diff --git a/templates/terraform/modules/certificate/main.tf b/templates/terraform/modules/certificate/main.tf
deleted file mode 100644
index 607d795..0000000
--- a/templates/terraform/modules/certificate/main.tf
+++ /dev/null
@@ -1,48 +0,0 @@
-
-# Create a route53 zone
-# resource "aws_route53_zone" "public" {
-# name = var.domain_name
-# }
-
-# Reference an existing route53 zone
-data "aws_route53_zone" "public" {
- name = var.zone_name
-}
-
-
-
-# To use an ACM cert with CF it has to exist in us-east-1
-provider "aws" {
- region = var.region
- alias = "custom"
-}
-
-# Create an ACM cert for this domain
-resource "aws_acm_certificate" "cert" {
- count = length(var.domain_names)
- provider = aws.custom
-
- domain_name = var.domain_names[count.index]
- validation_method = "DNS"
-}
-
-# Route53 record to validate the certificate
-resource "aws_route53_record" "cert_validation_record" {
- count = length(aws_acm_certificate.cert)
- provider = aws.custom
-
- name = aws_acm_certificate.cert[count.index].domain_validation_options[0]["resource_record_name"]
- records = [aws_acm_certificate.cert[count.index].domain_validation_options[0]["resource_record_value"]]
- type = "CNAME"
- allow_overwrite = true
- zone_id = data.aws_route53_zone.public.zone_id
- ttl = 300
-}
-
-resource "aws_acm_certificate_validation" "cert" {
- count = length(aws_acm_certificate.cert)
- provider = aws.custom
-
- certificate_arn = aws_acm_certificate.cert[count.index].arn
- validation_record_fqdns = aws_route53_record.cert_validation_record.*.fqdn
-}
diff --git a/templates/terraform/modules/certificate/outputs.tf b/templates/terraform/modules/certificate/outputs.tf
deleted file mode 100644
index 4214b20..0000000
--- a/templates/terraform/modules/certificate/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "route53_zone_id" {
- description = "Identifier of the Route53 Zone"
- value = data.aws_route53_zone.public.zone_id
-}
-
-output "certificate_arns" {
- description = "The ARNs of the created certificates, keyed by domain name"
- value = zipmap(aws_acm_certificate.cert[*].domain_name, aws_acm_certificate.cert[*].arn)
-}
-
-output "certificate_validations" {
- description = "The ids of the certificate validations. Provided as a dependency so dependents can wait until the cert is actually valid"
- value = aws_acm_certificate_validation.cert[*].id
-}
diff --git a/templates/terraform/modules/certificate/variables.tf b/templates/terraform/modules/certificate/variables.tf
deleted file mode 100644
index 44233ec..0000000
--- a/templates/terraform/modules/certificate/variables.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-variable "region" {
- description = "The AWS region"
-}
-
-variable "zone_name" {
- description = "Domains of the Route53 hosted zone"
- type = string
-}
-
-variable "domain_names" {
- description = "Domains to create an ACM Cert for"
- type = list(string)
-}
diff --git a/templates/terraform/modules/certificate/versions.tf b/templates/terraform/modules/certificate/versions.tf
deleted file mode 100644
index 2606a5a..0000000
--- a/templates/terraform/modules/certificate/versions.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-terraform {
- required_version = ">= 0.13"
-}
diff --git a/templates/terraform/modules/cognito/main.tf b/templates/terraform/modules/cognito/main.tf
deleted file mode 100644
index dbca7db..0000000
--- a/templates/terraform/modules/cognito/main.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-resource "aws_cognito_user_pool" "users" {
- name = "${var.user_pool}-user-pool"
-
- username_attributes = [
- "email",
- ]
-
- # auto_verified_attributes = ["email"]
-}
-
-resource "aws_cognito_user_pool_client" "client" {
- name = "${var.user_pool}-cognito-client"
-
- user_pool_id = "${aws_cognito_user_pool.users.id}"
- generate_secret = false
-
- allowed_oauth_flows_user_pool_client = true
- allowed_oauth_flows = ["code", "implicit"]
- allowed_oauth_scopes = ["profile", "openid"]
-
- supported_identity_providers = ["COGNITO"]
- refresh_token_validity = "14"
-
- explicit_auth_flows = [
- "ADMIN_NO_SRP_AUTH",
- "USER_PASSWORD_AUTH",
- ]
-
- write_attributes = ["email"]
-
- callback_urls = ["https://auth.${var.hostname}","https://auth.${var.hostname}/oauth2/idpresponse"]
- logout_urls = ["https://auth.${var.hostname}/logout"]
-}
-
-output "cognito_pool_id" {
- value = aws_cognito_user_pool.users.id
-}
-output "cognito_client_id" {
- value = aws_cognito_user_pool_client.client.id
-}
diff --git a/templates/terraform/modules/cognito/variables.tf b/templates/terraform/modules/cognito/variables.tf
deleted file mode 100644
index faa8b1c..0000000
