maintenance_mode_message = var.maintenance_mode_message
}
// Relational database for the control plane (also reached by the access
// handler, which receives the same endpoint, user and secret ARN below).
// Deletion protection, backup retention, multi-AZ and point-in-time /
// snapshot restore are all pass-through from root variables; their defaults
// are not visible here.
module "control_plane_db" {
  source = "./modules/database"

  namespace = var.namespace
  stage     = var.stage

  vpc_id          = local.vpc_id
  subnet_group_id = local.database_subnet_group_id

  rds_instance_type              = var.rds_instance_type
  rds_instance_identifier_suffix = var.rds_instance_identifier_suffix
  rds_multi_az                   = var.rds_multi_az
  apply_immediately              = var.rds_apply_immediately

  deletion_protection      = var.database_deletion_protection
  rds_db_retention_period  = var.rds_db_retention_period
  restore_to_point_in_time = var.restore_to_point_in_time
  snapshot_identifier      = var.rds_snapshot_identifier
}
// DynamoDB-backed authorization store, with optional restore from a source
// table at a given time (or the latest restorable time).
module "authz_db" {
  source = "./modules/authz-database"

  namespace = var.namespace
  stage     = var.stage

  dynamodb_restore_source_name    = var.dynamodb_restore_source_name
  dynamodb_restore_date_time      = var.dynamodb_restore_date_time
  dynamodb_restore_to_latest_time = var.dynamodb_restore_to_latest_time
}
// Event bus and SQS queue consumed by the control plane and access handler.
module "events" {
  source = "./modules/events"

  namespace = var.namespace
  stage     = var.stage
}
// Operational alerting over the ALB, control plane target group, database,
// event bus and queue. Alert routing metadata is caller-supplied.
module "alerts" {
  source = "./modules/alerts"

  namespace      = var.namespace
  stage          = var.stage
  aws_region     = var.aws_region
  aws_account_id = data.aws_caller_identity.current.account_id

  alert_metadata = var.alert_metadata

  // Monitored resources
  ecs_cluster_id              = local.ecs_cluster_id
  alb_arn_suffix              = module.alb.alb_arn_suffix
  control_plane_tg_arn_suffix = module.control_plane.control_plane_tg_arn_suffix
  db_instance_identifier      = module.control_plane_db.db_instance_identifier
  event_bus_name              = module.events.event_bus_name
  sqs_queue_name              = module.events.sqs_queue_name
}
// module.ecs gained a count argument; keep the existing cluster addressed as
// module.ecs[0] rather than replacing it.
moved {
  from = module.ecs
  to   = module.ecs[0]
}
// The log group previously owned by module.authz now lives under
// module.authz-legacy; moving it in state preserves the group and its logs.
moved {
  from = module.authz.aws_cloudwatch_log_group.authz_log_group
  to   = module.authz-legacy.aws_cloudwatch_log_group.authz_log_group
}
// ECS cluster from the public registry, created only when the caller did not
// supply var.ecs_cluster_id. Supply-chain note: "~> 4.1.3" accepts any 4.1.x
// release at init time, and module versions are not recorded in the
// dependency lock file, so pin an exact version if reproducible builds are
// required.
module "ecs" {
  count = var.ecs_cluster_id == null ? 1 : 0

  source  = "terraform-aws-modules/ecs/aws"
  version = "~> 4.1.3"

  cluster_name                          = "${var.namespace}-${var.stage}-cluster"
  default_capacity_provider_use_fargate = true
}
// Shared ECS plumbing: the OpenTelemetry collector log group (with caller-set
// retention), the IAM policy that lets tasks write to it, and the service
// discovery namespace used by the services below.
module "ecs_base" {
  source = "./modules/ecs-base"

  namespace = var.namespace
  stage     = var.stage

  log_retention_in_days = var.ecs_opentelemetry_collector_log_retention_in_days
}
// Cognito user pool: the OIDC issuer for every service and the SAML bridge to
// the customer's identity provider. Access/refresh token lifetimes for the web
// and CLI clients are caller-configured; the administrator emails are invited
// as users of the pool.
module "cognito" {
  source = "./modules/cognito"

  namespace  = var.namespace
  stage      = var.stage
  aws_region = var.aws_region

  app_url              = var.app_url
  auth_url             = var.auth_url
  auth_certificate_arn = var.auth_certificate_arn

