diff --git a/terraform/modules/aurora/main.tf b/terraform/modules/aurora/main.tf
index f79d7058..ec332596 100644
--- a/terraform/modules/aurora/main.tf
+++ b/terraform/modules/aurora/main.tf
@@ -1,8 +1,8 @@
 locals {
- db_port = var.db_engine_type == "aurora-postgresql" ? 5432 : 3306
+ db_port = var.db_engine_type == "aurora-postgresql" ? 5432 : 3306
 protocol = "tcp"
 all_ips = ["0.0.0.0/0"]
- any = "-1"
+ any = "-1"
 rds_master_password = {
 password = random_password.master_password.result
 }
@@ -10,35 +10,42 @@ locals { } resource "aws_rds_cluster" "rds" { - cluster_identifier = "${var.resource_prefix}-aurora" - engine = var.db_engine_type - engine_version = var.db_engine_version - engine_mode = var.db_engine_mode - database_name = var.database_name - master_username = var.master_username - master_password = random_password.master_password.result - final_snapshot_identifier = local.snapshot_name - skip_final_snapshot = var.skip_final_snapshot - backup_retention_period = var.backup_retention_period - preferred_backup_window = var.backup_window - preferred_maintenance_window = var.maintenance_window - port = local.db_port - storage_encrypted = var.storage_encrypted - allow_major_version_upgrade = var.allow_major_version_upgrade - enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports - deletion_protection = var.deletion_protection - db_subnet_group_name = aws_db_subnet_group.subnet_group.name - vpc_security_group_ids = [aws_security_group.rds.id] - kms_key_id = data.aws_kms_alias.kms.id + cluster_identifier = "${var.resource_prefix}-aurora" + engine = var.db_engine_type + engine_version = var.db_engine_version + engine_mode = var.db_engine_mode + database_name = var.database_name + master_username = var.master_username + master_password = random_password.master_password.result + final_snapshot_identifier = local.snapshot_name + skip_final_snapshot = var.skip_final_snapshot + backup_retention_period = var.backup_retention_period + preferred_backup_window = var.backup_window + preferred_maintenance_window = var.maintenance_window + port = local.db_port + storage_encrypted = var.storage_encrypted + allow_major_version_upgrade = var.allow_major_version_upgrade + enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports + deletion_protection = var.deletion_protection + db_subnet_group_name = aws_db_subnet_group.subnet_group.name + vpc_security_group_ids = [aws_security_group.rds.id] + kms_key_id = data.aws_kms_alias.kms.id 
serverlessv2_scaling_configuration { - max_capacity = var.max_capacity - min_capacity = var.min_capacity + max_capacity = var.max_capacity + min_capacity = var.min_capacity } - tags = var.tags + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) lifecycle { ignore_changes = [ - kms_key_id + kms_key_id, + tags["CreateDate"], ] } @@ -57,31 +64,31 @@ resource "random_password" "master_password" { length = var.master_password_length special = false keepers = { - Name = var.master_username + Name = var.master_username } } resource "aws_db_subnet_group" "subnet_group" { name = "${var.resource_prefix}-rds-aurora-subnet-group" subnet_ids = var.db_subnet_ids - tags = var.tags + tags = var.tags } resource "aws_security_group" "rds" { - name = "${var.resource_prefix}-rds-aurora-sg" + name = "${var.resource_prefix}-rds-aurora-sg" vpc_id = var.vpc_id description = "Allow traffic to/from RDS Aurora" - tags = var.tags + tags = var.tags } resource "aws_security_group_rule" "rds_inbound" { - description = "From allowed SGs" - type = "ingress" - from_port = local.db_port - to_port = local.db_port - protocol = local.protocol - cidr_blocks = var.allowed_ip_blocks - security_group_id = aws_security_group.rds.id + description = "From allowed SGs" + type = "ingress" + from_port = local.db_port + to_port = local.db_port + protocol = local.protocol + cidr_blocks = var.allowed_ip_blocks + security_group_id = aws_security_group.rds.id } resource "random_id" "snapshot" { 
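Review bot: The `tags = merge({ "CreateDate" = timestamp() }, var.tags)` plus `ignore_changes = [tags["CreateDate"]]` pair added to `aws_rds_cluster.rds` is repeated verbatim for every tagged resource in this commit (cloudfront/cloudwatch.tf, kinesis.tf, lambda.tf, cloudfront/main.tf, ecr/main.tf, ecs/kms.tf, ecs/main.tf, ecs/neo4j.tf); hoisting the merge into a module-level `locals { tags = merge({ "CreateDate" = timestamp() }, var.tags) }` and writing `tags = local.tags` keeps the expression in one place, though each resource still needs its own `lifecycle` entry. `timestamp()` is re-evaluated on every plan and apply, so the `ignore_changes` entry is the only thing preventing a perpetual tags diff; a comment such as `# CreateDate is set once at creation; ignore_changes stops timestamp() from churning tags` would explain why the two always travel together. Because `var.tags` is the last merge argument, a caller-supplied `CreateDate` overrides the generated one, which may or may not be intended. Separately, `master_password = random_password.master_password.result` in this hunk is the same value that `output "db_password"` in outputs.tf exports with `sensitive = false` on this page; `sensitive = true` would keep it out of plan and apply output. The resource's closing brace is not visible within the hunk.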
@@ -97,15 +104,15 @@ resource "aws_security_group_rule" "egress" { to_port = 0 protocol = local.any cidr_blocks = local.all_ips - security_group_id = aws_security_group.rds.id + security_group_id = aws_security_group.rds.id } resource "aws_secretsmanager_secret" "db_secret" { - name = "${var.stack_name}/rds/aurora/${var.env}" + name = "${var.stack_name}/rds/aurora/${var.env}" recovery_window_in_days = var.secret_recovery_window_in_days } resource "aws_secretsmanager_secret_version" "secret_version" { - secret_id = aws_secretsmanager_secret.db_secret.id + secret_id = aws_secretsmanager_secret.db_secret.id secret_string = jsonencode(local.rds_master_password) } \ No newline at end of file diff --git a/terraform/modules/aurora/outputs.tf b/terraform/modules/aurora/outputs.tf index 6708cacc..0bc1ac84 100644 --- a/terraform/modules/aurora/outputs.tf +++ b/terraform/modules/aurora/outputs.tf @@ -2,6 +2,6 @@ output "cluster_endpoint" { value = aws_rds_cluster.rds.endpoint } output "db_password" { - value = random_password.master_password.result + value = random_password.master_password.result sensitive = false } diff --git a/terraform/modules/aurora/variables.tf b/terraform/modules/aurora/variables.tf index 1dec81e0..6e367106 100644 --- a/terraform/modules/aurora/variables.tf +++ b/terraform/modules/aurora/variables.tf @@ -5,11 +5,11 @@ variable "resource_prefix" { variable "tags" { description = "tags to associate with this instance" - type = map(string) + type = map(string) } variable "stack_name" { description = "name of the project" - type = string + type = string } variable "env" { @@ -91,8 +91,8 @@ variable "db_engine_version" { } variable "lifecycle_policy_name" { description = "name of resource lifecycle policy" - default = "ignore_changes" - type = string + default = "ignore_changes" + type = string } variable "db_engine_mode" { 
@@ -139,8 +139,8 @@ variable "max_capacity" { } variable "master_password_length" { description = "length of master user password" - type = number - default = 15 + type = number + default = 15 } variable "vpc_id" { type = string @@ -149,16 +149,16 @@ variable "vpc_id" { variable "secret_recovery_window_in_days" { description = "number of days to keep secret after deletion" - type = number - default = 0 + type = number + default = 0 } variable "allowed_ip_blocks" { description = "allowed ip block for the rds ingress" - type = list(string) - default = [] + type = list(string) + default = [] } variable "database_name" { description = "name of the database" - type = string - default = "bento" + type = string + default = "bento" } diff --git a/terraform/modules/cloudfront/cloudwatch.tf b/terraform/modules/cloudfront/cloudwatch.tf index 80a510d8..7f4455a2 100644 --- a/terraform/modules/cloudfront/cloudwatch.tf +++ b/terraform/modules/cloudfront/cloudwatch.tf @@ -1,5 +1,5 @@ resource "aws_cloudwatch_metric_alarm" "cloudfront_alarm" { - for_each = var.alarms + for_each = var.alarms alarm_name = "${var.resource_prefix}-${each.key}-cloudfront-alarm" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "5" 
@@ -14,14 +14,38 @@ resource "aws_cloudwatch_metric_alarm" "cloudfront_alarm" { DistributionId = aws_cloudfront_distribution.distribution.id Region = "Global" } - alarm_actions = [aws_sns_topic.cloudfront_alarm_topic.arn] - ok_actions = [aws_sns_topic.cloudfront_alarm_topic.arn] - tags = var.tags + alarm_actions = [aws_sns_topic.cloudfront_alarm_topic.arn] + ok_actions = [aws_sns_topic.cloudfront_alarm_topic.arn] + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_sns_topic" "cloudfront_alarm_topic" { name = "${var.resource_prefix}-cloudfront-4xx-5xx-errors" - tags = var.tags + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_sns_topic_subscription" "subscribe_slack_endpoint" { @@ -34,11 +58,35 @@ resource "aws_sns_topic_subscription" "subscribe_slack_endpoint" { resource "aws_cloudwatch_log_group" "log_group_waf" { name = "/aws/lambda/${aws_lambda_function.slack_waf.function_name}" retention_in_days = 30 - tags = var.tags + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_cloudwatch_log_group" "log_group_slack" { name = "/aws/lambda/${aws_lambda_function.slack_lambda.function_name}" retention_in_days = 30 - tags = var.tags + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } \ No newline at end of file diff --git a/terraform/modules/cloudfront/data.tf b/terraform/modules/cloudfront/data.tf index f8c1a4a2..d5ae5eed 100644 --- a/terraform/modules/cloudfront/data.tf +++ b/terraform/modules/cloudfront/data.tf 
@@ -1,14 +1,14 @@ data "aws_region" "current" {} data "aws_caller_identity" "current" {} data "aws_s3_bucket" "files_bucket" { - count = var.create_files_bucket ? 0 : 1 + count = var.create_files_bucket ? 0 : 1 bucket = var.cloudfront_distribution_bucket_name } data "aws_iam_policy_document" "s3_policy" { statement { actions = ["s3:GetObject"] - resources = [var.create_files_bucket ? "arn:aws:s3:::${local.files_bucket_name}/*" : "${data.aws_s3_bucket.files_bucket[0].arn}/*"] + resources = [var.create_files_bucket ? "arn:aws:s3:::${local.files_bucket_name}/*" : "${data.aws_s3_bucket.files_bucket[0].arn}/*"] principals { type = "AWS" @@ -30,18 +30,18 @@ data "aws_cloudfront_cache_policy" "managed_cache" { data "aws_iam_policy_document" "kinesis_assume_role_policy" { statement { actions = ["sts:AssumeRole"] - effect = "Allow" - sid = "" + effect = "Allow" + sid = "" principals { identifiers = ["firehose.amazonaws.com"] - type = "Service" + type = "Service" } } } data "aws_iam_policy_document" "firehose_policy" { statement { - sid = "" + sid = "" effect = "Allow" actions = [ "s3:AbortMultipartUpload", @@ -57,9 +57,9 @@ data "aws_iam_policy_document" "firehose_policy" { ] } statement { - effect = "Allow" - sid = "" - actions = ["iam:CreateServiceLinkedRole"] + effect = "Allow" + sid = "" + actions = ["iam:CreateServiceLinkedRole"] resources = ["arn:aws:iam::*:role/aws-service-role/wafv2.amazonaws.com/AWSServiceRoleForWAFV2Logging"] } } @@ -72,21 +72,21 @@ data "aws_secretsmanager_secret_version" "cloudfront" { data "aws_iam_policy_document" "lambda_assume_policy" { statement { - sid = "" + sid = "" effect = "Allow" actions = [ "sts:AssumeRole" ] principals { identifiers = ["lambda.amazonaws.com"] - type = "Service" + type = "Service" } } } data "aws_iam_policy_document" "lambda_s3_policy" { statement { - sid = "" + sid = "" effect = "Allow" actions = [ "s3:GetObject", 
@@ -96,7 +96,7 @@ data "aws_iam_policy_document" "lambda_s3_policy" { resources = ["arn:aws:s3:::${aws_s3_bucket.kinesis_log.bucket}/*"] } statement { - sid = "" + sid = "" effect = "Allow" actions = [ "s3:ListBucket" @@ -106,7 +106,7 @@ data "aws_iam_policy_document" "lambda_s3_policy" { ] } statement { - sid = "" + sid = "" effect = "Allow" actions = [ "wafv2:ListIPSets", diff --git a/terraform/modules/cloudfront/kinesis.tf b/terraform/modules/cloudfront/kinesis.tf index 62e25488..4aa065eb 100644 --- a/terraform/modules/cloudfront/kinesis.tf +++ b/terraform/modules/cloudfront/kinesis.tf @@ -4,19 +4,43 @@ resource "aws_s3_bucket" "kinesis_log" { acl = "private" } resource "aws_iam_role" "firehose_role" { - name = local.kenesis_role_name - assume_role_policy = data.aws_iam_policy_document.kinesis_assume_role_policy.json - permissions_boundary = var.target_account_cloudone ? local.permission_boundary_arn: null - tags = var.tags + name = local.kenesis_role_name + assume_role_policy = data.aws_iam_policy_document.kinesis_assume_role_policy.json + permissions_boundary = var.target_account_cloudone ? local.permission_boundary_arn : null + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_iam_policy" "firehose_policy" { - name = local.kenesis_policy_name + name = local.kenesis_policy_name policy = data.aws_iam_policy_document.firehose_policy.json - tags = var.tags + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_iam_role_policy_attachment" "firehose_policy_attachment" { - policy_arn = aws_iam_policy.firehose_policy.arn + policy_arn = aws_iam_policy.firehose_policy.arn role = aws_iam_role.firehose_role.name } diff --git a/terraform/modules/cloudfront/lambda.tf b/terraform/modules/cloudfront/lambda.tf index bcafbcfc..ea676b2d 100644 
--- a/terraform/modules/cloudfront/lambda.tf +++ b/terraform/modules/cloudfront/lambda.tf @@ -1,13 +1,25 @@ resource "aws_iam_role" "lambda_role" { - assume_role_policy = data.aws_iam_policy_document.lambda_assume_policy.json - name = local.lambda_role_name - tags = var.tags - permissions_boundary = var.target_account_cloudone ? local.permission_boundary_arn: null + assume_role_policy = data.aws_iam_policy_document.lambda_assume_policy.json + name = local.lambda_role_name + permissions_boundary = var.target_account_cloudone ? local.permission_boundary_arn : null + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_iam_policy" "lambda_iam_policy" { policy = data.aws_iam_policy_document.lambda_s3_policy.json - name = local.lambda_policy_name + name = local.lambda_policy_name } resource "aws_iam_policy" "cloudwatch_log_iam_policy" { 
@@ -16,31 +28,31 @@ resource "aws_iam_policy" "cloudwatch_log_iam_policy" { } resource "aws_iam_policy_attachment" "lambda_s3_policy_attachment" { - name = "${var.resource_prefix}-lambda-s3-attachement" + name = "${var.resource_prefix}-lambda-s3-attachement" policy_arn = aws_iam_policy.lambda_iam_policy.arn - roles = [aws_iam_role.lambda_role.name] + roles = [aws_iam_role.lambda_role.name] } resource "aws_iam_policy_attachment" "cloudwatch_log_policy_attachment" { - name = "${var.resource_prefix}-cloudwatch-log-attachement" + name = "${var.resource_prefix}-cloudwatch-log-attachement" policy_arn = aws_iam_policy.cloudwatch_log_iam_policy.arn - roles = [aws_iam_role.lambda_role.name] + roles = [aws_iam_role.lambda_role.name] } resource "aws_lambda_function" "slack_lambda" { - filename = "${path.module}/send-slack.zip" - function_name = "${var.stack_name}-${var.env}-send-slack" - role = aws_iam_role.lambda_role.arn - handler = "slack.handler" - memory_size = 512 - timeout = 60 + filename = "${path.module}/send-slack.zip" + function_name = "${var.stack_name}-${var.env}-send-slack" + role = aws_iam_role.lambda_role.arn + handler = "slack.handler" + memory_size = 512 + timeout = 60 source_code_hash = filebase64sha256("${path.module}/send-slack.zip") - runtime = "python3.8" + runtime = "python3.8" environment { variables = { - SLACK_URL = jsondecode(data.aws_secretsmanager_secret_version.slack_url.secret_string)[var.slack_url_secret_key] + SLACK_URL = jsondecode(data.aws_secretsmanager_secret_version.slack_url.secret_string)[var.slack_url_secret_key] SLACK_CHANNEL = var.cloudfront_slack_channel_name - REGION = data.aws_region.current.name + REGION = data.aws_region.current.name } } 
@@ -55,45 +67,45 @@ resource "aws_lambda_permission" "lambda_invoke_sns" { } resource "aws_lambda_function" "slack_waf" { - filename = "${path.module}/wafreport.zip" - function_name = "${var.resource_prefix}-waf-report" - role = aws_iam_role.lambda_role.arn - handler = "blocked.handler" - memory_size = 1024 - timeout = 60 + filename = "${path.module}/wafreport.zip" + function_name = "${var.resource_prefix}-waf-report" + role = aws_iam_role.lambda_role.arn + handler = "blocked.handler" + memory_size = 1024 + timeout = 60 source_code_hash = filebase64sha256("${path.module}/wafreport.zip") runtime = "python3.8" environment { variables = { - SLACK_URL = jsondecode(data.aws_secretsmanager_secret_version.slack_url.secret_string)[var.slack_url_secret_key] - SLACK_CHANNEL = var.cloudfront_slack_channel_name + SLACK_URL = jsondecode(data.aws_secretsmanager_secret_version.slack_url.secret_string)[var.slack_url_secret_key] + SLACK_CHANNEL = var.cloudfront_slack_channel_name BLOCK_IP_FILE_NAME = "blocked_ip/ips.txt" - WAF_SCOPE = "CLOUDFRONT" - S3_BUCKET_NAME = aws_s3_bucket.kinesis_log.bucket - TMP_FILE_NAME = "/tmp/blocked_ip.txt" - IP_SETS_NAME = aws_wafv2_ip_set.ip_sets.name + WAF_SCOPE = "CLOUDFRONT" + S3_BUCKET_NAME = aws_s3_bucket.kinesis_log.bucket + TMP_FILE_NAME = "/tmp/blocked_ip.txt" + IP_SETS_NAME = aws_wafv2_ip_set.ip_sets.name } } } resource "aws_cloudwatch_event_rule" "every_7am" { - name = "${var.resource_prefix}-every-7am" - description = "run waf report every 7am" + name = "${var.resource_prefix}-every-7am" + description = "run waf report every 7am" schedule_expression = "cron(0 7 ? 
* MON-FRI *)" } resource "aws_cloudwatch_event_target" "run_waf_report_every_7am" { - rule = aws_cloudwatch_event_rule.every_7am.name + rule = aws_cloudwatch_event_rule.every_7am.name target_id = "${var.resource_prefix}-waf-report" - arn = aws_lambda_function.slack_waf.arn + arn = aws_lambda_function.slack_waf.arn } resource "aws_lambda_permission" "cloudwatch_invoke_lambda" { - statement_id = "AllowExecutionFromCloudWatch" - action = "lambda:InvokeFunction" + statement_id = "AllowExecutionFromCloudWatch" + action = "lambda:InvokeFunction" function_name = aws_lambda_function.slack_waf.function_name - principal = "events.amazonaws.com" - source_arn = aws_cloudwatch_event_rule.every_7am.arn + principal = "events.amazonaws.com" + source_arn = aws_cloudwatch_event_rule.every_7am.arn } \ No newline at end of file diff --git a/terraform/modules/cloudfront/locals.tf b/terraform/modules/cloudfront/locals.tf index 6b17f54b..61882598 100644 --- a/terraform/modules/cloudfront/locals.tf +++ b/terraform/modules/cloudfront/locals.tf @@ -1,6 +1,6 @@ locals { - s3_origin_id = "${var.stack_name}_files_origin_id" - env_type = var.env == "dev" || var.env == "qa" ? "nonprod" : "prod" + s3_origin_id = "${var.stack_name}_files_origin_id" + env_type = var.env == "dev" || var.env == "qa" ? "nonprod" : "prod" kenesis_role_name = var.target_account_cloudone ? "${var.iam_prefix}-${var.resource_prefix}-firehose-role" : "${var.resource_prefix}-firehose-role" kenesis_policy_name = var.target_account_cloudone ? "${var.iam_prefix}-${var.resource_prefix}-firehose-policy" : "${var.resource_prefix}-firehose-policy" kenesis_bucket_name = var.target_account_cloudone ? "cloudone-${var.resource_prefix}-kinesis-firehose-stream" : "${var.resource_prefix}-kinesis-firehose-stream" diff --git a/terraform/modules/cloudfront/main.tf b/terraform/modules/cloudfront/main.tf index bdcfc5b5..ef832e6e 100644 --- a/terraform/modules/cloudfront/main.tf +++ b/terraform/modules/cloudfront/main.tf 
@@ -6,17 +6,41 @@ resource "aws_cloudfront_origin_access_identity" "origin_access" { #create bucket for logs resource "aws_s3_bucket" "files" { - count = var.create_files_bucket ? 1 : 0 - bucket = local.files_bucket_name + count = var.create_files_bucket ? 1 : 0 + bucket = local.files_bucket_name acl = "private" - tags = var.tags + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } #create bucket for logs resource "aws_s3_bucket" "access_logs" { - bucket = local.files_log_bucket_name + bucket = local.files_log_bucket_name acl = "private" - tags = var.tags + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } #create s3 bucket policy @@ -35,7 +59,7 @@ resource "aws_cloudfront_distribution" "distribution" { web_acl_id = aws_wafv2_web_acl.waf.arn origin { - domain_name = var.create_files_bucket ? aws_s3_bucket.files[0].bucket_domain_name : data.aws_s3_bucket.files_bucket[0].bucket_domain_name + domain_name = var.create_files_bucket ? aws_s3_bucket.files[0].bucket_domain_name : data.aws_s3_bucket.files_bucket[0].bucket_domain_name origin_id = local.s3_origin_id s3_origin_config { origin_access_identity = aws_cloudfront_origin_access_identity.origin_access.cloudfront_access_identity_path @@ -53,9 +77,9 @@ resource "aws_cloudfront_distribution" "distribution" { allowed_methods = ["GET", "HEAD"] cached_methods = ["GET", "HEAD"] target_origin_id = local.s3_origin_id - cache_policy_id = data.aws_cloudfront_cache_policy.managed_cache.id + cache_policy_id = data.aws_cloudfront_cache_policy.managed_cache.id - trusted_key_groups = [aws_cloudfront_key_group.key_group.id] + trusted_key_groups = [aws_cloudfront_key_group.key_group.id] viewer_protocol_policy = "redirect-to-https" min_ttl = var.min_ttl default_ttl = var.default_ttl 
@@ -72,7 +96,19 @@ resource "aws_cloudfront_distribution" "distribution" { restriction_type = "none" } } - tags = var.tags + + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } #create waf @@ -107,7 +143,18 @@ resource "aws_wafv2_web_acl" "waf" { } } - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } visibility_config { cloudwatch_metrics_enabled = true @@ -119,13 +166,24 @@ resource "aws_wafv2_web_acl" "waf" { resource "aws_wafv2_regex_pattern_set" "api_files_pattern" { - name = "${var.resource_prefix}-api-files-pattern" - scope = "CLOUDFRONT" + name = "${var.resource_prefix}-api-files-pattern" + scope = "CLOUDFRONT" regular_expression { regex_string = "^/api/files/*" } - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } @@ -144,7 +202,7 @@ resource "aws_cloudfront_key_group" "key_group" { resource "aws_wafv2_web_acl_logging_configuration" "waf_logging" { log_destination_configs = [ - aws_kinesis_firehose_delivery_stream.firehose_stream.arn] + aws_kinesis_firehose_delivery_stream.firehose_stream.arn] resource_arn = aws_wafv2_web_acl.waf.arn redacted_fields { single_header { @@ -173,5 +231,16 @@ resource "aws_wafv2_ip_set" "ip_sets" { scope = "CLOUDFRONT" ip_address_version = "IPV4" addresses = ["127.0.0.1/32"] - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } diff --git a/terraform/modules/cloudfront/variables.tf b/terraform/modules/cloudfront/variables.tf index f3aabeea..b28b5aba 100644 --- a/terraform/modules/cloudfront/variables.tf +++ b/terraform/modules/cloudfront/variables.tf 
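Review bot: The `regular_expression` in `aws_wafv2_regex_pattern_set.api_files_pattern` is `^/api/files/*`, where `/*` means zero or more slashes, so the pattern also matches a bare `/api/files` and places no constraint on what follows; if the intent is to cover every path under that prefix, `^/api/files/` (or `^/api/files/.*`) states it explicitly. Only the `name`/`scope` alignment and the `CreateDate` tags change in this hunk, so the regex is pre-existing, but any WAF rule keyed on this set inherits the looser match. In the preceding hunk the new `lifecycle` block in `aws_wafv2_web_acl.waf` is placed before `visibility_config`, whereas every other resource in the commit puts `lifecycle` last; moving it to the end would be consistent.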
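Review bot: The `lifecycle` block added to `aws_wafv2_ip_set.ip_sets` ignores only `tags["CreateDate"]` while `addresses` stays pinned to `["127.0.0.1/32"]`; the `slack_waf` Lambda on this page receives `IP_SETS_NAME = aws_wafv2_ip_set.ip_sets.name` and `wafv2:ListIPSets` rights, so if it maintains the set's addresses out of band, each subsequent apply will reset them to the placeholder. If that is the design, extend the same list: `ignore_changes = [tags["CreateDate"], addresses]`, with a comment noting that the address list is owned by the WAF report Lambda; if Terraform is meant to own the list, a comment saying the placeholder is deliberate would avoid the question. The resource's opening line lies before the hunk.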
@@ -4,41 +4,41 @@ variable "resource_prefix" { } variable "tags" { description = "tags to associate with this instance" - type = map(string) + type = map(string) } variable "stack_name" { description = "name of the project" - type = string + type = string } variable "domain_name" { description = "domain name for the application" - type = string + type = string } variable "env" { description = "environment" - type = string + type = string } variable "cloudfront_distribution_bucket_name" { description = "specify the name of s3 bucket for cloudfront" - type = string + type = string } variable "alarms" { description = "alarms to be configured" - type = map(map(string)) + type = map(map(string)) } variable "slack_secret_name" { - type = string + type = string description = "name of cloudfront slack secret" } variable "cloudfront_slack_channel_name" { - type = string + type = string description = "cloudfront slack name" } 
@@ -48,46 +48,46 @@ variable "iam_prefix" { default = "power-user" } -variable "target_account_cloudone"{ +variable "target_account_cloudone" { description = "to add check conditions on whether the resources are brought up in cloudone or not" type = bool - default = false + default = false } variable "slack_url_secret_key" { description = "secret key name for the slack url" - type = string - default = "cloud-front-slack-url" + type = string + default = "cloud-front-slack-url" } variable "create_files_bucket" { description = "indicate if you want to create files bucket or use existing one" - type = bool - default = false + type = bool + default = false } variable "public_key_path" { description = "path of public key" - default = null + default = null } variable "price_class" { description = "price class of cloudfront distribution" - default = "PriceClass_100" + default = "PriceClass_100" } # TTL variable "min_ttl" { description = "minimum time to live" - default = 0 + default = 0 } variable "default_ttl" { description = "default time to live" - default = 3600 + default = 3600 } variable "max_ttl" { description = "maximum time to live" - default = 86400 + default = 86400 } \ No newline at end of file diff --git a/terraform/modules/cloudwatch/data.tf b/terraform/modules/cloudwatch/data.tf index cfe92d2b..9e28d3e8 100644 --- a/terraform/modules/cloudwatch/data.tf +++ b/terraform/modules/cloudwatch/data.tf @@ -1,12 +1,12 @@ data "aws_iam_policy_document" "events_assume_role" { count = var.target_type != "" ? 1 : 0 statement { - effect = "Allow" - actions = ["sts:AssumeRole"] + effect = "Allow" + actions = ["sts:AssumeRole"] - principals { - type = "Service" - identifiers = ["events.amazonaws.com"] + principals { + type = "Service" + identifiers = ["events.amazonaws.com"] + } } } -} diff --git a/terraform/modules/cloudwatch/iam.tf b/terraform/modules/cloudwatch/iam.tf index f1b84f13..410f172d 100644 --- a/terraform/modules/cloudwatch/iam.tf 
+++ b/terraform/modules/cloudwatch/iam.tf @@ -6,7 +6,7 @@ resource "aws_iam_role" "events_role" { } resource "aws_iam_role_policy_attachment" "events_attachment" { - count = var.target_type != "" ? 1 : 0 - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - role = aws_iam_role.events_role[0].name + count = var.target_type != "" ? 1 : 0 + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + role = aws_iam_role.events_role[0].name } diff --git a/terraform/modules/cloudwatch/main.tf b/terraform/modules/cloudwatch/main.tf index 9b96c8d3..662450d7 100644 --- a/terraform/modules/cloudwatch/main.tf +++ b/terraform/modules/cloudwatch/main.tf @@ -19,12 +19,12 @@ resource "aws_cloudwatch_event_target" "event_target" { } resource "aws_cloudwatch_event_permission" "events_permission" { - count = var.target_type != "" ? 1 : 0 - action = "lambda:InvokeFunction" - principal = "events.amazonaws.com" - source_arn = aws_cloudwatch_event_rule.scheduled_event.arn - statement_id = "AllowInvoke" - function_name = aws_cloudwatch_event_target.event_target[0].arn - source_profile = aws_iam_role.events_role.arn + count = var.target_type != "" ? 1 : 0 + action = "lambda:InvokeFunction" + principal = "events.amazonaws.com" + source_arn = aws_cloudwatch_event_rule.scheduled_event.arn + statement_id = "AllowInvoke" + function_name = aws_cloudwatch_event_target.event_target[0].arn + source_profile = aws_iam_role.events_role.arn } diff --git a/terraform/modules/cloudwatch/variable.tf b/terraform/modules/cloudwatch/variable.tf index bcf6b0a8..c59ad780 100644 --- a/terraform/modules/cloudwatch/variable.tf +++ b/terraform/modules/cloudwatch/variable.tf @@ -11,7 +11,7 @@ variable "cron_expression" { variable "target_type" { description = "Select a target type for the CloudWatch event" type = string - default = "" + default = "" } variable "custom_target_arn" { 
diff --git a/terraform/modules/ecr/locals.tf b/terraform/modules/ecr/locals.tf index c6e0e811..4edc3c86 100644 --- a/terraform/modules/ecr/locals.tf +++ b/terraform/modules/ecr/locals.tf @@ -2,8 +2,8 @@ locals { account_arn = format("arn:aws:iam::%s:root", data.aws_caller_identity.current.account_id) # Access Policies - local = var.access_scheme == "local" ? data.aws_iam_policy_document.local.json : "" - standard = var.access_scheme == "standard" ? data.aws_iam_policy_document.standard.json : "" - alternate = var.access_scheme == "alternate" ? data.aws_iam_policy_document.alternate.json : "" - policy_doc = coalesce(local.local, local.standard, local.alternate) + local = var.access_scheme == "local" ? data.aws_iam_policy_document.local.json : "" + standard = var.access_scheme == "standard" ? data.aws_iam_policy_document.standard.json : "" + alternate = var.access_scheme == "alternate" ? data.aws_iam_policy_document.alternate.json : "" + policy_doc = coalesce(local.local, local.standard, local.alternate) } \ No newline at end of file diff --git a/terraform/modules/ecr/main.tf b/terraform/modules/ecr/main.tf index f4e4a491..6c62ae8c 100644 --- a/terraform/modules/ecr/main.tf +++ b/terraform/modules/ecr/main.tf @@ -4,10 +4,17 @@ resource "aws_ecr_repository" "ecr" { image_tag_mutability = "MUTABLE" tags = merge( { - "Name" = format("%s-%s-%s", each.key, var.env, "ecr-registry") + "Name" = format("%s-%s-%s", each.key, var.env, "ecr-registry"), + "CreateDate" = timestamp() }, var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_ecr_repository_policy" "ecr_policy" { @@ -37,7 +44,7 @@ resource "aws_ecr_lifecycle_policy" "ecr_life_cycle" { } resource "aws_ecr_registry_policy" "this" { - count = var.allow_ecr_replication ? 1: 0 + count = var.allow_ecr_replication ? 1 : 0 policy = jsonencode({ Version = "2012-10-17", Statement = [ 
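Review bot: `image_tag_mutability = "MUTABLE"` is kept as context while the tag block of `aws_ecr_repository.ecr` is rewritten; with mutable tags a later push can replace the image behind an existing tag, so if deployments reference images by tag rather than digest, `"IMMUTABLE"` (or a variable defaulting to it) is the safer setting. The new `"CreateDate" = timestamp()` entry follows the same pattern as the aurora cluster tags, so the same `ignore_changes` coupling applies here. The `aws_ecr_repository.ecr` block starts before this hunk.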
@@ -60,7 +67,7 @@ resource "aws_ecr_registry_policy" "this" { } resource "aws_ecr_replication_configuration" "replication" { - count = var.enable_ecr_replication ? 1: 0 + count = var.enable_ecr_replication ? 1 : 0 replication_configuration { rule { destination { diff --git a/terraform/modules/ecr/variables.tf b/terraform/modules/ecr/variables.tf index ccaff57b..28bfd4d4 100644 --- a/terraform/modules/ecr/variables.tf +++ b/terraform/modules/ecr/variables.tf @@ -25,51 +25,51 @@ variable "env" { # Access Policy Configuration variable "nonprod_account_id" { - type = string + type = string description = "account ID for the project's non-production account" - default = "" + default = "" } variable "prod_account_id" { - type = string + type = string description = "account ID for the project's production account" - default = "" + default = "" } variable "access_scheme" { - type = string + type = string description = "the type of access to apply to the ECR repos" - default = "local" + default = "local" } # Lifecycle Policy Configuration variable "max_images_to_keep" { description = "the maximum number of images to keep in the repository" - type = number - default = 20 + type = number + default = 20 } # Replication variable "replication_destination_registry_id" { - type = string + type = string description = "registry id for destination image" - default = "" + default = "" } variable "replication_source_registry_id" { - type = string + type = string description = "registry id for source image" - default = "" + default = "" } variable "enable_ecr_replication" { description = "enable ecr replication" - type = bool - default = false + type = bool + default = false } variable "allow_ecr_replication" { description = "allow ecr replication" - type = bool - default = false + type = bool + default = false } \ No newline at end of file diff --git a/terraform/modules/ecs/data.tf b/terraform/modules/ecs/data.tf index 10df861d..143c191e 100644 --- a/terraform/modules/ecs/data.tf 
+++ b/terraform/modules/ecs/data.tf @@ -43,15 +43,15 @@ data "aws_iam_policy_document" "task_execution_kms" { data "aws_iam_policy_document" "task_execution_secrets" { statement { - effect = "Allow" - actions = [ - "secretsmanager:GetSecretValue", - "secretsmanager:ListSecrets", - "secretsmanager:DescribeSecret", - "secretsmanager:ListSecretVersionIds", - "secretsmanager:GetResourcePolicy" - ] - resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:*"] + effect = "Allow" + actions = [ + "secretsmanager:GetSecretValue", + "secretsmanager:ListSecrets", + "secretsmanager:DescribeSecret", + "secretsmanager:ListSecretVersionIds", + "secretsmanager:GetResourcePolicy" + ] + resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:*"] } } @@ -128,7 +128,7 @@ data "aws_iam_policy_document" "ecs_exec_cloudwatch" { "logs:CreateLogStream", "logs:CreateLogGroup" ] - resources = [ var.allow_cloudwatch_stream ? "*" : aws_cloudwatch_log_group.ecs_execute_command_log_group.arn] + resources = [var.allow_cloudwatch_stream ? "*" : aws_cloudwatch_log_group.ecs_execute_command_log_group.arn] } #need to refine this to exec log groups be referencing ARN in resources @@ -158,15 +158,15 @@ data "aws_iam_policy_document" "ecs_exec_kms" { data "aws_iam_policy_document" "os_policy" { statement { - effect = "Allow" - actions = ["es:ESHttp*"] + effect = "Allow" + actions = ["es:ESHttp*"] resources = ["arn:aws:es:*:${data.aws_caller_identity.current.account_id}:domain/${local.os_domain_name}/*"] } } data "aws_lb_target_group" "frontend" { count = var.stack_name == "bento" && var.env == "prod" ? 1 : 0 - name = "${var.resource_prefix}-frontend" + name = "${var.resource_prefix}-frontend" } data "aws_iam_policy_document" "task_execution_sqs" { diff --git a/terraform/modules/ecs/iam.tf b/terraform/modules/ecs/iam.tf index 3938191e..7270e368 100644 
--- a/terraform/modules/ecs/iam.tf +++ b/terraform/modules/ecs/iam.tf @@ -1,6 +1,6 @@ resource "aws_iam_role" "ecs_task_execution_role" { name = local.task_execution_role_name - assume_role_policy = var.use_custom_trust_policy ? var.custom_trust_policy: data.aws_iam_policy_document.ecs_trust_policy.json + assume_role_policy = var.use_custom_trust_policy ? var.custom_trust_policy : data.aws_iam_policy_document.ecs_trust_policy.json permissions_boundary = var.target_account_cloudone ? local.permission_boundary_arn : null } @@ -15,8 +15,8 @@ resource "aws_iam_policy" "ecs_task_execution_role_policy" { } resource "aws_iam_role" "ecs_task_role" { - name = local.task_role_name - assume_role_policy = data.aws_iam_policy_document.ecs_trust_policy.json + name = local.task_role_name + assume_role_policy = data.aws_iam_policy_document.ecs_trust_policy.json #permissions_boundary = local.permission_boundary_arn permissions_boundary = var.target_account_cloudone ? local.permission_boundary_arn : null } diff --git a/terraform/modules/ecs/kms.tf b/terraform/modules/ecs/kms.tf index e4e81065..f0993772 100644 --- a/terraform/modules/ecs/kms.tf +++ b/terraform/modules/ecs/kms.tf @@ -4,8 +4,16 @@ resource "aws_kms_key" "ecs_exec" { tags = merge( { - "Name" = format("%s-%s", var.stack_name, "ecs-exec-kms-key") + "Name" = format("%s-%s", var.stack_name, "ecs-exec-kms-key"), + "CreateDate" = timestamp() }, - var.tags + var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } + } diff --git a/terraform/modules/ecs/locals.tf b/terraform/modules/ecs/locals.tf index 8b83fed3..5f2e71f8 100644 --- a/terraform/modules/ecs/locals.tf +++ b/terraform/modules/ecs/locals.tf 
@@ -9,5 +9,5 @@ locals { vpc_cidr = data.aws_vpc.current.cidr_block os_domain_name = var.add_opensearch_permission ? "${var.resource_prefix}-opensearch" : "*" permission_boundary_arn = terraform.workspace == "stage" || terraform.workspace == "prod" ? null : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/PermissionBoundary_PowerUser" - ecr_account = var.central_ecr_account_id + ecr_account = var.central_ecr_account_id } \ No newline at end of file diff --git a/terraform/modules/ecs/main.tf b/terraform/modules/ecs/main.tf index a4fce402..8397a21c 100644 --- a/terraform/modules/ecs/main.tf +++ b/terraform/modules/ecs/main.tf @@ -25,10 +25,18 @@ resource "aws_ecs_task_definition" "task" { tags = merge( { - "Name" = format("%s-%s-%s-%s", var.stack_name, var.env, each.value.name, "task-definition") + "Name" = format("%s-%s-%s-%s", var.stack_name, var.env, each.value.name, "task-definition"), + "CreateDate" = timestamp() }, var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } + } #ecs service @@ -50,7 +58,7 @@ resource "aws_ecs_service" "service" { } network_configuration { - security_groups = [ aws_security_group.ecs.id,aws_security_group.app.id] + security_groups = [aws_security_group.ecs.id, aws_security_group.app.id] subnets = var.ecs_subnet_ids assign_public_ip = false } @@ -117,8 +125,16 @@ resource "aws_ecs_cluster" "ecs_cluster" { tags = merge( { - "Name" = format("%s-%s", var.stack_name, "ecs-cluster") + "Name" = format("%s-%s", var.stack_name, "ecs-cluster"), + "CreateDate" = timestamp() }, - var.tags + var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } + } diff --git a/terraform/modules/ecs/neo4j.tf b/terraform/modules/ecs/neo4j.tf index 2e328143..70233f7b 100644 --- a/terraform/modules/ecs/neo4j.tf +++ b/terraform/modules/ecs/neo4j.tf 
@@ -1,6 +1,6 @@ #task definition resource "aws_ecs_task_definition" "neo4j" { - count = var.create_neo4j_db ? 1 : 0 + count = var.create_neo4j_db ? 1 : 0 family = "${var.stack_name}-${var.env}-neo4j-db" network_mode = var.ecs_network_mode requires_compatibilities = ["FARGATE"] @@ -28,16 +28,24 @@ resource "aws_ecs_task_definition" "neo4j" { ]) tags = merge( - { - "Name" = format("%s-%s-%s-%s", var.stack_name, var.env, "neo4j", "task-definition") - }, - var.tags, + { + "Name" = format("%s-%s-%s-%s", var.stack_name, var.env, "neo4j", "task-definition"), + "CreateDate" = timestamp() + }, + var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } + } #ecs service resource "aws_ecs_service" "neo4j" { - count = var.create_neo4j_db ? 1 : 0 + count = var.create_neo4j_db ? 1 : 0 name = "${var.stack_name}-${var.env}-neo4j" cluster = aws_ecs_cluster.ecs_cluster.id task_definition = aws_ecs_task_definition.neo4j[0].arn @@ -53,7 +61,7 @@ resource "aws_ecs_service" "neo4j" { } network_configuration { - security_groups = [ aws_security_group.ecs.id,aws_security_group.app.id] + security_groups = [aws_security_group.ecs.id, aws_security_group.app.id] subnets = var.ecs_subnet_ids assign_public_ip = false } @@ -67,7 +75,7 @@ resource "aws_ecs_service" "neo4j" { } resource "aws_appautoscaling_target" "neo4j_autoscaling_target" { - count = var.create_neo4j_db ? 1 : 0 + count = var.create_neo4j_db ? 1 : 0 max_capacity = 5 min_capacity = 1 resource_id = "service/${aws_ecs_cluster.ecs_cluster.name}/${aws_ecs_service.neo4j[0].name}" @@ -76,7 +84,7 @@ resource "aws_appautoscaling_target" "neo4j_autoscaling_target" { } resource "aws_appautoscaling_policy" "neo4j_autoscaling_cpu" { - count = var.create_neo4j_db ? 1 : 0 + count = var.create_neo4j_db ? 1 : 0 name = "cpu-autoscaling" policy_type = "TargetTrackingScaling" resource_id = aws_appautoscaling_target.neo4j_autoscaling_target[0].resource_id 
diff --git a/terraform/modules/ecs/outputs.tf b/terraform/modules/ecs/outputs.tf index 17491a66..394bcf73 100644 --- a/terraform/modules/ecs/outputs.tf +++ b/terraform/modules/ecs/outputs.tf @@ -1,17 +1,17 @@ # ECS Outputs: output "ecs_task_definition_arn" { - value = {for k, v in aws_ecs_task_definition.task: k => v.arn} + value = { for k, v in aws_ecs_task_definition.task : k => v.arn } } output "ecs_task_service_arn" { - value = {for k, v in aws_ecs_service.service: k => v.id} + value = { for k, v in aws_ecs_service.service : k => v.id } } /* output "appautoscaling_target_arn" { value = {for k, v in aws_appautoscaling_target.microservice_autoscaling_target: k => v.arn} } */ output "appautoscaling_policy_arn" { - value = {for k, v in aws_appautoscaling_policy.microservice_autoscaling_cpu: k => v.arn} + value = { for k, v in aws_appautoscaling_policy.microservice_autoscaling_cpu : k => v.arn } } output "ecs_cluster_arn" { diff --git a/terraform/modules/ecs/securitygroups.tf b/terraform/modules/ecs/securitygroups.tf index bba5355e..a06cb015 100644 --- a/terraform/modules/ecs/securitygroups.tf +++ b/terraform/modules/ecs/securitygroups.tf @@ -5,10 +5,18 @@ resource "aws_security_group" "ecs" { tags = merge( { - "Name" = format("%s-%s-%s-%s", var.stack_name, var.env, "ecs", "sg") + "Name" = format("%s-%s-%s-%s", var.stack_name, var.env, "ecs", "sg"), + "CreateDate" = timestamp() }, - var.tags + var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } + } 
@@ -23,15 +31,24 @@ resource "aws_security_group_rule" "all_egress" { #create app security group resource "aws_security_group" "app" { - name = "${var.resource_prefix}-app-sg" - description = "Allow application to communicate with other aws resources" - vpc_id = var.vpc_id + name = "${var.resource_prefix}-app-sg" + description = "Allow application to communicate with other aws resources" + vpc_id = var.vpc_id + tags = merge( - { - "Name" = format("%s-%s-app-sg",var.stack_name,terraform.workspace), - }, - var.tags, + { + "Name" = format("%s-%s-app-sg", var.stack_name, terraform.workspace), + "CreateDate" = timestamp() + }, + var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } + } resource "aws_security_group_rule" "app_all_egress" { diff --git a/terraform/modules/ecs/tg.tf b/terraform/modules/ecs/tg.tf index 5a01aa72..d0a384af 100644 --- a/terraform/modules/ecs/tg.tf +++ b/terraform/modules/ecs/tg.tf @@ -21,12 +21,21 @@ resource "aws_lb_target_group" "target_group" { healthy_threshold = 2 unhealthy_threshold = 2 } + tags = merge( { - "Name" = format("%s-%s", var.stack_name, "${each.value.name}-alb-target-group") + "Name" = format("%s-%s", var.stack_name, "${each.value.name}-alb-target-group"), + "CreateDate" = timestamp() }, var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } + } resource "aws_lb_listener_rule" "alb_listener" { @@ -51,7 +60,7 @@ resource "aws_lb_listener_rule" "alb_listener" { } resource "aws_lb_listener_rule" "alb_listener_additional_url" { - count = var.stack_name == "bento" && var.env == "prod" ? 1 : 0 + count = var.stack_name == "bento" && var.env == "prod" ? 1 : 0 listener_arn = var.alb_https_listener_arn action { type = "forward" 
@@ -59,7 +68,7 @@ resource "aws_lb_listener_rule" "alb_listener_additional_url" { } condition { host_header { - values = ["www.${var.domain_name}","${var.stack_name}.${var.domain_name}"] + values = ["www.${var.domain_name}", "${var.stack_name}.${var.domain_name}"] } } condition { diff --git a/terraform/modules/ecs/variables.tf b/terraform/modules/ecs/variables.tf index 522c3ad1..01c0f498 100644 --- a/terraform/modules/ecs/variables.tf +++ b/terraform/modules/ecs/variables.tf @@ -93,47 +93,47 @@ variable "container_insights_setting" { default = "disabled" } -variable "target_account_cloudone"{ +variable "target_account_cloudone" { description = "to add check conditions on whether the resources are brought up in cloudone or not" type = bool default = true } variable "add_opensearch_permission" { - type = bool - default = false + type = bool + default = false description = "choose to create opensearch permission or not" } variable "allow_cloudwatch_stream" { - type = bool - default = false + type = bool + default = false description = "allow cloudwatch stream for the containers" } variable "domain_name" { - type = string + type = string description = "domain name of this app" - default = "bento-tools.org" + default = "bento-tools.org" } variable "create_neo4j_db" { - type = bool - default = false + type = bool + default = false description = "choose to add neo4j container or not" } variable "central_ecr_account_id" { - type = string + type = string description = "central ecr account number" - default = null + default = null } variable "use_custom_trust_policy" { - type = bool + type = bool description = "use custom role trust policy" - default = false + default = false } variable "custom_trust_policy" { - type = string + type = string description = "custom role trust policy" - default = null + default = null } \ No newline at end of file 
diff --git a/terraform/modules/firehose-metrics/outputs.tf b/terraform/modules/firehose-metrics/outputs.tf index 23f52eff..16969c54 100644 --- a/terraform/modules/firehose-metrics/outputs.tf +++ b/terraform/modules/firehose-metrics/outputs.tf @@ -1,4 +1,4 @@ output "read_only_role_arn" { - value = module.iam_read_only.arn + value = module.iam_read_only.arn description = "The ARN to copy/paste when creating a New Relic Linked Account" } \ No newline at end of file diff --git a/terraform/modules/firehose-metrics/versions.tf b/terraform/modules/firehose-metrics/versions.tf index c9eccaba..cd1c75a9 100644 --- a/terraform/modules/firehose-metrics/versions.tf +++ b/terraform/modules/firehose-metrics/versions.tf @@ -1,5 +1,5 @@ terraform { -# required_version = ">= 1.3" + # required_version = ">= 1.3" required_providers { aws = { diff --git a/terraform/modules/loadbalancer/main.tf b/terraform/modules/loadbalancer/main.tf index 4f182548..3dcb50d7 100644 --- a/terraform/modules/loadbalancer/main.tf +++ b/terraform/modules/loadbalancer/main.tf @@ -1,8 +1,8 @@ resource "aws_lb" "alb" { - name = local.alb_name - load_balancer_type = var.alb_type - subnets = var.alb_subnet_ids - security_groups = [aws_security_group.alb.id] + name = local.alb_name + load_balancer_type = var.alb_type + subnets = var.alb_subnet_ids + security_groups = [aws_security_group.alb.id] #tfsec:ignore:aws-elb-alb-not-public internal = var.alb_internal drop_invalid_header_fields = true @@ -21,10 +21,17 @@ resource "aws_lb" "alb" { tags = merge( { - "Name" = format("%s-%s-lb", var.stack_name, var.env) + "Name" = format("%s-%s-lb", var.stack_name, var.env), + "CreateDate" = timestamp() }, var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } #create https redirect 
@@ -43,7 +50,18 @@ resource "aws_lb_listener" "http" { } } - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_lb_listener" "https" { @@ -63,7 +81,18 @@ resource "aws_lb_listener" "https" { } } - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_security_group" "alb" { @@ -71,11 +100,18 @@ resource "aws_security_group" "alb" { description = local.alb_sg_description vpc_id = var.vpc_id tags = merge( - { - "Name" = format("%s-sg", local.alb_name) - }, - var.tags, + { + "Name" = format("%s-sg", local.alb_name), + "CreateDate" = timestamp() + }, + var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_security_group_rule" "all_egress" { diff --git a/terraform/modules/monitoring/monitoring.tf b/terraform/modules/monitoring/monitoring.tf index 084b902e..17770636 100644 --- a/terraform/modules/monitoring/monitoring.tf +++ b/terraform/modules/monitoring/monitoring.tf @@ -1,13 +1,13 @@ #Sumologic #Createacollector -resource"sumologic_collector""collector"{ - name="${var.resource_prefix}-${var.service}" +resource "sumologic_collector" "collector" { + name = "${var.resource_prefix}-${var.service}" } #CreateanHTTPsources -resource"sumologic_http_source""sumo_source"{ - for_each=var.microservices - name="${each.value.name}" - category="${var.program}/${terraform.workspace}/${var.app}/${each.value.name}" - collector_id=sumologic_collector.collector.id +resource "sumologic_http_source" "sumo_source" { + for_each = var.microservices + name = each.value.name + category = "${var.program}/${terraform.workspace}/${var.app}/${each.value.name}" + collector_id = sumologic_collector.collector.id } \ No newline at end of file 
diff --git a/terraform/modules/monitoring/outputs.tf b/terraform/modules/monitoring/outputs.tf index a0da99db..7a23a386 100644 --- a/terraform/modules/monitoring/outputs.tf +++ b/terraform/modules/monitoring/outputs.tf @@ -1,4 +1,4 @@ output "sumo_source_urls" { - value = {for k, v in sumologic_http_source.sumo_source: k => regex(".*/(.*)", sumologic_http_source.sumo_source[k].url)} + value = { for k, v in sumologic_http_source.sumo_source : k => regex(".*/(.*)", sumologic_http_source.sumo_source[k].url) } description = "map of name, source url for sumo collectors" } \ No newline at end of file diff --git a/terraform/modules/monitoring/variables.tf b/terraform/modules/monitoring/variables.tf index 9488e27c..edd078bc 100644 --- a/terraform/modules/monitoring/variables.tf +++ b/terraform/modules/monitoring/variables.tf @@ -1,15 +1,15 @@ variable "resource_prefix" { description = "the prefix to add when creating resources" - type = string + type = string } variable "service" { - type = string + type = string description = "Name of the service where the monitoring is configured. example ecs, database etc" } variable "program" { - type = string + type = string description = "Name of the program where the application is running. example ccdi or crdc etc" } diff --git a/terraform/modules/neo4j/data.tf b/terraform/modules/neo4j/data.tf index 0a9e9596..79f30032 100644 --- a/terraform/modules/neo4j/data.tf +++ b/terraform/modules/neo4j/data.tf @@ -36,7 +36,7 @@ data "aws_ssm_parameter" "sshkey" { data "aws_iam_policy_document" "sts_policy" { statement { - effect = "Allow" + effect = "Allow" actions = ["sts:AssumeRole"] principals { identifiers = ["ec2.amazonaws.com"] 
@@ -51,15 +51,15 @@ data "aws_iam_policy" "ssm_policy" { data "aws_security_group" "sg" { count = var.create_security_group ? 0 : 1 - name = var.db_security_group_name + name = var.db_security_group_name } data "aws_iam_instance_profile" "profile" { count = var.create_instance_profile ? 0 : 1 - name = var.db_iam_profile_name + name = var.db_iam_profile_name } data "aws_ssm_document" "ssm" { - count = var.create_bootstrap_script ? 0 : 1 + count = var.create_bootstrap_script ? 0 : 1 name = var.db_boostrap_ssm_document document_format = "YAML" } \ No newline at end of file diff --git a/terraform/modules/neo4j/main.tf b/terraform/modules/neo4j/main.tf index 75fcf383..b275427a 100644 --- a/terraform/modules/neo4j/main.tf +++ b/terraform/modules/neo4j/main.tf @@ -5,7 +5,7 @@ resource "aws_instance" "db" { key_name = var.ssh_key_name subnet_id = var.db_subnet_id source_dest_check = false - vpc_security_group_ids = [var.create_security_group ? aws_security_group.database_sg[0].id : data.aws_security_group.sg[0].id ] + vpc_security_group_ids = [var.create_security_group ? aws_security_group.database_sg[0].id : data.aws_security_group.sg[0].id] user_data = data.template_cloudinit_config.user_data.rendered iam_instance_profile = var.create_instance_profile ? aws_iam_instance_profile.db_profile[0].name : data.aws_iam_instance_profile.profile[0].name private_ip = var.db_private_ip @@ -18,16 +18,18 @@ resource "aws_instance" "db" { } metadata_options { - http_tokens = var.require_http_tokens + http_tokens = var.require_http_tokens http_endpoint = var.enable_http_endpoint } tags = merge( { - "Name" = "${var.resource_prefix}-${var.database_name}", + "Name" = "${var.resource_prefix}-${var.database_name}", + "CreateDate" = timestamp() }, var.tags, ) + lifecycle { ignore_changes = all } 
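Review bot: The new `CreateDate` tag on `aws_instance.db` will never be applied to an existing instance, because the resource keeps `lifecycle { ignore_changes = all }` two lines below; that same setting also means drift in `metadata_options`, `vpc_security_group_ids` and `iam_instance_profile` is silently ignored, so hardening this host can only happen by recreating it. Narrowing the list, for example `ignore_changes = [ami, user_data, tags["CreateDate"]]`, would let the security-relevant attributes reconcile, though the reason `all` was chosen should be checked first. Separately, `http_tokens = var.require_http_tokens` defaults to `"optional"` per the neo4j variables.tf hunk later in this diff, leaving IMDSv1 enabled on a database host that carries an SSM instance profile; a default of `"required"` is the safer baseline. The resource block starts before this hunk.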
@@ -35,7 +37,7 @@ resource "aws_instance" "db" { #create boostrap script to hook up the node to ecs cluster resource "aws_ssm_document" "ssm_neo4j_boostrap" { - count = var.create_bootstrap_script ? 1 : 0 + count = var.create_bootstrap_script ? 1 : 0 # name = "${var.stack_name}-${var.env}-setup-database" name = "${var.resource_prefix}-setup-database" document_type = "Command" @@ -63,30 +65,44 @@ mainSteps: DOC tags = merge( { - "Name" = format("%s-%s", var.resource_prefix, "ssm-document") + "Name" = format("%s-%s", var.resource_prefix, "ssm-document"), + "CreateDate" = timestamp() }, var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } #create database security group resource "aws_security_group" "database_sg" { - count = var.create_security_group ? 1 : 0 - name = "${var.resource_prefix}-database-sg" + count = var.create_security_group ? 1 : 0 + name = "${var.resource_prefix}-database-sg" description = "${var.resource_prefix} database security group" - vpc_id = var.vpc_id + vpc_id = var.vpc_id tags = merge( - { - "Name" = format("%s-%s-%s",var.stack_name,var.env,"database-sg") - }, - var.tags, + { + "Name" = format("%s-%s-%s", var.stack_name, var.env, "database-sg"), + "CreateDate" = timestamp() + }, + var.tags, ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_ssm_association" "database" { name = var.create_bootstrap_script ? aws_ssm_document.ssm_neo4j_boostrap[0].name : data.aws_ssm_document.ssm[0].name targets { - key = "tag:Name" + key = "tag:Name" # values = ["${var.stack_name}-${var.env}-${var.database_name}"] values = ["${var.resource_prefix}-${var.database_name}-4"] } 
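Review bot: The `aws_ssm_association.database` target in the trailing context of the `ssm_neo4j_boostrap` hunk selects `tag:Name` equal to `"${var.resource_prefix}-${var.database_name}-4"`, while `aws_instance.db` earlier in this file is tagged `"${var.resource_prefix}-${var.database_name}"` without the `-4`, so the bootstrap document will not attach to the instance this module creates unless something outside the module applies that tag. If the suffix is deliberate (the commented-out value suggests the target has been changed before), a comment such as `# intentionally targets the externally tagged "-4" node, not aws_instance.db` would stop the next reader from "fixing" it; otherwise `values = [aws_instance.db.tags["Name"]]` keeps the two in sync. This was not introduced by the commit, but the hunk re-aligns the `key = "tag:Name"` line.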
@@ -95,15 +111,15 @@ resource "aws_ssm_association" "database" { } resource "aws_iam_role" "db_role" { - count = var.create_instance_profile ? 1 : 0 - name = "${var.resource_prefix}-database-instance-role" - assume_role_policy = data.aws_iam_policy_document.sts_policy.json + count = var.create_instance_profile ? 1 : 0 + name = "${var.resource_prefix}-database-instance-role" + assume_role_policy = data.aws_iam_policy_document.sts_policy.json managed_policy_arns = [data.aws_iam_policy.ssm_policy.arn] } resource "aws_iam_instance_profile" "db_profile" { count = var.create_instance_profile ? 1 : 0 - role = aws_iam_role.db_role[0].name - name = "${var.resource_prefix}-database-instance-profile" + role = aws_iam_role.db_role[0].name + name = "${var.resource_prefix}-database-instance-profile" } \ No newline at end of file diff --git a/terraform/modules/neo4j/variables.tf b/terraform/modules/neo4j/variables.tf index cbe77351..55e9cc12 100644 --- a/terraform/modules/neo4j/variables.tf +++ b/terraform/modules/neo4j/variables.tf 
@@ -71,45 +71,45 @@ variable "public_ssh_key_ssm_parameter_name" { type = string } variable "require_http_tokens" { - type = string + type = string description = "choose if http_tokens is required or optional" - default = "optional" + default = "optional" } variable "enable_http_endpoint" { - type = string + type = string description = "choose if http_endpoint is enabled or disabld" - default = "enabled" + default = "enabled" } variable "db_security_group_name" { - type = string + type = string description = "provide existing security group" - default = null + default = null } variable "create_security_group" { - type = bool - default = true + type = bool + default = true description = "create security group or not" } variable "create_instance_profile" { - type = bool - default = true + type = bool + default = true description = "create instance profile or not" } variable "db_iam_profile_name" { - type = string + type = string description = "name of iam profile to apply" - default = null + default = null } variable "create_bootstrap_script" { - type = bool - default = true + type = bool + default = true description = "choose to create bootstrap script or not" } variable "db_boostrap_ssm_document" { - type = string - default = null + type = string + default = null description = "ssm document for db boostrap" } \ No newline at end of file diff --git a/terraform/modules/neptune-instance/variables.tf b/terraform/modules/neptune-instance/variables.tf index 56f3b74a..12ede0a9 100644 --- a/terraform/modules/neptune-instance/variables.tf +++ b/terraform/modules/neptune-instance/variables.tf @@ -75,7 +75,7 @@ variable "promotion_tier" { sensitive = false } -variable "publicly_accessible"{ +variable "publicly_accessible" { type = bool description = "if its publicly accessible or not" default = false diff --git a/terraform/modules/opensearch/main.tf b/terraform/modules/opensearch/main.tf index 773dc433..d79b07e0 100644 --- a/terraform/modules/opensearch/main.tf 
+++ b/terraform/modules/opensearch/main.tf @@ -2,7 +2,18 @@ resource "aws_opensearch_domain" "this" { domain_name = "${var.resource_prefix}-opensearch" engine_version = var.engine_version access_policies = local.access_policies - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } cluster_config { instance_type = local.custom_instance_type @@ -81,8 +92,18 @@ resource "aws_security_group" "this" { description = "The security group for the ${var.resource_prefix}-opensearch OpenSearch domain" vpc_id = var.vpc_id - tags = { - Name = "${var.resource_prefix}-opensearch-security-group" + tags = merge( + { + "Name" = "${var.resource_prefix}-opensearch-security-group", + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] } } @@ -102,7 +123,18 @@ resource "aws_cloudwatch_log_group" "this" { name = "/aws/opensearch-service/${var.resource_prefix}" retention_in_days = var.log_retention_in_days - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_cloudwatch_log_resource_policy" "this" { @@ -119,7 +151,18 @@ resource "aws_iam_role" "snapshot" { description = "The snapshot role for the ${var.resource_prefix}-opensearch domain" assume_role_policy = data.aws_iam_policy_document.trust[0].json permissions_boundary = local.permissions_boundary - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } resource "aws_iam_policy" "snapshot" { diff --git a/terraform/modules/rds-mysql/locals.tf b/terraform/modules/rds-mysql/locals.tf index 82b62bcc..6f722a29 100644 --- a/terraform/modules/rds-mysql/locals.tf +++ b/terraform/modules/rds-mysql/locals.tf 
@@ -1,3 +1,3 @@
 locals {
 permissions_boundary_arn = var.attach_permissions_boundary ? "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/PermissionBoundary_PowerUser" : null
- }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/terraform/modules/rds-mysql/main.tf b/terraform/modules/rds-mysql/main.tf
index 06304f6e..3a49de83 100644
--- a/terraform/modules/rds-mysql/main.tf
+++ b/terraform/modules/rds-mysql/main.tf
@@ -1,27 +1,27 @@ resource "aws_db_instance" "this" { - allocated_storage = var.allocated_storage - allow_major_version_upgrade = var.allow_major_version_upgrade - apply_immediately = var.apply_immediately - auto_minor_version_upgrade = var.auto_minor_version_upgrade - backup_retention_period = var.backup_retention_period - backup_window = var.backup_window - copy_tags_to_snapshot = true - db_name = var.db_name - db_subnet_group_name = var.create_db_subnet_group ? aws_db_subnet_group.this[0].name : var.db_subnet_group_name - delete_automated_backups = true - deletion_protection = var.deletion_protection - enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports - engine = "mysql" - engine_version = var.engine_version - final_snapshot_identifier = "${var.resource_prefix}-rds-snapshot-final" - iam_database_authentication_enabled = var.iam_database_authentication_enabled - identifier = "${var.resource_prefix}-${var.rds_suffix}" - instance_class = var.instance_class - iops = var.allocated_storage > 399 ? var.iops : null - maintenance_window = var.maintenance_window - monitoring_interval = var.monitoring_interval - monitoring_role_arn = var.enable_enhanced_monitoring ? aws_iam_role.this[0].arn : null - multi_az = var.multi_az + allocated_storage = var.allocated_storage + allow_major_version_upgrade = var.allow_major_version_upgrade + apply_immediately = var.apply_immediately + auto_minor_version_upgrade = var.auto_minor_version_upgrade + backup_retention_period = var.backup_retention_period + backup_window = var.backup_window + copy_tags_to_snapshot = true + db_name = var.db_name + db_subnet_group_name = var.create_db_subnet_group ? 
aws_db_subnet_group.this[0].name : var.db_subnet_group_name + delete_automated_backups = true + deletion_protection = var.deletion_protection + enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports + engine = "mysql" + engine_version = var.engine_version + final_snapshot_identifier = "${var.resource_prefix}-rds-snapshot-final" + iam_database_authentication_enabled = var.iam_database_authentication_enabled + identifier = "${var.resource_prefix}-${var.rds_suffix}" + instance_class = var.instance_class + iops = var.allocated_storage > 399 ? var.iops : null + maintenance_window = var.maintenance_window + monitoring_interval = var.monitoring_interval + monitoring_role_arn = var.enable_enhanced_monitoring ? aws_iam_role.this[0].arn : null + multi_az = var.multi_az #network_type = "IPV4" password = var.password performance_insights_enabled = var.performance_insights_enabled @@ -33,16 +33,25 @@ resource "aws_db_instance" "this" { storage_encrypted = true storage_type = var.storage_type #storage_throughput = var.allocated_storage > 399 ? var.storage_throughput : null - tags = var.tags - username = var.username - vpc_security_group_ids = var.create_security_group ? [aws_security_group.this[0].id] : var.vpc_security_group_ids + username = var.username + vpc_security_group_ids = var.create_security_group ? [aws_security_group.this[0].id] : var.vpc_security_group_ids blue_green_update { enabled = true } + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + lifecycle { - ignore_changes = [snapshot_identifier] + ignore_changes = [ + tags["CreateDate"], + snapshot_identifier + ] } } 
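Review bot: In the `aws_db_instance.this` tags hunk, `"CreateDate" = timestamp()` combines with `copy_tags_to_snapshot = true` set earlier in the same resource, so every automated and final snapshot inherits a `CreateDate` that is the instance's creation time rather than the snapshot's, which is misleading for any retention or forensic query keyed on that tag. Either document that with a comment like `# CreateDate is the instance creation time; snapshots copy it unchanged` or leave the tag off this resource. While this file is being reshaped it is also worth flagging that `password = var.password` (first hunk of the file) lands the master password in plan output and state, unlike the aurora module in this repo which generates it with `random_password`; `manage_master_user_password = true`, or at minimum declaring the variable `sensitive = true`, would be the safer default — confirm the pinned provider version supports it.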
@@ -53,8 +62,18 @@ resource "aws_db_subnet_group" "this" { description = "Subnet group for ${var.resource_prefix} RDS instance" subnet_ids = var.subnet_ids - tags = { - Name = "${var.resource_prefix}-rds-subnet-group" + tags = merge( + { + "Name" = "${var.resource_prefix}-rds-subnet-group", + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] } } @@ -88,8 +107,18 @@ resource "aws_security_group" "this" { description = "controls ingress and egress traffic for the ${var.resource_prefix} rds instance" vpc_id = var.vpc_id - tags = { - Name = "${var.resource_prefix}-${var.rds_suffix}" + tags = merge( + { + "Name" = "${var.resource_prefix}-${var.rds_suffix}", + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] } } diff --git a/terraform/modules/roles/main.tf b/terraform/modules/roles/main.tf index 16e31a73..a366da64 100644 --- a/terraform/modules/roles/main.tf +++ b/terraform/modules/roles/main.tf @@ -8,7 +8,18 @@ module "iam_assumable_role" { number_of_custom_role_policy_arns = length(local.all_custom_policy_arns) trusted_role_services = var.trusted_role_services role_description = var.role_description - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } module "iam_policy" { @@ -18,5 +29,16 @@ module "iam_policy" { name = var.custom_policy_name description = var.iam_policy_description policy = var.iam_policy - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } } \ No newline at end of file diff --git a/terraform/modules/route53/main.tf b/terraform/modules/route53/main.tf index 416b9bad..90933ba9 100644 --- a/terraform/modules/route53/main.tf +++ b/terraform/modules/route53/main.tf 
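Review bot: The `lifecycle { ignore_changes = [...] }` blocks added to `module "iam_assumable_role"` and `module "iam_policy"` are invalid HCL for a module call: `lifecycle` is a resource meta-argument, and a `module` block only accepts `source`, `version`, `count`, `for_each`, `providers` and `depends_on`, so `terraform validate` should reject this file. Removing the two blocks fixes the syntax, but then `"CreateDate" = timestamp()` is re-evaluated on every plan and passed into the child module, producing a perpetual tag diff on the role and policy it manages. For module calls, either keep `tags = var.tags` as it was, or let the caller supply a fixed date in `var.tags` instead of computing one here.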
@@ -10,8 +10,8 @@ resource "aws_route53_record" "dns_record" { } resource "aws_route53_record" "dns_record_prod" { - count = var.env == "prod" ? 1 : 0 - name = "${var.application_subdomain}" + count = var.env == "prod" ? 1 : 0 + name = var.application_subdomain type = "A" zone_id = data.aws_route53_zone.zone.id alias { @@ -22,22 +22,22 @@ resource "aws_route53_record" "dns_record_prod" { } resource "aws_route53_record" "www" { - count = var.env == "prod" ? 1 : 0 - name = "www" - type = "CNAME" + count = var.env == "prod" ? 1 : 0 + name = "www" + type = "CNAME" zone_id = data.aws_route53_zone.zone.zone_id - ttl = "5" + ttl = "5" records = [var.domain_name] } resource "aws_route53_record" "bento_url" { - count = var.env == "prod" && var.stack_name == "bento" ? 1 : 0 - name = var.domain_name - type = "A" + count = var.env == "prod" && var.stack_name == "bento" ? 1 : 0 + name = var.domain_name + type = "A" zone_id = data.aws_route53_zone.zone.zone_id alias { evaluate_target_health = false - name = var.alb_dns_name - zone_id = var.alb_zone_id + name = var.alb_dns_name + zone_id = var.alb_zone_id } } \ No newline at end of file diff --git a/terraform/modules/route53/variables.tf b/terraform/modules/route53/variables.tf index ce98dd30..b131f6c3 100644 --- a/terraform/modules/route53/variables.tf +++ b/terraform/modules/route53/variables.tf @@ -21,6 +21,6 @@ variable "env" { } variable "stack_name" { description = "stack name" - type = string - default = "bento" + type = string + default = "bento" } \ No newline at end of file diff --git a/terraform/modules/s3-replication-destination/data.tf b/terraform/modules/s3-replication-destination/data.tf index d4f3e137..1b82302e 100644 --- a/terraform/modules/s3-replication-destination/data.tf +++ b/terraform/modules/s3-replication-destination/data.tf @@ -1,5 +1,5 @@ data "aws_s3_bucket" "dest" { - count = var.create_destination_bucket ? 0 : 1 + count = var.create_destination_bucket ? 0 : 1 bucket = var.destination_bucket_name } 
@@ -58,7 +58,7 @@ data "aws_iam_policy_document" "dest" { resources = ["${local.destination_bucket_arn}/*"] } statement { - sid = "AllowDataloaderAccess" + sid = "AllowDataloaderAccess" effect = "Allow" principals { identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/power-user-integration-server-profile"] @@ -72,7 +72,7 @@ data "aws_iam_policy_document" "dest" { resources = [local.destination_bucket_arn] } statement { - sid = "AllowDataloaderOperation" + sid = "AllowDataloaderOperation" effect = "Allow" principals { identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/power-user-integration-server-profile"] diff --git a/terraform/modules/s3-replication-destination/locals.tf b/terraform/modules/s3-replication-destination/locals.tf index 5122fda7..d4de4930 100644 --- a/terraform/modules/s3-replication-destination/locals.tf +++ b/terraform/modules/s3-replication-destination/locals.tf @@ -1,3 +1,3 @@ locals { - destination_bucket_arn = var.create_destination_bucket ? aws_s3_bucket.dest[0].arn : data.aws_s3_bucket.dest[0].arn + destination_bucket_arn = var.create_destination_bucket ? aws_s3_bucket.dest[0].arn : data.aws_s3_bucket.dest[0].arn } \ No newline at end of file diff --git a/terraform/modules/s3-replication-destination/main.tf b/terraform/modules/s3-replication-destination/main.tf index 651695d1..b9d66249 100644 --- a/terraform/modules/s3-replication-destination/main.tf +++ b/terraform/modules/s3-replication-destination/main.tf @@ -1,7 +1,18 @@ resource "aws_s3_bucket" "dest" { - count = var.create_destination_bucket ? 1 : 0 + count = var.create_destination_bucket ? 1 : 0 bucket = var.destination_bucket_name - tags = var.tags + tags = merge( + { + "CreateDate" = timestamp() + }, + var.tags, + ) + + lifecycle { + ignore_changes = [ + tags["CreateDate"], + ] + } server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { 
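Review bot: The new `lifecycle` block in `aws_s3_bucket.dest` is placed between `tags` and the inline `server_side_encryption_configuration` block; the neighbouring `aws_s3_bucket_versioning.dest` resource implies AWS provider 4.x or later, where that inline argument is deprecated in favour of the standalone `aws_s3_bucket_server_side_encryption_configuration` resource, so this is the moment to move it rather than bury it further. I cannot confirm which algorithm or key the block sets because its contents are cut off at the end of the hunk. Keeping the `lifecycle` meta-argument as the last block in the resource would also match the other resources touched by this diff. The rest of the bucket resource is outside this hunk.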
@@ -19,6 +30,6 @@ resource "aws_s3_bucket_versioning" "dest" { } resource "aws_s3_bucket_policy" "dest" { - bucket = var.create_destination_bucket ? aws_s3_bucket.dest[0].id : data.aws_s3_bucket.dest[0].id - policy = data.aws_iam_policy_document.dest.json + bucket = var.create_destination_bucket ? aws_s3_bucket.dest[0].id : data.aws_s3_bucket.dest[0].id + policy = data.aws_iam_policy_document.dest.json } \ No newline at end of file diff --git a/terraform/modules/s3-replication-destination/variables.tf b/terraform/modules/s3-replication-destination/variables.tf index bcf6e966..3502f26f 100644 --- a/terraform/modules/s3-replication-destination/variables.tf +++ b/terraform/modules/s3-replication-destination/variables.tf @@ -6,16 +6,16 @@ variable "tags" { variable "destination_bucket_name" { description = "destination bucket name" - type = string - default = "" + type = string + default = "" } variable "create_destination_bucket" { - type = bool - default = false + type = bool + default = false description = "choose to create destination bucket" } variable "replication_role_arn" { description = "replication role arn" - type = string + type = string } diff --git a/terraform/modules/s3-replication-source/README.md b/terraform/modules/s3-replication-source/README.md index 47ce5481..215a5550 100644 --- a/terraform/modules/s3-replication-source/README.md +++ b/terraform/modules/s3-replication-source/README.md 
@@ -37,6 +37,7 @@ No modules. | [env](#input\_env) | name of the environment to provision | `string` | n/a | yes | | [iam\_prefix](#input\_iam\_prefix) | The string prefix for IAM roles and policies to conform to NCI power-user compliance | `string` | `"power-user"` | no | | [replication\_destination\_account\_id](#input\_replication\_destination\_account\_id) | replication account id | `string` | `""` | no | +| [resource\_prefix](#input\_resource\_prefix) | The string prefix for resource names | `string` | n/a | yes | | [source\_bucket\_name](#input\_source\_bucket\_name) | source bucket name | `string` | `""` | no | | [stack\_name](#input\_stack\_name) | name of the project | `string` | n/a | yes | | [tags](#input\_tags) | tags to associate with this instance | `map(string)` | n/a | yes | diff --git a/terraform/modules/s3-replication-source/data.tf b/terraform/modules/s3-replication-source/data.tf index 8b8b8565..846e3bf8 100644 --- a/terraform/modules/s3-replication-source/data.tf +++ b/terraform/modules/s3-replication-source/data.tf @@ -1,7 +1,7 @@ data "aws_caller_identity" "current" {} data "aws_s3_bucket" "source" { - count = var.create_source_bucket ? 0 : 1 + count = var.create_source_bucket ? 0 : 1 bucket = var.source_bucket_name } diff --git a/terraform/modules/s3-replication-source/locals.tf b/terraform/modules/s3-replication-source/locals.tf index 3d7a6644..64036d52 100644 --- a/terraform/modules/s3-replication-source/locals.tf +++ b/terraform/modules/s3-replication-source/locals.tf 
@@ -1,6 +1,6 @@ locals { - role_name = var.target_account_cloudone ? "${var.iam_prefix}-${var.resource_prefix}-s3-replication-role" : "${var.resource_prefix}-s3-replication-role" - policy_name = var.target_account_cloudone ? "${var.iam_prefix}-${var.resource_prefix}-s3-replication-policy" : "${var.resource_prefix}-s3-replication-policy" - source_bucket_arn = var.create_source_bucket ? aws_s3_bucket.source[0].arn : data.aws_s3_bucket.source[0].arn - permission_boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/PermissionBoundary_PowerUser" + role_name = var.target_account_cloudone ? "${var.iam_prefix}-${var.resource_prefix}-s3-replication-role" : "${var.resource_prefix}-s3-replication-role" + policy_name = var.target_account_cloudone ? "${var.iam_prefix}-${var.resource_prefix}-s3-replication-policy" : "${var.resource_prefix}-s3-replication-policy" + source_bucket_arn = var.create_source_bucket ? aws_s3_bucket.source[0].arn : data.aws_s3_bucket.source[0].arn + permission_boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/PermissionBoundary_PowerUser" } \ No newline at end of file diff --git a/terraform/modules/s3-replication-source/main.tf b/terraform/modules/s3-replication-source/main.tf index e2bc68e6..d0380deb 100644 --- a/terraform/modules/s3-replication-source/main.tf +++ b/terraform/modules/s3-replication-source/main.tf @@ -1,7 +1,7 @@ resource "aws_iam_role" "main" { name = local.role_name assume_role_policy = data.aws_iam_policy_document.main.json - permissions_boundary = local.permission_boundary_arn + permissions_boundary = local.permission_boundary_arn } resource "aws_iam_policy" "main" { 
@@ -16,8 +16,8 @@ resource "aws_iam_role_policy_attachment" "attach" {
 }
 resource "aws_s3_bucket" "source" {
- count = var.create_source_bucket ? 1 : 0
- bucket = var.source_bucket_name
+ count = var.create_source_bucket ? 1 : 0
+ bucket = var.source_bucket_name
 server_side_encryption_configuration {
 rule {
 apply_server_side_encryption_by_default {
@@ -36,8 +36,8 @@ resource "aws_s3_bucket_versioning" "source" {
 resource "aws_s3_bucket_replication_configuration" "replication" {
 depends_on = [aws_s3_bucket_versioning.source]
- role = aws_iam_role.main.arn
- bucket = var.create_source_bucket ? aws_s3_bucket.source[0].id : data.aws_s3_bucket.source[0].id
+ role = aws_iam_role.main.arn
+ bucket = var.create_source_bucket ? aws_s3_bucket.source[0].id : data.aws_s3_bucket.source[0].id
 rule {
 id = "data-loader"
 filter {
@@ -48,8 +48,8 @@ resource "aws_s3_bucket_replication_configuration" "replication" {
 }
 status = "Enabled"
 destination {
- account = var.replication_destination_account_id
- bucket = "arn:aws:s3:::${var.destination_bucket_name}"
+ account = var.replication_destination_account_id
+ bucket = "arn:aws:s3:::${var.destination_bucket_name}"
 storage_class = "STANDARD"
 access_control_translation {
 owner = "Destination"
diff --git a/terraform/modules/s3-replication-source/variables.tf b/terraform/modules/s3-replication-source/variables.tf
index 66cdecef..6883f34a 100644
--- a/terraform/modules/s3-replication-source/variables.tf
+++ b/terraform/modules/s3-replication-source/variables.tf
@@ -3,11 +3,14 @@ variable "iam_prefix" {
 type = string
 default = "power-user"
 }
-
-variable "target_account_cloudone"{
+variable "resource_prefix" {
+ description = "The string prefix for resource names"
+ type = string
+}
+variable "target_account_cloudone" {
 description = "to add check conditions on whether the resources are brought up in cloudone or not"
 type = bool
- default = false
+ default = false
 }
 variable "tags" {
 description = "tags to associate with this instance"
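Review bot: The new `resource_prefix` variable in variables.tf is interpolated straight into IAM role and policy names (`role_name` and `policy_name` in this module's locals.tf earlier in the diff) but has no validation, so a value containing characters outside the IAM name charset is only rejected at apply time by the API. A `validation` block restricting it to the IAM-permitted set (alphanumeric plus `+=,.@_-`) surfaces the problem at plan time with a clear message. Because the variable has no default it is now required for every caller of this module — the README row added earlier in the diff reflects that, and it is worth stating in the commit message. The locals that consume it are outside this hunk.
```hcl
variable "resource_prefix" {
  description = "The string prefix for resource names"
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9+=,.@_-]+$", var.resource_prefix))
    error_message = "resource_prefix may only contain characters valid in IAM role and policy names (alphanumeric and +=,.@_-)."
  }
}
# … unchanged: target_account_cloudone and following variable blocks …
```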
@@ -23,21 +26,21 @@ variable "env" {
 }
 variable "source_bucket_name" {
 description = "source bucket name"
- type = string
- default = ""
+ type = string
+ default = ""
 }
 variable "destination_bucket_name" {
 description = "destination bucket name"
- type = string
- default = ""
+ type = string
+ default = ""
 }
 variable "create_source_bucket" {
- type = bool
- default = false
+ type = bool
+ default = false
 description = "choose to create source bucket"
 }
 variable "replication_destination_account_id" {
- type = string
+ type = string
 description = "replication account id"
- default = ""
+ default = ""
 }
\ No newline at end of file
diff --git a/terraform/modules/s3/main.tf b/terraform/modules/s3/main.tf
index 657f840d..aa847e51 100644
--- a/terraform/modules/s3/main.tf
+++ b/terraform/modules/s3/main.tf
@@ -1,9 +1,20 @@
 resource "aws_s3_bucket" "s3" {
- # checkov:skip=CKV_AWS_145: Ignore customer managed key (cmk) warning
- # checkov:skip=CKV_AWS_144: Ignore cross-region replication warnings
+ # checkov:skip=CKV_AWS_145: Ignore customer managed key (cmk) warning
+ # checkov:skip=CKV_AWS_144: Ignore cross-region replication warnings
 bucket = local.bucket_name
 force_destroy = var.s3_force_destroy
- tags = var.tags
+ tags = merge(
+ {
+ "CreateDate" = timestamp()
+ },
+ var.tags,
+ )
+
+ lifecycle {
+ ignore_changes = [
+ tags["CreateDate"],
+ ]
+ }
 }
@@ -41,25 +52,25 @@ resource "aws_s3_bucket_versioning" "s3" { resource "aws_s3_bucket_intelligent_tiering_configuration" "s3" { bucket = aws_s3_bucket.s3.bucket - name = "${local.bucket_name}-intelligent-tiering" + name = "${local.bucket_name}-intelligent-tiering" status = var.s3_intelligent_tiering_status tiering { access_tier = "ARCHIVE_ACCESS" - days = var.days_for_archive_tiering + days = var.days_for_archive_tiering } tiering { access_tier = "DEEP_ARCHIVE_ACCESS" - days = var.days_for_deep_archive_tiering + days = var.days_for_deep_archive_tiering } } resource "aws_s3_bucket_logging" "s3" { count = var.s3_enable_access_logging == true ? 1 : 0 - - bucket = aws_s3_bucket.s3.id + + bucket = aws_s3_bucket.s3.id target_bucket = var.s3_access_log_bucket_id target_prefix = var.s3_log_prefix } diff --git a/terraform/modules/s3/outputs.tf b/terraform/modules/s3/outputs.tf index 87ee5a7a..07fc3a97 100644 --- a/terraform/modules/s3/outputs.tf +++ b/terraform/modules/s3/outputs.tf @@ -1,5 +1,5 @@ output "bucket_name" { - value = aws_s3_bucket.s3.id #module.s3.s3_bucket_id + value = aws_s3_bucket.s3.id #module.s3.s3_bucket_id description = "name of the bucket" } diff --git a/terraform/modules/s3/variables.tf b/terraform/modules/s3/variables.tf index 665b931f..73e12842 100644 --- a/terraform/modules/s3/variables.tf +++ b/terraform/modules/s3/variables.tf 
@@ -24,39 +24,39 @@ variable "env" { variable "s3_versioning_status" { description = "Set the status of the bucket versioning feature. Options include Enabled and Disabled" - type = string - default = "Enabled" + type = string + default = "Enabled" } variable "s3_intelligent_tiering_status" { description = "Set the status of the intelligent tiering configuration. Options include Enabled and Disabled" - type = string - default = "Enabled" + type = string + default = "Enabled" } variable "days_for_archive_tiering" { description = "Number of days of consecutive lack of access for an object before it is archived" - type = number + type = number } variable "days_for_deep_archive_tiering" { description = "Number of days of consecutive lack of access for an object before it is archived deeply" - type = number + type = number } variable "s3_enable_access_logging" { description = "set to true to enable s3 access logging" - type = bool - default = true + type = bool + default = true } variable "s3_log_prefix" { description = "The prefix for the destination of the server access logs for an S3 bucket" - type = string - default = "logs/" + type = string + default = "logs/" } variable "s3_access_log_bucket_id" { description = "The destination bucket of access logs for an S3 bucket" - type = string + type = string } diff --git a/terraform/modules/secrets/README.md b/terraform/modules/secrets/README.md index bf3abe89..24a7d589 100644 --- a/terraform/modules/secrets/README.md +++ b/terraform/modules/secrets/README.md @@ -28,7 +28,7 @@ No modules. |------|-------------|------|---------|:--------:| | [app](#input\_app) | name of the app | `string` | n/a | yes | | [region](#input\_region) | aws region to use for this resource | `string` | `"us-east-1"` | no | -| [secret\_values](#input\_secret\_values) | n/a |
map(object({| n/a | yes | +| [secret\_values](#input\_secret\_values) | n/a |
secretKey = string
secretValue = map(string)
description = string
}))
map(object({| n/a | yes | ## Outputs diff --git a/terraform/modules/secrets/provider.tf b/terraform/modules/secrets/provider.tf index 07963ff1..8b249c9e 100644 --- a/terraform/modules/secrets/provider.tf +++ b/terraform/modules/secrets/provider.tf @@ -1,8 +1,8 @@ terraform { required_providers { aws = { - source = "hashicorp/aws" - version = "4.66.1" + source = "hashicorp/aws" + version = "4.66.1" } } } diff --git a/terraform/modules/secrets/secrets.tf b/terraform/modules/secrets/secrets.tf index 7ed240e0..db404dcd 100644 --- a/terraform/modules/secrets/secrets.tf +++ b/terraform/modules/secrets/secrets.tf @@ -1,11 +1,11 @@ resource "aws_secretsmanager_secret" "secrets" { - for_each = var.secret_values - name = each.value.secretKey + for_each = var.secret_values + name = each.value.secretKey description = "" } resource "aws_secretsmanager_secret_version" "secrets_value" { - for_each = var.secret_values + for_each = var.secret_values secret_id = aws_secretsmanager_secret.secrets[each.key].id secret_string = jsonencode(each.value.secretValue) } diff --git a/terraform/modules/secrets/variables.tf b/terraform/modules/secrets/variables.tf index 2c5662d3..bd05e2fb 100644 --- a/terraform/modules/secrets/variables.tf +++ b/terraform/modules/secrets/variables.tf @@ -4,13 +4,13 @@ variable "app" { } variable "region" { description = "aws region to use for this resource" - type = string - default = "us-east-1" + type = string + default = "us-east-1" } variable "secret_values" { type = map(object({ - secretKey = string + secretKey = string secretValue = map(string) description = string })) diff --git a/terraform/modules/sns/iam.tf b/terraform/modules/sns/iam.tf index 22a84d9f..d19f1471 100644 --- a/terraform/modules/sns/iam.tf +++ b/terraform/modules/sns/iam.tf 
@@ -27,9 +27,9 @@ resource "aws_sns_topic_policy" "sns_publish_policy" { Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Action = "sns:Publish", - Resource = aws_sns_topic.main.arn, + Effect = "Allow", + Action = "sns:Publish", + Resource = aws_sns_topic.main.arn, Principal = { Service = "lambda.amazonaws.com" } diff --git a/terraform/modules/sns/main.tf b/terraform/modules/sns/main.tf index 9fcbd4e1..64c1e158 100644 --- a/terraform/modules/sns/main.tf +++ b/terraform/modules/sns/main.tf @@ -1,5 +1,5 @@ resource "aws_sns_topic" "main" { - name = "${var.resource_prefix}-${var.sns_topic_name}" + name = "${var.resource_prefix}-${var.sns_topic_name}" display_name = var.sns_display_name }
secretKey = string
secretValue = map(string)
description = string
}))