--- a/templates/terraform/modules/cognito/variables.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-variable "user_pool" {
- description = "AWS Cognito pool name"
-}
-variable "hostname" {
- description = "AWS Cognito pool name"
-}
diff --git a/templates/terraform/modules/database/main.tf b/templates/terraform/modules/database/main.tf
deleted file mode 100644
index 4214761..0000000
--- a/templates/terraform/modules/database/main.tf
+++ /dev/null
@@ -1,153 +0,0 @@
-
-module "rds_security_group" {
- source = "terraform-aws-modules/security-group/aws"
- version = "3.2.0"
-
- name = "${var.project}-${var.environment}-rds-sg"
- description = "Security group for RDS DB"
- vpc_id = "${var.vpc_id}"
-
- number_of_computed_ingress_with_source_security_group_id = 1
- computed_ingress_with_source_security_group_id = [
- var.database_engine == "postgres" ? {
- from_port = 5432
- to_port = 5432
- protocol = "tcp"
- description = "PostgreSQL from EKS"
- source_security_group_id = "${var.allowed_security_group_id}"
- }:{
- from_port = 3306
- to_port = 3306
- protocol = "tcp"
- description = "MYSQL from EKS"
- source_security_group_id = "${var.allowed_security_group_id}"
- }
- ]
-
- egress_rules = ["all-all"]
-
- tags = {
- Env = "${var.environment}"
- }
-}
-
-data "aws_caller_identity" "current" {
-}
-
-# secret declared so secret version waits for rds-secret to be ready
-# or else we often see a AWSDEFAULT VERSION secret not found error
-data "aws_secretsmanager_secret" "rds_master_secret" {
- name = "${var.project}-${var.environment}-rds-<% index .Params `randomSeed` %>"
-}
-
-# RDS does not support secret-manager, have to provide the actual string
-data "aws_secretsmanager_secret_version" "rds_master_secret" {
- secret_id = data.aws_secretsmanager_secret.rds_master_secret.name
-}
-
-module "rds_postgres" {
- count = var.database_engine == "postgres" ? 1 : 0
- source = "terraform-aws-modules/rds/aws"
- version = "2.17.0"
-
- identifier = "${var.project}-${var.environment}"
-
- engine = "postgres"
- engine_version = "11"
- instance_class = var.instance_class
- allocated_storage = var.storage_gb
- storage_encrypted = true
-
- name = "${replace(var.project, "-", "")}"
- username = "master_user"
- password = "${data.aws_secretsmanager_secret_version.rds_master_secret.secret_string}"
- port = "5432"
-
- vpc_security_group_ids = ["${module.rds_security_group.this_security_group_id}"]
-
- maintenance_window = "Mon:00:00-Mon:03:00"
- backup_window = "03:00-06:00"
-
- # disable backups to create DB faster in non-production environments
- backup_retention_period = var.environment == "production" ? 30 : 0
-
- # Subnet is created by the vpc module
- create_db_subnet_group = false
- db_subnet_group_name = "${var.project}-${var.environment}-vpc"
-
- # DB parameter and option group
- family = "postgres11"
- major_engine_version = "11"
-
- final_snapshot_identifier = "final-snapshot"
- deletion_protection = true
-
- # Enhanced monitoring
- performance_insights_enabled = true
- create_monitoring_role = true
- monitoring_role_name = "${var.project}-${var.environment}-rds-postgres-monitoring-role"
- monitoring_interval = "30"
-
- tags = {
- Name = "${var.project}-${var.environment}-rds-postgres"
- Env = "${var.environment}"
- }
- depends_on = [module.rds_security_group]
-}
-
-module "rds_mysql" {
- count = var.database_engine == "mysql" ? 1 : 0
- source = "terraform-aws-modules/rds/aws"
- version = "2.17.0"
-
- identifier = "${var.project}-${var.environment}"
-
- engine = "mysql"
- engine_version = "5.7"
- instance_class = var.instance_class
- allocated_storage = var.storage_gb
- storage_encrypted = true
-
- name = "${replace(var.project, "-", "")}"
- username = "master_user"
- password = "${data.aws_secretsmanager_secret_version.rds_master_secret.secret_string}"
- port = "3306"
-
- vpc_security_group_ids = ["${module.rds_security_group.this_security_group_id}"]
-
- maintenance_window = "Mon:00:00-Mon:03:00"
- backup_window = "03:00-06:00"
-
- # disable backups to create DB faster in non-production environments
- backup_retention_period = var.environment == "production" ? 30 : 0
-
- # Subnet is created by the vpc module
- create_db_subnet_group = false
- db_subnet_group_name = "${var.project}-${var.environment}-vpc"
-
- # DB parameter and option group
- family = "mysql5.7"
- major_engine_version = "5.7"
-
- final_snapshot_identifier = "final-snapshot"
- deletion_protection = true
-
- # Enhanced monitoring
- # Seems like mysql doesnt have performance insight on this instance size
- # Amazon RDS for MySQL
- # 8.0.17 and higher 8.0 versions, version 5.7.22 and higher 5.7 versions,
- # and version 5.6.41 and higher 5.6 versions. Not supported for version 5.5.