  // SAML federation
  saml_metadata_is_file            = var.saml_metadata_is_file
  saml_metadata_source             = var.saml_metadata_source
  saml_provider_name               = var.saml_provider_name
  saml_allow_idp_initiated_sign_in = var.saml_allow_idp_initiated_sign_in

  // Web client token lifetimes
  web_access_token_validity_duration  = var.web_access_token_validity_duration
  web_access_token_validity_units     = var.web_access_token_validity_units
  web_refresh_token_validity_duration = var.web_refresh_token_validity_duration
  web_refresh_token_validity_units    = var.web_refresh_token_validity_units

  // CLI client token lifetimes
  cli_access_token_validity_duration  = var.cli_access_token_validity_duration
  cli_access_token_validity_units     = var.cli_access_token_validity_units
  cli_refresh_token_validity_duration = var.cli_refresh_token_validity_duration
  cli_refresh_token_validity_units    = var.cli_refresh_token_validity_units

  invite_user_emails = var.administrator_emails
}
// Control plane: the API backend and its worker. It receives every
// service-to-service credential in this deployment, so its inputs read as a
// trust map:
//   - the Cognito client ids and secrets (control plane, Slack, provisioner,
//     Terraform, read-only) arrive as module.cognito outputs and therefore
//     pass through Terraform state;
//   - grant_assume_on_role_arns and assume_role_external_id configure the
//     roles the service may assume in target accounts; the same external id
//     is also handed to the builtin provisioner below;
//   - iam_role_permission_boundary bounds the IAM roles the module creates.
module "control_plane" {
  source = "./modules/controlplane"

  // Deployment identity
  namespace          = var.namespace
  stage              = var.stage
  aws_region         = var.aws_region
  aws_account_id     = data.aws_caller_identity.current.account_id
  aws_partition      = data.aws_partition.current.id
  release_tag        = var.release_tag
  app_url            = var.app_url
  managed_deployment = var.managed_deployment

  // Networking and placement
  vpc_id                          = local.vpc_id
  subnet_ids                      = local.private_subnet_ids
  ecs_cluster_id                  = local.ecs_cluster_id
  alb_listener_arn                = module.alb.listener_arn
  alb_security_group_id           = module.alb.alb_security_group_id
  control_plane_target_group_arns = var.control_plane_target_group_arns
  service_discovery_namespace_arn = module.ecs_base.service_discovery_namespace_arn
  additional_cors_allowed_origins = var.additional_cors_allowed_origins

  // Container images and sizing
  control_image_repository = var.control_image_repository
  worker_image_repository  = var.worker_image_repository
  ecs_task_cpu             = var.control_plane_ecs_task_cpu
  ecs_task_memory          = var.control_plane_ecs_task_memory
  worker_ecs_task_cpu      = var.worker_ecs_task_cpu
  worker_ecs_task_memory   = var.worker_ecs_task_memory

  // Database
  database_host              = module.control_plane_db.endpoint
  database_user              = module.control_plane_db.username
  database_secret_sm_arn     = module.control_plane_db.secret_arn
  database_security_group_id = module.control_plane_db.security_group_id
  database_auto_migrate      = var.database_auto_migrate

  // Events
  eventbus_arn   = module.events.event_bus_arn
  sqs_queue_arn  = module.events.sqs_queue_arn
  sqs_queue_name = module.events.sqs_queue_name

