From dac44e34a4e72839ad52d5b8b176a8db2b042ae5 Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Wed, 25 Oct 2023 16:29:12 +0100
Subject: [PATCH] UML-3138 Various TF fixes

---
 terraform/account/region/cloudwatch.tf | 2 +-
 .../account/region/modules/s3_bucket/main.tf | 6 ----
 terraform/account/region/network.tf | 34 +++++++++++++------
 terraform/account/region/s3_redacted_logs.tf | 7 ++--
 terraform/account/region/vpc_endpoints.tf | 5 +--
 5 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/terraform/account/region/cloudwatch.tf b/terraform/account/region/cloudwatch.tf
index 028b14aa83..625ace500a 100644
--- a/terraform/account/region/cloudwatch.tf
+++ b/terraform/account/region/cloudwatch.tf
@@ -10,7 +10,7 @@ resource "aws_cloudwatch_log_group" "use-an-lpa" {
 }
 
 data "aws_kms_alias" "cloudwatch_mrk" {
-  name = "alias/cloudwatch-encryption-mrk"
+  name = "alias/cloudwatch_encryption"
   provider = aws.region
 }
 
diff --git a/terraform/account/region/modules/s3_bucket/main.tf b/terraform/account/region/modules/s3_bucket/main.tf
index 6ee6b1ee2d..48b63f6f33 100644
--- a/terraform/account/region/modules/s3_bucket/main.tf
+++ b/terraform/account/region/modules/s3_bucket/main.tf
@@ -1,12 +1,6 @@
 resource "aws_s3_bucket" "bucket" {
   bucket = var.bucket_name
   force_destroy = var.force_destroy
-
-  # Temporary workaround to prevent the bucket being destroyed
-  lifecycle {
-    ignore_changes = [bucket]
-  }
-
 }
 
 resource "aws_s3_bucket_acl" "bucket_acl" {
diff --git a/terraform/account/region/network.tf b/terraform/account/region/network.tf
index b1839edeb8..0414662dfe 100644
--- a/terraform/account/region/network.tf
+++ b/terraform/account/region/network.tf
@@ -1,3 +1,10 @@
+locals {
+  availability_zones = [
+    "eu-west-1a",
+    "eu-west-1b",
+    "eu-west-1c",
+  ]
+}
 resource "aws_default_vpc" "default" {
   tags = { "Name" = "default" }
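Review bot: The new `name` line points the data source at a different KMS key than `alias/cloudwatch-encryption-mrk`, and nothing in the hunk records what happens to log events already written under the old key. If this data source feeds the log group's `kms_key_id` (that reference is outside the hunk), CloudWatch Logs encrypts new events with the new key while existing events stay bound to the old one, so the old key must remain enabled until those events age out or are accepted as unreadable. The data source is still called `cloudwatch_mrk` although the alias no longer indicates a multi-region key; a comment such as `# alias/cloudwatch_encryption replaces the MRK alias; keep the old key enabled for events written before this change` would capture both points, or rename the data source to match.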
@@ -8,27 +15,34 @@ data "aws_availability_zones" "default" {
   provider = aws.region
 }
 
+# TODO: Remove this once the above data source has been put into state
+resource "aws_key_pair" "foo" {
+  count = 3
+  key_name = "temporary-testing-keypair-${element(data.aws_availability_zones.default.names, count.index)}"
+  public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 temporary-testing-keypair"
+}
+
+#TODO: Fix this by changing availability_zone to a data source
 resource "aws_default_subnet" "public" {
-  count = 3
-  availability_zone = element(data.aws_availability_zones.default.names, count.index)
+  count = 3
+  availability_zone = local.availability_zones[count.index]
+  # availability_zone = data.aws_availability_zones.default.names[count.index]
   map_public_ip_on_launch = false
   tags = { "Name" = "public" }
   provider = aws.region
 }
 
+#TODO: Fix this by changing availability_zone to a data source
 resource "aws_subnet" "private" {
-  count = 3
-  cidr_block = cidrsubnet(aws_default_vpc.default.cidr_block, 4, count.index + 3)
-  vpc_id = aws_default_vpc.default.id
-  availability_zone = element(data.aws_availability_zones.default.names, count.index)
+  count = 3
+  cidr_block = cidrsubnet(aws_default_vpc.default.cidr_block, 4, count.index + 3)
+  vpc_id = aws_default_vpc.default.id
+  availability_zone = local.availability_zones[count.index]
+  # availability_zone = element(data.aws_availability_zones.default.names, count.index)
   map_public_ip_on_launch = false
   tags = { "Name" = "private" }
-  # Ignore changes to the availability zone - this is a temporary workaround to prevent recreation of the subnets
-  lifecycle {
-    ignore_changes = 
[availability_zone]
-  }
   provider = aws.region
 }
diff --git a/terraform/account/region/s3_redacted_logs.tf b/terraform/account/region/s3_redacted_logs.tf
index 5160d948d6..f47cc7ca80 100644
--- a/terraform/account/region/s3_redacted_logs.tf
+++ b/terraform/account/region/s3_redacted_logs.tf
@@ -1,8 +1,9 @@
 module "redacted-logs" {
   source = "./modules/s3_bucket"
-
-  account_name = var.environment_name
-  bucket_name = "opg-use-an-lpa-redacted-logs-${var.environment_name}-${data.aws_region.current.name}"
+  #TODO: Fix this by changing availability_zone to a data source
+  account_name = var.environment_name
+  bucket_name = "opg-use-an-lpa-redacted-logs-${var.environment_name}-eu-west-1"
+  # bucket_name = "opg-use-an-lpa-redacted-logs-${var.environment_name}-${data.aws_region.current.name}"
   expiration_days = 400 # Log Retention is 13 Months/400 Days as Policy
   force_destroy = false
   kms_key = aws_kms_key.redacted_s3
diff --git a/terraform/account/region/vpc_endpoints.tf b/terraform/account/region/vpc_endpoints.tf
index dd4f03a74b..a28470c295 100644
--- a/terraform/account/region/vpc_endpoints.tf
+++ b/terraform/account/region/vpc_endpoints.tf
@@ -1,11 +1,12 @@
 resource "aws_security_group" "vpc_endpoints_private" {
-  name_prefix = "vpc-endpoint-access-private-subnets-${data.aws_region.current.name}"
+  #TODO: Fix name_prefix
+  name_prefix = "vpc-endpoint-access-private-subnets-eu-west-1"
+  # name_prefix = "vpc-endpoint-access-private-subnets-${data.aws_region.current.name}"
   description = "vpc endpoint private sg"
   vpc_id = aws_default_vpc.default.id
   tags = { Name = "vpc-endpoint-access-private-subnets-${data.aws_region.current.name}" }
   lifecycle {
     create_before_destroy = true
-    ignore_changes = [name_prefix]
   }
   provider = aws.region
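Review bot: The added `aws_key_pair.foo` registers a hard-coded `public_key` in the account purely as a side effect to pull `data.aws_availability_zones.default` into state, and that key body appears to be the sample key from the provider's `aws_key_pair` documentation rather than a key the team controls. Any instance later launched with one of the `temporary-testing-keypair-*` key names would be reachable by whoever holds the matching private key, and the `# TODO` names no owner or removal date. A data source can be pulled into state without creating an AWS resource, for example by referencing `data.aws_availability_zones.default.names` from an `output`, or from a `terraform_data`/`null_resource` trigger if the project's Terraform version and provider set allow it, so the three key pairs are unnecessary. If the resource stays, the comment should at least read `# TODO(UML-3138): side-effect resource only; public key is NOT a team key - confirm no launch template or instance references these key names, then remove`. The trailing context lines of this hunk appear to have been cut from the listing.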
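Review bot: The added `#TODO: Fix this by changing availability_zone to a data source` comment was copied from network.tf and does not describe this line: the module call has no availability zone, and what was replaced is the region suffix in `bucket_name`. It should read `#TODO: restore ${data.aws_region.current.name} in bucket_name once the region data source is in state`. Because this same patch removes `ignore_changes = [bucket]` from the s3_bucket module, any mismatch between the hard-coded `-eu-west-1` name and the bucket recorded in state would now plan a replacement of a 400-day log bucket; `force_destroy = false` should make that fail on a non-empty bucket rather than delete data, but the plan should be checked for a replace before apply.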