- # Not supported on the following DB instance classes:
- # db.t2.micro, db.t2.small, db.t3.micro, db.t3.small,
- # all db.m6g instance classes, and all db.r6g instance classes.
- performance_insights_enabled = false
- create_monitoring_role = true
- monitoring_role_name = "${var.project}-${var.environment}-rds-mysql-monitoring-role"
- monitoring_interval = "30"
-
- tags = {
- Name = "${var.project}-${var.environment}-rds-postgres"
- Env = "${var.environment}"
- }
- depends_on = [module.rds_security_group]
-}
diff --git a/templates/terraform/modules/database/variables.tf b/templates/terraform/modules/database/variables.tf
deleted file mode 100644
index ebe7861..0000000
--- a/templates/terraform/modules/database/variables.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-variable "project" {
- description = "The name of the project, mostly for tagging"
-}
-
-variable "environment" {
- description = "The environment (development/staging/production)"
-}
-
-variable "vpc_id" {
- description = "The id of the VPC to create the DB in"
-}
-
-variable "allowed_security_group_id" {
- description = "The security group to allow access"
-}
-
-variable "instance_class" {
- description = "The AWS instance class of the db"
-}
-
-variable "storage_gb" {
- description = "The amount of storage to allocate for the db, in GB"
-}
-
-variable "database_engine" {
- description = "Which database engine to use, currently supports `postgres` or `mysql`"
-}
diff --git a/templates/terraform/modules/database/versions.tf b/templates/terraform/modules/database/versions.tf
deleted file mode 100644
index 2606a5a..0000000
--- a/templates/terraform/modules/database/versions.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-terraform {
- required_version = ">= 0.13"
-}
diff --git a/templates/terraform/modules/ecr/main.tf b/templates/terraform/modules/ecr/main.tf
deleted file mode 100644
index 6e60d4d..0000000
--- a/templates/terraform/modules/ecr/main.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-resource "aws_ecr_repository" "ecr_repository" {
- for_each = var.ecr_repositories
- name = each.value
-
- tags = {
- environment = var.environment
- }
-}
-
-data "aws_iam_policy_document" "ecr_fullaccess" {
- statement {
- sid = "FullAccess"
- effect = "Allow"
-
- principals {
- type = "AWS"
-
- identifiers = var.ecr_principals
- }
-
- actions = [
- "ecr:GetAuthorizationToken",
- "ecr:InitiateLayerUpload",
- "ecr:UploadLayerPart",
- "ecr:CompleteLayerUpload",
- "ecr:PutImage",
- "ecr:BatchCheckLayerAvailability",
- "ecr:GetDownloadUrlForLayer",
- "ecr:GetRepositoryPolicy",
- "ecr:DescribeRepositories",
- "ecr:ListImages",
- "ecr:DescribeImages",
- "ecr:BatchGetImage",
- ]
- }
-}
-
-resource "aws_ecr_repository_policy" "default" {
- for_each = var.ecr_repositories
- repository = each.value
- policy = data.aws_iam_policy_document.ecr_fullaccess.json
- depends_on = [aws_ecr_repository.ecr_repository]
-}
diff --git a/templates/terraform/modules/ecr/variables.tf b/templates/terraform/modules/ecr/variables.tf
deleted file mode 100644
index 786dddc..0000000
--- a/templates/terraform/modules/ecr/variables.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-variable "environment" {
- description = "The environment (dev/staging/prod)"
-}
-
-variable "ecr_repositories" {
- description = "List of ECR repository names to create"
- type = set(string)
-}
-
-variable "ecr_principals" {
- description = "List of principals (most likely users) to give full access to the created ECR repositories"
- type = list(string)
-}
-
diff --git a/templates/terraform/modules/ecr/versions.tf b/templates/terraform/modules/ecr/versions.tf
deleted file mode 100644
index 2606a5a..0000000
--- a/templates/terraform/modules/ecr/versions.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-terraform {
- required_version = ">= 0.13"
-}
diff --git a/templates/terraform/modules/eks/main.tf b/templates/terraform/modules/eks/main.tf
deleted file mode 100644
index 78525fc..0000000
--- a/templates/terraform/modules/eks/main.tf
+++ /dev/null
@@ -1,73 +0,0 @@
-# Set up the terraform provider
-data "aws_eks_cluster" "cluster" {
- name = module.eks.cluster_id