  // Authentication: one issuer, per-service OIDC clients, SAML endpoints
  auth_issuer                           = module.cognito.auth_issuer
  oidc_control_plane_issuer             = module.cognito.auth_issuer
  oidc_slack_issuer                     = module.cognito.auth_issuer
  control_plane_service_client_id       = module.cognito.control_plane_service_client_id
  control_plane_service_client_secret   = module.cognito.control_plane_service_client_secret
  slack_service_client_id               = module.cognito.slack_service_client_id
  slack_service_client_secret           = module.cognito.slack_service_client_secret
  oidc_access_handler_service_client_id = module.cognito.access_handler_service_client_id
  oidc_provisioner_service_client_id    = module.cognito.provisioner_client_id
  provisioner_service_client_secret     = module.cognito.provisioner_client_secret
  oidc_terraform_client_id              = module.cognito.terraform_client_id
  terraform_service_client_secret       = module.cognito.terraform_client_secret
  oidc_read_only_client_id              = module.cognito.read_only_client_id
  read_only_service_client_secret       = module.cognito.read_only_client_secret
  saml_acs_url                          = module.cognito.saml_acs_url
  saml_entity_id                        = module.cognito.saml_entity_id
  administrator_emails                  = var.administrator_emails

  // Identity synchronisation
  scim_source                   = var.scim_source
  scim_token_ps_arn             = var.scim_token_ps_arn
  sync_entra_identities_enabled = var.sync_entra_identities_enabled
  sync_okta_enabled             = var.sync_okta_enabled
  compare_entitlements_enabled  = var.compare_entitlements_enabled

  // Cross-account access and IAM guard rails
  grant_assume_on_role_arns    = var.control_plane_grant_assume_on_role_arns
  assume_role_external_id      = var.assume_role_external_id
  iam_role_permission_boundary = var.iam_role_permission_boundary

  // Peer services
  access_handler_security_group_id       = module.access_handler.security_group_id
  access_handler_service_connect_address = module.access_handler.access_handler_internal_address
  builtin_provisioner_url                = module.provisioner.provisioner_url

  // Buckets
  report_bucket_arn              = module.report_bucket.arn
  report_bucket_name             = module.report_bucket.id
  authz_eval_bucket_arn          = module.authz_eval_bucket.arn
  authz_eval_bucket_name         = module.authz_eval_bucket.id
  shell_session_logs_bucket_arn  = module.shell_session_logs_bucket.arn
  shell_session_logs_bucket_name = module.shell_session_logs_bucket.id

  // Licensing, telemetry and monitoring
  licence_key                 = local.licence_key_value
  log_level                   = var.control_plane_log_level
  otel_log_group_name         = module.ecs_base.otel_log_group_name
  otel_writer_iam_policy_arn  = module.ecs_base.otel_writer_iam_policy_arn
  xray_monitoring_enabled     = var.xray_monitoring_enabled
  managed_monitoring_enabled  = var.managed_monitoring_enabled
  managed_monitoring_endpoint = var.managed_monitoring_endpoint
  factory_base_url            = var.factory_base_url
  factory_oidc_issuer         = var.factory_oidc_issuer
  factory_monitoring          = var.factory_monitoring
  usage_reporting_enabled     = var.usage_reporting_enabled
  usage_reporting_interval    = var.usage_reporting_interval
}
// S3 bucket for generated reports; ARN and name are handed to the control
// plane.
module "report_bucket" {
  source = "./modules/s3bucket"

  namespace = var.namespace
  stage     = var.stage
  component = "reports"

  bucket_prefix  = "${var.namespace}-${var.stage}-reports"
  aws_account_id = data.aws_caller_identity.current.account_id
  region         = var.aws_region
}
// S3 bucket for authorization evaluation records; shared by the control
// plane and the access handler.
module "authz_eval_bucket" {
  source = "./modules/s3bucket"

  namespace = var.namespace
  stage     = var.stage
  component = "evals"