-}
-
-data "aws_eks_cluster_auth" "cluster" {
- name = module.eks.cluster_id
-}
-provider "kubernetes" {
- host = data.aws_eks_cluster.cluster.endpoint
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
- token = data.aws_eks_cluster_auth.cluster.token
- load_config_file = false
- version = "~> 1.11"
-}
-
-module "eks" {
- source = "terraform-aws-modules/eks/aws"
- version = "12.1.0"
-
- cluster_name = var.cluster_name
- cluster_version = var.cluster_version
- subnets = var.private_subnets
- vpc_id = var.vpc_id
- enable_irsa = true
-
- worker_groups = [
- {
- instance_type = var.worker_instance_type
- asg_min_size = var.worker_asg_min_size
- asg_desired_capacity = var.worker_asg_min_size
- asg_max_size = var.worker_asg_max_size
- ami_id = var.worker_ami
- tags = [
- {
- key = "environment"
- value = var.environment
- propagate_at_launch = true
- },
- {
- key = "k8s.io/cluster-autoscaler/enabled"
- propagate_at_launch = "false"
- value = "true"
- },
- {
- key = "k8s.io/cluster-autoscaler/${var.cluster_name}"
- propagate_at_launch = "false"
- value = "owned"
- }
- ]
-
- },
- ]
-
- map_roles = [
- {
- rolearn = "arn:aws:iam::${var.iam_account_id}:role/<% .Name %>-kubernetes-admin-${var.environment}"
- username = "<% .Name %>-kubernetes-admin"
- groups = ["system:masters"]
- },
- ]
- cluster_iam_role_name = "k8s-${var.cluster_name}-cluster"
- workers_role_name = "k8s-${var.cluster_name}-workers"
-
- # Unfortunately fluentd doesn't yet support oidc auth so we need to grant it to the worker nodes
- workers_additional_policies = ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"]
-
- write_kubeconfig = false
-
- tags = {
- environment = var.environment
- }
-}
diff --git a/templates/terraform/modules/eks/outputs.tf b/templates/terraform/modules/eks/outputs.tf
deleted file mode 100644
index 6e3735a..0000000
--- a/templates/terraform/modules/eks/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output "cluster_id" {
- description = "Identifier of the EKS cluster"
- value = module.eks.cluster_id
-}
-
-output "worker_iam_role_arn" {
- description = "The ARN of the EKS worker IAM role"
- value = module.eks.worker_iam_role_arn
-}
-
-output "worker_iam_role_name" {
- description = "The name of the EKS worker IAM role"
- value = module.eks.worker_iam_role_name
-}
-
-output "worker_security_group_id" {
- description = "The security group of the EKS workers"
- value = module.eks.worker_security_group_id
-}
diff --git a/templates/terraform/modules/eks/variables.tf b/templates/terraform/modules/eks/variables.tf
deleted file mode 100644
index 0feaebc..0000000
--- a/templates/terraform/modules/eks/variables.tf
+++ /dev/null
@@ -1,45 +0,0 @@
-variable "project" {
- description = "Name of the project"
-}
-
-variable "environment" {
- description = "The environment (development/staging/production)"
-}
-
-variable "cluster_name" {
- description = "Name to be given to the EKS cluster"
-}
-
-variable "cluster_version" {
- description = "EKS cluster version number to use. Incrementing this will start a cluster upgrade"
-}
-
-variable "private_subnets" {
- description = "VPC subnets for the EKS cluster"
- # type = list(string)
-}
-
-variable "vpc_id" {
- description = "VPC ID for EKS cluster"
-}
-
-variable "worker_instance_type" {
- description = "Instance type for the EKS workers"
-}
-
-variable "worker_asg_min_size" {
- description = "Minimum number of instances for the EKS ASG"
-}
-
-variable "worker_asg_max_size" {
- description = "Maximum number of instances for the EKS ASG"
-}
-
-variable "worker_ami" {
- description = "The (EKS-optimized) AMI for EKS worker instances"
-}
-
-variable "iam_account_id" {
- description = "Account ID of the current IAM user"
-}
-
diff --git a/templates/terraform/modules/eks/versions.tf b/templates/terraform/modules/eks/versions.tf
deleted file mode 100644
index 2606a5a..0000000
--- a/templates/terraform/modules/eks/versions.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-terraform {
- required_version = ">= 0.13"
-}
diff --git a/templates/terraform/modules/logging/main.tf b/templates/terraform/modules/logging/main.tf
deleted file mode 100644
index 05dbff1..0000000
--- a/templates/terraform/modules/logging/main.tf
+++ /dev/null
@@ -1,80 +0,0 @@
-# New managed elasticsearch infra for EKS
-# After creating the infra, run the manifest in kubernetes/monitoring/ to set up fluentd
-module "elasticsearch" {
- source = "cloudposse/elasticsearch/aws"
- version = "0.20.4"
- namespace = var.project
- stage = var.environment
- name = "logging"
- security_groups = var.security_groups
- vpc_id = var.vpc_id
- subnet_ids = var.subnet_ids
- zone_awareness_enabled = (length(var.subnet_ids) > 1)
- availability_zone_count = length(var.subnet_ids)
- elasticsearch_version = var.elasticsearch_version
- instance_type = var.instance_type
- instance_count = var.instance_count
- ebs_volume_size = var.ebs_volume_size_in_gb
- encrypt_at_rest_enabled = !can(regex("(?i)^(M3|R3|T2)", var.instance_type)) # These previous-generation instance types can't support encryption at rest
- iam_actions = ["es:*"]
- iam_role_arns = ["*"]
-
- create_iam_service_linked_role = var.create_service_role
-
- log_publishing_application_enabled = var.enable_cluster_logging
- log_publishing_index_enabled = var.enable_cluster_logging
- log_publishing_search_enabled = var.enable_cluster_logging
-
- log_publishing_application_cloudwatch_log_group_arn = aws_cloudwatch_log_group.application_group.arn
- log_publishing_index_cloudwatch_log_group_arn = aws_cloudwatch_log_group.index_group.arn
- log_publishing_search_cloudwatch_log_group_arn = aws_cloudwatch_log_group.search_group.arn
-
- advanced_options = {
- "rest.action.multi.allow_explicit_index" = "true"
- }
-}
-
-resource "aws_cloudwatch_log_group" "application_group" {
- name = "/aws/aes/domains/${var.project}-${var.environment}-logging/application-logs"
-}
-
-resource "aws_cloudwatch_log_group" "index_group" {
- name = "/aws/aes/domains/${var.project}-${var.environment}-logging/index-logs"
-}
-
-resource "aws_cloudwatch_log_group" "search_group" {
- name = "/aws/aes/domains/${var.project}-${var.environment}-logging/search-logs"
-}
-
-data "aws_iam_policy_document" "elasticsearch_log_publishing_policy" {
- statement {
- actions = [
- "logs:CreateLogStream",
- "logs:PutLogEvents",
- "logs:PutLogEventsBatch",
- ]
-
- resources = ["arn:aws:logs:*"]
-
- principals {
- identifiers = ["es.amazonaws.com"]
- type = "Service"
- }
- }
-}
-
-resource "aws_cloudwatch_log_resource_policy" "elasticsearch_log_publishing_policy" {
- policy_document = data.aws_iam_policy_document.elasticsearch_log_publishing_policy.json
- policy_name = "elasticsearch_log_publishing_policy"
-}
-
-# TODO : Add internal domain, VPC access
-# resource "aws_route53_record" "kibana_cname" {
-# zone_id = aws_route53_zone.internal_domain.zone_id
-
-# name = "kibana.${var.internal_domain}"
-# type = "CNAME"
-# ttl = "300"
-# records = [split("/", module.elasticsearch.kibana_endpoint)[0]] # TODO : check this. Was a workaround that may not be necessary after module upgrade
-# }
-
diff --git a/templates/terraform/modules/logging/variables.tf b/templates/terraform/modules/logging/variables.tf
deleted file mode 100644
index 0728dfb..0000000
--- a/templates/terraform/modules/logging/variables.tf
+++ /dev/null
@@ -1,55 +0,0 @@
-variable "project" {
- description = "The name of the project, mostly for tagging"
-}
-
-variable "environment" {
- description = "The environment (dev/staging/prod)"
-}
-
-variable "vpc_id" {
- description = "ID of the VPC to create this cluster in"
-}
-
-variable "elasticsearch_version" {
- description = "Version of elasticsearch to use"
-}
-
-variable "security_groups" {
- description = "Security groups to allow access from"
- type = list(string)
-}
-
-variable "subnet_ids" {
- description = "IDs of the subnets to put nodes in. The number of subnets here controls the number of nodes in the cluster, which must be a multiple of this number"
- type = list(string)
-}
-
-variable "instance_type" {
- description = "Instance type for nodes"
-
- validation {
- condition = can(regex("^[[:alpha:]][[:digit:]]\\..*\\.elasticsearch$", var.instance_type))
- error_message = "The instance_type variable must contain a valid elasticsearch instance type."