  bucket_prefix  = "${var.namespace}-${var.stage}-evals"
  aws_account_id = data.aws_caller_identity.current.account_id
  region         = var.aws_region
}
// S3 bucket for shell session recordings. Unlike the other buckets it carries
// a CORS rule: browsers served from var.app_url may GET/PUT/POST with
// Authorization and Content-Type headers and read back ETag. Only the app
// origin is allowed here; var.additional_cors_allowed_origins, which the
// services accept, is not applied to the bucket - confirm that is intended.
module "shell_session_logs_bucket" {
  source = "./modules/s3bucket"

  namespace = var.namespace
  stage     = var.stage
  component = "shell-session-logs"

  bucket_prefix  = "${var.namespace}-${var.stage}-shell-session-logs"
  aws_account_id = data.aws_caller_identity.current.account_id
  region         = var.aws_region

  cors_rules = [
    {
      allowed_origins = [var.app_url]
      allowed_methods = ["GET", "PUT", "POST"]
      allowed_headers = ["Authorization", "Content-Type"]
      expose_headers  = ["ETag"]
      max_age_seconds = 3000
    },
  ]
}
// Web frontend service. Receives only public OIDC client ids (web and CLI)
// plus the issuer/authority URLs - no client secrets - and the regional
// domain name of the shell session logs bucket.
module "web" {
  source = "./modules/web"

  // Deployment identity
  namespace      = var.namespace
  stage          = var.stage
  aws_region     = var.aws_region
  aws_account_id = data.aws_caller_identity.current.account_id
  release_tag    = var.release_tag
  app_url        = var.app_url

  // Networking and placement
  vpc_id                = local.vpc_id
  subnet_ids            = local.private_subnet_ids
  ecs_cluster_id        = local.ecs_cluster_id
  alb_listener_arn      = module.alb.listener_arn
  alb_security_group_id = module.alb.alb_security_group_id
  web_target_group_arns = var.web_target_group_arns

  // Authentication
  auth_url           = module.cognito.auth_url
  auth_issuer        = module.cognito.auth_issuer
  auth_authority_url = module.cognito.auth_authority_url
  auth_web_client_id = module.cognito.web_client_id
  auth_cli_client_id = module.cognito.cli_client_id

  web_image_repository                  = var.web_image_repository
  centralised_support                   = var.centralised_support
  iam_role_permission_boundary          = var.iam_role_permission_boundary
  shell_session_logs_bucket_domain_name = module.shell_session_logs_bucket.bucket_regional_domain_name
}
// Access handler service. Shares the control plane's database (same endpoint,
// user and secret ARN) and the authz-eval and session-log buckets; it holds
// its own Cognito service client id/secret (another secret that flows through
// state as a module.cognito output) and the resolved licence key.
module "access_handler" {
  source = "./modules/access"

  // Deployment identity
  namespace      = var.namespace
  stage          = var.stage
  aws_region     = var.aws_region
  aws_account_id = data.aws_caller_identity.current.account_id
  release_tag    = var.release_tag
  app_url        = var.app_url

  // Networking and placement
  vpc_id                          = local.vpc_id
  subnet_ids                      = local.private_subnet_ids
  ecs_cluster_id                  = local.ecs_cluster_id
  alb_listener_arn                = module.alb.listener_arn
  alb_security_group_id           = module.alb.alb_security_group_id
  access_target_group_arns        = var.access_target_group_arns
  service_discovery_namespace_arn = module.ecs_base.service_discovery_namespace_arn
  additional_cors_allowed_origins = var.additional_cors_allowed_origins

  // Image and sizing
  access_image_repository = var.access_image_repository
  ecs_task_cpu            = var.access_handler_ecs_task_cpu
  ecs_task_memory         = var.access_handler_ecs_task_memory

  // Peer services
  control_plane_security_group_id = module.control_plane.security_group_id
  worker_security_group_id        = module.control_plane.worker_security_group_id
  builtin_provisioner_url         = module.provisioner.provisioner_url
  eventbus_arn                    = module.events.event_bus_arn