- }
-}
-
-variable "create_service_role" {
- description = "Set this to false if you already have an existing Elasticsearch cluster in this AWS account"
- type = bool
-}
-
-variable "instance_count" {
- description = "Number of nodes in the cluster. Must be a multiple of the number of"
- type = number
-}
-
-variable "ebs_volume_size_in_gb" {
- description = "Size of EBS volume (in GB) to attach to *each* of the nodes in the cluster. The maximum size is limited by the size of the instance"
- type = number
-}
-
-variable "enable_cluster_logging" {
- description = "If enabled, sends the logs from the elasticsearch cluster to Cloudwatch"
- type = bool
- default = false
-}
diff --git a/templates/terraform/modules/s3_hosting/main.tf b/templates/terraform/modules/s3_hosting/main.tf
deleted file mode 100644
index acc6eda..0000000
--- a/templates/terraform/modules/s3_hosting/main.tf
+++ /dev/null
@@ -1,163 +0,0 @@
-locals {
- assets_access_identity = "${var.project}-${var.environment}-client-assets"
-}
-
-resource "aws_s3_bucket" "client_assets" {
- for_each = var.buckets
-
- // Our bucket's name is going to be the same as our site's domain name.
- bucket = each.value
- acl = "private" // The contents will be available through cloudfront, they should not be accessible publicly
-}
-
-# Deny public access to this bucket
-resource "aws_s3_bucket_public_access_block" "client_assets" {
- for_each = var.buckets
-
- bucket = aws_s3_bucket.client_assets[each.value].id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
-
-# Access identity for CF access to S3
-resource "aws_cloudfront_origin_access_identity" "client_assets" {
- comment = local.assets_access_identity
-}
-
-# Policy to allow CF access to S3
-data "aws_iam_policy_document" "assets_origin" {
- for_each = var.buckets
-
- statement {
- actions = ["s3:GetObject"]
- resources = ["arn:aws:s3:::${aws_s3_bucket.client_assets[each.value].id}/*"]
-
- principals {
- type = "AWS"
- identifiers = [aws_cloudfront_origin_access_identity.client_assets.iam_arn]
- }
- }
-
- statement {
- actions = ["s3:ListBucket"]
- resources = ["arn:aws:s3:::${aws_s3_bucket.client_assets[each.value].id}"]
-
- principals {
- type = "AWS"
- identifiers = [aws_cloudfront_origin_access_identity.client_assets.iam_arn]
- }
- }
-}
-
-# Attach the policy to the bucket
-resource "aws_s3_bucket_policy" "client_assets" {
- for_each = var.buckets
-
- bucket = aws_s3_bucket.client_assets[each.value].id
- policy = data.aws_iam_policy_document.assets_origin[each.value].json
-}
-
-# Create the cloudfront distribution
-resource "aws_cloudfront_distribution" "client_assets_distribution" {
- for_each = var.buckets
-
- // origin is where CloudFront gets its content from.
- origin {
- domain_name = aws_s3_bucket.client_assets[each.value].bucket_domain_name
- origin_id = local.assets_access_identity
- s3_origin_config {
- origin_access_identity = aws_cloudfront_origin_access_identity.client_assets.cloudfront_access_identity_path
- }
- }
-
- // for single page applications, we need to respond with the index if file is missing
- custom_error_response {
- error_code = 404
- response_code = 200
- error_caching_min_ttl = 0
- response_page_path = "/index.html"
- }
-
- enabled = true
- is_ipv6_enabled = true
- default_root_object = "index.html" # Render this when you hit the root
-
- // All values are defaults from the AWS console.
- default_cache_behavior {
- target_origin_id = local.assets_access_identity
- viewer_protocol_policy = "redirect-to-https"
- compress = true
- allowed_methods = ["GET", "HEAD"]
- cached_methods = ["GET", "HEAD"]
- min_ttl = 0
- default_ttl = 86400
- max_ttl = 31536000
-
- forwarded_values {
- query_string = false
- cookies {
- forward = "none"
- }
- }
- }
-
- aliases = [
- each.value,
- ]
-
- restrictions {
- geo_restriction {
- restriction_type = "none"
- }
- }
-
- # Use our cert
- viewer_certificate {
- acm_certificate_arn = var.certificate_arns[each.value]
- minimum_protocol_version = "TLSv1"
- ssl_support_method = "sni-only"
- }
-}
-
-locals {
- # Find buckets that are the domain apex. These need to have A ALIAS records.
- rootDomainBuckets = [
- for bucket in var.buckets:
- bucket if length(regexall("\\.", bucket)) == 1
- ]
-
- # Find buckets that are subdomains. These can have CNAME records.
- subDomainBuckets = [
- for bucket in var.buckets:
- bucket if length(regexall("\\.", bucket)) > 1
- ]
-
-}
-
-# Root domains to point at CF
-resource "aws_route53_record" "client_assets_root" {
- count = length(local.rootDomainBuckets)
-
- zone_id = var.route53_zone_id
- name = local.rootDomainBuckets[count.index]
- type = "A"
-
- alias {
- name = aws_cloudfront_distribution.client_assets_distribution[local.rootDomainBuckets[count.index]].domain_name
- zone_id = aws_cloudfront_distribution.client_assets_distribution[local.rootDomainBuckets[count.index]].hosted_zone_id
- evaluate_target_health = false
- }
-}
-
-# Subdomains to point at CF
-resource "aws_route53_record" "client_assets_subdomain" {
- count = length(local.subDomainBuckets)
-
- zone_id = var.route53_zone_id
- name = local.subDomainBuckets[count.index]
- type = "CNAME"
- ttl = "120"
- records = [aws_cloudfront_distribution.client_assets_distribution[local.subDomainBuckets[count.index]].domain_name]
-}
diff --git a/templates/terraform/modules/s3_hosting/outputs.tf b/templates/terraform/modules/s3_hosting/outputs.tf
deleted file mode 100644
index 2f61542..0000000
--- a/templates/terraform/modules/s3_hosting/outputs.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "cloudfront_distribution_ids" {
- description = "Identifiers of the created cloudfront distributions"
- value = values(aws_cloudfront_distribution.client_assets_distribution)[*].id
-}
diff --git a/templates/terraform/modules/s3_hosting/variables.tf b/templates/terraform/modules/s3_hosting/variables.tf
deleted file mode 100644
index 0e75609..0000000
--- a/templates/terraform/modules/s3_hosting/variables.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-variable "project" {
- description = "The name of the project, mostly for tagging"
-}
-
-variable "environment" {
- description = "The environment (dev/staging/prod)"
-}
-
-variable "buckets" {
- description = "S3 hosting buckets"
- type = set(string)
-}
-
-variable "certificate_arns" {
- description = "ARN of the certificate we created for the assets domain, keyed by domain"
- type = map
-}
-
-variable "route53_zone_id" {
- description = "ID of the Route53 zone to create a record in"
- type = string
-}
diff --git a/templates/terraform/modules/s3_hosting/versions.tf b/templates/terraform/modules/s3_hosting/versions.tf
deleted file mode 100644
index 2606a5a..0000000
--- a/templates/terraform/modules/s3_hosting/versions.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-terraform {
- required_version = ">= 0.13"
-}
diff --git a/templates/terraform/modules/secret/main.tf b/templates/terraform/modules/secret/main.tf
deleted file mode 100644
index c9f28ed..0000000
--- a/templates/terraform/modules/secret/main.tf
+++ /dev/null
@@ -1,37 +0,0 @@
-# Add the keys to AWS secrets manager
-resource "aws_secretsmanager_secret" "secret" {
- name = var.name
- tags = var.tags
-}
-
-resource "aws_secretsmanager_secret_version" "string_secret" {
- count = var.type == "string" ? 1 : 0
- secret_id = aws_secretsmanager_secret.secret.id
- secret_string = var.value
-}
-
-resource "aws_secretsmanager_secret_version" "map_secret" {
- count = var.type == "map" ? 1 : 0
- secret_id = aws_secretsmanager_secret.secret.id
- secret_string = jsonencode(var.values)
-}
-
-resource "aws_secretsmanager_secret_version" "random_secret" {
- count = var.type == "random" ? 1 : 0
- secret_id = aws_secretsmanager_secret.secret.id
- secret_string = random_password.random[0].result
-}
-
-resource "random_password" "random" {
- # this allows terraform state to have an identifier for generated passwords
- keepers = {
- aws_secret = var.name
- }
- count = var.type == "random" ? 1 : 0
- length = var.random_length
- special = true
- override_special = "_-+."