  // Database (shared with the control plane)
  database_host              = module.control_plane_db.endpoint
  database_user              = module.control_plane_db.username
  database_secret_sm_arn     = module.control_plane_db.secret_arn
  database_security_group_id = module.control_plane_db.security_group_id

  // Authentication
  auth_issuer                               = module.cognito.auth_issuer
  oidc_access_handler_service_issuer        = module.cognito.auth_issuer
  oidc_access_handler_service_client_id     = module.cognito.access_handler_service_client_id
  oidc_access_handler_service_client_secret = module.cognito.access_handler_service_client_secret

  // Buckets
  authz_eval_bucket_arn          = module.authz_eval_bucket.arn
  authz_eval_bucket_name         = module.authz_eval_bucket.id
  shell_session_logs_bucket_arn  = module.shell_session_logs_bucket.arn
  shell_session_logs_bucket_name = module.shell_session_logs_bucket.id

  // Licensing, telemetry and monitoring
  licence_key                 = local.licence_key_value
  log_level                   = var.access_handler_log_level
  otel_log_group_name         = module.ecs_base.otel_log_group_name
  otel_writer_iam_policy_arn  = module.ecs_base.otel_writer_iam_policy_arn
  xray_monitoring_enabled     = var.xray_monitoring_enabled
  managed_monitoring_enabled  = var.managed_monitoring_enabled
  managed_monitoring_endpoint = var.managed_monitoring_endpoint
  factory_base_url            = var.factory_base_url
  factory_oidc_issuer         = var.factory_oidc_issuer

  iam_role_permission_boundary = var.iam_role_permission_boundary
}
// Builtin provisioner service. Network ingress is limited to the control
// plane's security group (allow_ingress_from_sg_ids), and it receives the
// same assume_role_external_id as the control plane for target-account role
// assumption. iam_role_permission_boundary bounds the roles it creates.
module "provisioner" {
  source = "./modules/provisioner"

  // A name prefix lets this builtin provisioner be deployed alongside an
  // external provisioner deployment and migrated to without downtime.
  name_prefix = "builtin"

  // Deployment identity
  namespace      = var.namespace
  stage          = var.stage
  aws_region     = var.aws_region
  aws_account_id = data.aws_caller_identity.current.account_id
  aws_partition  = data.aws_partition.current.id
  release_tag    = var.release_tag
  app_url        = var.app_url

  // Networking and placement
  vpc_id                    = local.vpc_id
  subnet_ids                = local.private_subnet_ids
  ecs_cluster_id            = local.ecs_cluster_id
  access_handler_sg_id      = module.access_handler.security_group_id
  allow_ingress_from_sg_ids = [module.control_plane.security_group_id]

  // Authentication and cross-account access
  auth_issuer                       = module.cognito.auth_issuer
  provisioner_service_client_id     = module.cognito.provisioner_client_id
  provisioner_service_client_secret = module.cognito.provisioner_client_secret
  assume_role_external_id           = var.assume_role_external_id
  iam_role_permission_boundary      = var.iam_role_permission_boundary

  provisioner_image_repository = var.provisioner_image_repository

  // Licensing, telemetry and monitoring
  licence_key                 = local.licence_key_value
  otel_log_group_name         = module.ecs_base.otel_log_group_name
  otel_writer_iam_policy_arn  = module.ecs_base.otel_writer_iam_policy_arn
  xray_monitoring_enabled     = var.xray_monitoring_enabled
  managed_monitoring_enabled  = var.managed_monitoring_enabled
  managed_monitoring_endpoint = var.managed_monitoring_endpoint
  factory_base_url            = var.factory_base_url
  factory_oidc_issuer         = var.factory_oidc_issuer
  factory_monitoring          = var.factory_monitoring
}
// Legacy authorization module, retained so the moved block above can keep
// its CloudWatch log group in state.
module "authz-legacy" {
  source = "./modules/authz-legacy"

  namespace = var.namespace
  stage     = var.stage
}