- min_special = 2
- min_numeric = 2
- min_upper = 2
-}
diff --git a/templates/terraform/modules/secret/output.tf b/templates/terraform/modules/secret/output.tf
deleted file mode 100644
index aec1a9b..0000000
--- a/templates/terraform/modules/secret/output.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "secret_name" {
- value = aws_secretsmanager_secret.secret.name
-}
diff --git a/templates/terraform/modules/secret/variables.tf b/templates/terraform/modules/secret/variables.tf
deleted file mode 100644
index 4fd7e55..0000000
--- a/templates/terraform/modules/secret/variables.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-variable "name" {
- default = ""
- description = "The name of the secret in Secrets Manager (only one of name or name_prefix can be specified)"
-}
-
-variable type {
- description = "The type of data to hold in this secret (map, string, random)"
-}
-
-variable "values" {
- description = "A map of keys/values to save as json for the secret if type is map"
- type = map
- default = {}
-}
-
-variable "value" {
- description = "A string value to save for the secret if type is string"
- default = ""
-}
-
-variable "random_length" {
- description = "The length of the generated string if type is random. Suitable for a db master password for example"
- default = 16
-}
-
-variable "tags" {
- description = "Tags to include in the secret"
- type = map
- default = {}
-}
diff --git a/templates/terraform/modules/secret/versions.tf b/templates/terraform/modules/secret/versions.tf
deleted file mode 100644
index 2606a5a..0000000
--- a/templates/terraform/modules/secret/versions.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-terraform {
- required_version = ">= 0.13"
-}
diff --git a/templates/terraform/modules/vpc/main.tf b/templates/terraform/modules/vpc/main.tf
deleted file mode 100644
index 9c8a753..0000000
--- a/templates/terraform/modules/vpc/main.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
-
- name = "${var.project}-${var.environment}-vpc"
- cidr = "10.10.0.0/16"
-
- azs = ["${var.region}a", "${var.region}b"] # Most regions have 3+ azs
- private_subnets = ["10.10.32.0/19", "10.10.64.0/19"]
- public_subnets = ["10.10.1.0/24", "10.10.2.0/24"]
- database_subnets = ["10.10.10.0/24", "10.10.11.0/24"]
-
- # Allow kubernetes ALB ingress controller to auto-detect
- private_subnet_tags = {
- "kubernetes.io/cluster/${var.kubernetes_cluster_name}" = "owned"
- "kubernetes.io/role/internal-elb" = "1"
- }
-
- public_subnet_tags = {
- "kubernetes.io/cluster/${var.kubernetes_cluster_name}" = "owned"
- "kubernetes.io/role/elb" = "1"
- }
-
- enable_nat_gateway = true
- single_nat_gateway = var.single_nat_gateway
-
- enable_vpn_gateway = false
- enable_dns_hostnames = true
-
- create_database_subnet_group = true
- create_database_subnet_route_table = true
-
- tags = {
- environment = var.environment
- }
-
- vpc_tags = {
- "kubernetes.io/cluster/${var.kubernetes_cluster_name}" = "shared"
- }
-}
diff --git a/templates/terraform/modules/vpc/outputs.tf b/templates/terraform/modules/vpc/outputs.tf
deleted file mode 100644
index cd9f19e..0000000
--- a/templates/terraform/modules/vpc/outputs.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-output "vpc_id" {
- description = "The ID of the created VPC"
- value = module.vpc.vpc_id
-}
-
-output "vpc_cidr_block" {
- description = "The CIDR block of the VPC"
- value = module.vpc.vpc_cidr_block
-}
-
-output "azs" {
- description = "Availability zones for the VPC"
- value = module.vpc.azs
-}
-
-output "private_subnets" {
- description = "List of private subnets"
- value = module.vpc.private_subnets
-}
-
-output "public_subnets" {
- description = "List of public subnets"
- value = module.vpc.public_subnets
-}
-
-output "database_subnets" {
- description = "List of public subnets"
- value = module.vpc.database_subnets
-}
-
-output "database_subnet_group" {
- description = "List of subnet groups"
- value = module.vpc.database_subnet_group
-}
-
diff --git a/templates/terraform/modules/vpc/variables.tf b/templates/terraform/modules/vpc/variables.tf
deleted file mode 100644
index 9f40fdb..0000000
--- a/templates/terraform/modules/vpc/variables.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-variable "project" {
- description = "The name of the project, mostly for tagging"
-}
-
-variable "environment" {
- description = "The environment (development/staging/production)"
-}
-
-variable "region" {
- description = "The AWS region"
-}
-
-variable "kubernetes_cluster_name" {
- description = "Kubernetes cluster name used to associate with subnets for auto LB placement"
-}
-
-variable "single_nat_gateway" {
- description = "Use single nat-gateway instead of nat-gateway per subnet"
- type = bool
-}
diff --git a/templates/terraform/modules/vpc/versions.tf b/templates/terraform/modules/vpc/versions.tf
deleted file mode 100644
index 2606a5a..0000000
--- a/templates/terraform/modules/vpc/versions.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-terraform {
- required_version = ">= 0.13"
-}