From d35a9ee95e291b92c76969fe083a1b2089973a75 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 17:43:54 -0700 Subject: [PATCH 01/59] Move state storage modules to bootstrap step in anticipation of refactor --- .../terraform/{ => modules/bootstrap}/state_storage/README.md | 0 .../{ => modules/bootstrap}/state_storage/dynamodb-policy.json | 0 .../{ => modules/bootstrap}/state_storage/state-storage.tf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename web/deploy/terraform/{ => modules/bootstrap}/state_storage/README.md (100%) rename web/deploy/terraform/{ => modules/bootstrap}/state_storage/dynamodb-policy.json (100%) rename web/deploy/terraform/{ => modules/bootstrap}/state_storage/state-storage.tf (100%) diff --git a/web/deploy/terraform/state_storage/README.md b/web/deploy/terraform/modules/bootstrap/state_storage/README.md similarity index 100% rename from web/deploy/terraform/state_storage/README.md rename to web/deploy/terraform/modules/bootstrap/state_storage/README.md diff --git a/web/deploy/terraform/state_storage/dynamodb-policy.json b/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json similarity index 100% rename from web/deploy/terraform/state_storage/dynamodb-policy.json rename to web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json diff --git a/web/deploy/terraform/state_storage/state-storage.tf b/web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf similarity index 100% rename from web/deploy/terraform/state_storage/state-storage.tf rename to web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf From 2beb4653b855cd09a0ccc3f0ebd9323e48af7f6c Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 18:56:10 -0700 Subject: [PATCH 02/59] Refactor state bootstrap to use variables and output modules --- .../{state-storage.tf => main.tf} | 6 ++--- .../bootstrap/state_storage/outputs.tf | 9 ++++++++ .../bootstrap/state_storage/variables.tf | 22 +++++++++++++++++++ 3 files changed, 34 insertions(+), 3 deletions(-) rename web/deploy/terraform/modules/bootstrap/state_storage/{state-storage.tf => main.tf} (84%) create mode 100644 web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf create mode 100644 web/deploy/terraform/modules/bootstrap/state_storage/variables.tf diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf similarity index 84% rename from web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf rename to web/deploy/terraform/modules/bootstrap/state_storage/main.tf index 9970bcaa..aeaa5259 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -10,11 +10,11 @@ terraform { } provider "aws" { - region = "us-east-1" + region = var.aws_region } resource "aws_s3_bucket" "tf_state" { - bucket = "osm-storage" + bucket = "${var.bucket_name}-${var.development_environment}" versioning { enabled = true } @@ -42,7 +42,7 @@ resource "aws_s3_bucket" "tf_state" { } resource "aws_dynamodb_table" "tf_locks" { - name = "terraform-locks" + name = "${var.table_name}-${var.development_environment}" billing_mode = "PAY_PER_REQUEST" hash_key = "LockID" diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf b/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf new file mode 100644 index 00000000..8ee08e13 --- /dev/null +++ b/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf 
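Review bot: A `provider "aws"` block remains inside `modules/bootstrap/state_storage` (now reading `var.aws_region`), which is a problem for a directory whose path says it is a reusable module: a module that configures its own provider cannot be called with `count`/`for_each`, and once the calling `module` block is removed its resources can no longer be destroyed because the provider configuration disappears with them. Move the `provider "aws"` block (and the `aws_region` variable that feeds it) to the calling root modules and keep only `required_providers` here, letting the child inherit the default provider. The `terraform {}` block this hunk is anchored on starts before the hunk.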
@@ -0,0 +1,9 @@ +output "s3_bucket_arn" { + value = aws_s3_bucket.terraform_state.arn + description = "The ARN of the S3 bucket" +} + +output "dynamodb_table_name" { + value = aws_dynamodb_table.terraform_locks.name + description = "The name of the DynamoDB table" +} diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf new file mode 100644 index 00000000..a443b3db --- /dev/null +++ b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf @@ -0,0 +1,22 @@ +variable "bucket_name" { + description = "The name of the S3 bucket. Must be globally unique." + type = string + default = "osm-storage" +} + +variable "table_name" { + description = "The name of the DynamoDB table. Must be unique in this AWS account." + type = string + default = "terraform-locks" +} + +variable "aws_region" { + description = "The AWS region used by the deployment" + type = string + default = "us-east-1" +} + +variable "development_environment" { + description = "The name of the development environment. Usually `stage` or `prod`." + type = string +} From 03630f103ded5c035d2ff778237da8ad12c597e4 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 19:20:39 -0700 Subject: [PATCH 03/59] Use variables in names --- .../terraform/modules/bootstrap/state_storage/main.tf | 6 +++--- .../terraform/modules/bootstrap/state_storage/variables.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index aeaa5259..7a836cbb 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf 
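Review bot: Both outputs in the new outputs.tf reference resources that do not exist in main.tf — `aws_s3_bucket.terraform_state` and `aws_dynamodb_table.terraform_locks` — while the resources renamed in the same commit are `aws_s3_bucket.tf_state` and `aws_dynamodb_table.tf_locks`, so `tofu validate` fails at this commit. The two value lines should read `value = aws_s3_bucket.tf_state.arn` and `value = aws_dynamodb_table.tf_locks.name`.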
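Review bot: `development_environment` is interpolated straight into the S3 bucket name and the DynamoDB table name but carries no `validation` block, so a typo on the command line (`stag`, `Prod`) silently creates a second, unused state bucket and lock table, and an uppercase or underscore value only fails late at the S3 API because bucket names must be lowercase DNS labels. Constrain the variable to the values its description promises; the same applies to the per-environment copies of this variable introduced later in this series. Suggested block below.
```terraform
variable "development_environment" {
  description = "The name of the development environment. Usually `stage` or `prod`."
  type        = string

  validation {
    condition     = contains(["stage", "prod"], var.development_environment)
    error_message = "development_environment must be \"stage\" or \"prod\"."
  }
}
```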
@@ -26,7 +26,7 @@ resource "aws_s3_bucket" "tf_state" { } } lifecycle_rule { - id = "tf_state" + id = "tf_state_${var.development_environment}" enabled = true transition { days = 30 @@ -37,7 +37,7 @@ resource "aws_s3_bucket" "tf_state" { } } tags = { - Name = "terraform-state-storage" + Name = "${var.bucket_name}-${var.development_environment}" } } @@ -52,6 +52,6 @@ resource "aws_dynamodb_table" "tf_locks" { } tags = { - Name = "terraform-state-locks" + Name = "${var.table_name}-${var.development_environment}" } } diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf index a443b3db..73909033 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf @@ -1,13 +1,13 @@ variable "bucket_name" { - description = "The name of the S3 bucket. Must be globally unique." + description = "The name of the S3 bucket to store Terraform state. Must be globally unique." type = string - default = "osm-storage" + default = "osm-terraform-state-storage" } variable "table_name" { description = "The name of the DynamoDB table. Must be unique in this AWS account." type = string - default = "terraform-locks" + default = "terraform-state-locks" } variable "aws_region" { From ddd1b13c6c27f767db108db956dea2f25139517b Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 19:48:46 -0700 Subject: [PATCH 04/59] Refactor versioning and encryption resources --- .../modules/bootstrap/state_storage/main.tf | 46 +++++++++++++------ .../bootstrap/state_storage/outputs.tf | 4 +- 2 files changed, 33 insertions(+), 17 deletions(-) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index 7a836cbb..cfdc79b2 100644 
--- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -15,32 +15,48 @@ provider "aws" { resource "aws_s3_bucket" "tf_state" { bucket = "${var.bucket_name}-${var.development_environment}" - versioning { - enabled = true - } - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } + + tags = { + Name = "${var.bucket_name}-${var.development_environment}" } - lifecycle_rule { - id = "tf_state_${var.development_environment}" - enabled = true +} + +resource "aws_s3_bucket_lifecycle_configuration" "tf_state" { + bucket = aws_s3_bucket.tf_state.id + rule { + id = "tf_state_${var.development_environment}" + status = "Enabled" + transition { days = 30 storage_class = "STANDARD_IA" } + expiration { days = 365 } } - tags = { - Name = "${var.bucket_name}-${var.development_environment}" +} + +resource "aws_s3_bucket_versioning" "enabled" { + bucket = aws_s3_bucket.tf_state.id + + versioning_configuration { + status = "Enabled" + } +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "default" { + bucket = aws_s3_bucket.tf_state.id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } } } + resource "aws_dynamodb_table" "tf_locks" { name = "${var.table_name}-${var.development_environment}" billing_mode = "PAY_PER_REQUEST" @@ -52,6 +68,6 @@ resource "aws_dynamodb_table" "tf_locks" { } tags = { - Name = "${var.table_name}-${var.development_environment}" + Name = "${var.bucket_name}-${var.development_environment}" } } diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf b/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf index 8ee08e13..660848bd 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf 
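Review bot: The DynamoDB table's `Name` tag in the second hunk now uses `var.bucket_name` instead of `var.table_name`, which looks like a copy-paste slip: the lock table ends up tagged with the state bucket's name, the line is still that way when the variable is renamed in patch 14, and it should read `Name = "${var.table_name}-${var.development_environment}"`. In the first hunk, `expiration { days = 365 }` inside the new `aws_s3_bucket_lifecycle_configuration` acts on the *current* version of each object; on a versioned state bucket that means, as I read the S3 lifecycle semantics, a state file not rewritten for a year receives a delete marker and vanishes from the default listing, so `noncurrent_version_expiration` is the rule that prunes old versions safely. The refactor also adds no `aws_s3_bucket_public_access_block` and no `prevent_destroy` on the bucket, both of which I would expect on a bucket holding Terraform state. Suggested additions below.
```terraform
resource "aws_s3_bucket" "tf_state" {
  bucket = "${var.bucket_name}-${var.development_environment}"

  lifecycle {
    prevent_destroy = true
  }

  # … unchanged: tags …
}

resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# … unchanged: lifecycle configuration, versioning, server-side encryption …

resource "aws_dynamodb_table" "tf_locks" {
  # … unchanged: name, billing_mode, hash_key, attribute …
  tags = {
    Name = "${var.table_name}-${var.development_environment}"
  }
}
```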
@@ -1,9 +1,9 @@ output "s3_bucket_arn" { - value = aws_s3_bucket.terraform_state.arn + value = aws_s3_bucket.tf_state.arn description = "The ARN of the S3 bucket" } output "dynamodb_table_name" { - value = aws_dynamodb_table.terraform_locks.name + value = aws_dynamodb_table.tf_locks.name description = "The name of the DynamoDB table" } From 06b17f537c4d2af83c3c7be6446be8908c525119 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 20:14:30 -0700 Subject: [PATCH 05/59] Add dynamodb policy Remove `README.md` because it outlines a manual process that is not automated by terraform/opentofu --- .../modules/bootstrap/state_storage/README.md | 16 ---------------- ...modb-policy.json => dynamodb-policy.json.tpl} | 2 +- .../modules/bootstrap/state_storage/main.tf | 13 +++++++++++++ 3 files changed, 14 insertions(+), 17 deletions(-) delete mode 100644 web/deploy/terraform/modules/bootstrap/state_storage/README.md rename web/deploy/terraform/modules/bootstrap/state_storage/{dynamodb-policy.json => dynamodb-policy.json.tpl} (89%) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/README.md b/web/deploy/terraform/modules/bootstrap/state_storage/README.md deleted file mode 100644 index 9e4ce8d0..00000000 --- a/web/deploy/terraform/modules/bootstrap/state_storage/README.md +++ /dev/null 
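Review bot: The outputs now resolve, but a `backend "s3"` block consumes the bucket *name* and region rather than the ARN, so a consumer of this module still has to reconstruct `${var.bucket_name}-${var.development_environment}` by hand. Consider adding `output "s3_bucket_name" { value = aws_s3_bucket.tf_state.bucket }` next to the ARN so the backend configuration can be derived from outputs alone.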
@@ -1,16 +0,0 @@ -Created bucket and table manually: - -``` -aws s3api create-bucket --bucket osm-terraform-storage --region us-east-1 -aws s3api list-buckets -aws s3api list-buckets --region us-east-1 -aws s3api put-bucket-versioning --bucket osm-terraform-storage --versioning-configuration Status=Enabled -aws s3 cp state-storage.tf s3://osm-terraform-storage/test.tf -aws s3 rm s3://osm-terraform-storage --recursive -# Failed: aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1 -# Created dynamodb-policy.json -aws iam create-policy --policy-name DynamoDBFullAccess --policy-document file://dynamodb-policy.json -aws iam attach-user-policy --policy-arn arn:aws:iam::507624629289:policy/DynamoDBFullAccess --user-name osm -aws iam list-attached-user-policies --user-name osm -aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1 -``` diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json b/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl similarity index 89% rename from web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json rename to web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl index 714b91c4..963936be 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json +++ b/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl @@ -15,7 +15,7 @@ "dynamodb:Query", "dynamodb:Scan" ], - "Resource": "arn:aws:dynamodb:us-east-1:507624629289:table/terraform-locks" + "Resource": "${resource}" }, { "Effect": "Allow", 
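Review bot: Parameterizing `Resource` removes the hard-coded account ID, but the statement it sits in still grants `dynamodb:CreateTable`, `dynamodb:DeleteTable`, `dynamodb:UpdateTable`, `dynamodb:Query` and `dynamodb:Scan` on the lock table, while the S3 backend's documented needs for state locking are `dynamodb:DescribeTable`, `dynamodb:GetItem`, `dynamodb:PutItem` and `dynamodb:DeleteItem`. Since the table is now created by this module rather than by the principal that uses the policy, the table-management actions can be dropped from the `Action` list to keep the policy least-privilege. The enclosing `Statement` array starts and ends outside this hunk.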
diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index cfdc79b2..7c71ace7 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -71,3 +71,16 @@ resource "aws_dynamodb_table" "tf_locks" { Name = "${var.bucket_name}-${var.development_environment}" } } + +data "template_file" "dynamodb_policy" { + template = file("dynamodb-policy.json.tpl") + + vars = { + resource = "${aws_dynamodb_table.tf_locks.arn}" + } +} + +resource "aws_dynamodb_resource_policy" "tf_locks" { + resource_arn = aws_dynamodb_table.tf_locks.arn + policy = data.template_file.dynamodb_policy.rendered +} From 216d0a972a032af832864dbd17e4db095c488e73 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 20:31:17 -0700 Subject: [PATCH 06/59] Add empty bootstrap modules for staging and production --- web/deploy/terraform/production/bootstrap/state_storage/main.tf | 0 .../terraform/production/bootstrap/state_storage/variables.tf | 0 web/deploy/terraform/staging/bootstrap/state_storage/main.tf | 0 web/deploy/terraform/staging/bootstrap/state_storage/variables.tf | 0 4 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 web/deploy/terraform/production/bootstrap/state_storage/main.tf create mode 100644 web/deploy/terraform/production/bootstrap/state_storage/variables.tf create mode 100644 web/deploy/terraform/staging/bootstrap/state_storage/main.tf create mode 100644 web/deploy/terraform/staging/bootstrap/state_storage/variables.tf diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf new file mode 100644 index 00000000..e69de29b 
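Review bot: `aws_dynamodb_resource_policy` attaches a resource-based policy, but the rendered template is an identity-policy document with no `Principal` element, which a resource policy requires, so the apply will most likely be rejected by DynamoDB; either add a `Principal` (and decide who is meant to be granted access) or attach the document as an `aws_iam_policy` to the deploying identity instead. Separately, `file("dynamodb-policy.json.tpl")` resolves relative to the working directory rather than the module, so the read fails as soon as this module is called from another root, and the `template` provider behind `data "template_file"` is archived in favor of the built-in `templatefile()` function. Both are addressed by `policy = templatefile("${path.module}/dynamodb-policy.json.tpl", { resource = aws_dynamodb_table.tf_locks.arn })` with the data source removed.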
diff --git a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf new file mode 100644 index 00000000..e69de29b diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf new file mode 100644 index 00000000..e69de29b diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf new file mode 100644 index 00000000..e69de29b From b7267998000e7e8e6691ecb7d7c9965f75d866d3 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 21:03:01 -0700 Subject: [PATCH 07/59] Add bootstrap modules for state storage for staging and production --- .../terraform/production/bootstrap/state_storage/main.tf | 6 ++++++ .../production/bootstrap/state_storage/variables.tf | 5 +++++ .../terraform/staging/bootstrap/state_storage/main.tf | 6 ++++++ .../terraform/staging/bootstrap/state_storage/variables.tf | 5 +++++ 4 files changed, 22 insertions(+) diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf index e69de29b..0d9d0a6e 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/production/bootstrap/state_storage/main.tf @@ -0,0 +1,6 @@ +module "prod_state_bootstrap" { + # I would like to make this path more robust using something like `path.root` + source = "../../../modules/bootstrap/state_storage/" + + development_environment = var.development_environment +} diff --git a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf index e69de29b..153d2741 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf 
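Review bot: The comment `# I would like to make this path more robust using something like \`path.root\`` expresses a concern that does not apply: a local `source` path is always resolved relative to the directory of the calling module, not the working directory, so `"../../../modules/bootstrap/state_storage/"` is already the robust form, and `source` must be a literal string anyway (no expressions such as `path.root` are allowed there). I would replace the comment with one stating that fact, e.g. `# Local module paths are resolved relative to this file's directory.`, so the next reader does not try the same thing. The staging root module in the next hunk carries the identical comment.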
+++ b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf @@ -0,0 +1,5 @@ +variable "development_environment" { + description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `prod`" + type = string + default = "prod" +} diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf index e69de29b..f6a47f72 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf @@ -0,0 +1,6 @@ +module "stage_state_bootstrap" { + # I would like to make this path more robust using something like `path.root` + source = "../../../modules/bootstrap/state_storage/" + + development_environment = var.development_environment +} diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf index e69de29b..91db6f85 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf @@ -0,0 +1,5 @@ +variable "development_environment" { + description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `stage`" + type = string + default = "stage" +} From 37c370beb242be0fff8a10dff7b758d4f8ce9f5a Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 21:40:44 -0700 Subject: [PATCH 08/59] Temporarily comment out IAM policy resources --- .../modules/bootstrap/state_storage/main.tf | 34 ++++++++++++------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index 7c71ace7..daa7c0e5 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf 
+++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -56,7 +56,6 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { } } - resource "aws_dynamodb_table" "tf_locks" { name = "${var.table_name}-${var.development_environment}" billing_mode = "PAY_PER_REQUEST" @@ -72,15 +71,24 @@ resource "aws_dynamodb_table" "tf_locks" { } } -data "template_file" "dynamodb_policy" { - template = file("dynamodb-policy.json.tpl") - - vars = { - resource = "${aws_dynamodb_table.tf_locks.arn}" - } -} - -resource "aws_dynamodb_resource_policy" "tf_locks" { - resource_arn = aws_dynamodb_table.tf_locks.arn - policy = data.template_file.dynamodb_policy.rendered -} +# data "template_file" "dynamodb_policy" { +# template = file("${path.module}/dynamodb-policy.json.tpl") + +# vars = { +# resource = "${aws_dynamodb_table.tf_locks.arn}" +# } +# } + +# resource "aws_iam_policy" "tf_locks" { +# name = "DynamoDBFullAccess-${var.development_environment}" +# policy = data.template_file.dynamodb_policy.rendered +# } + +# resource "aws_iam_policy_attachment" "tf_locks" { +# name = "tf_locks-${var.development_environment}" +# policy_arn = aws_iam_policy.tf_locks.arn +# users = [ +# # This will need to be changed before merge +# "osm", +# ] +# } From 2d9ed4039175c68c66ca4573482e3388ce2340dd Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 14:43:51 -0700 Subject: [PATCH 09/59] Add required version --- .../terraform/production/bootstrap/state_storage/main.tf | 4 ++++ web/deploy/terraform/staging/bootstrap/state_storage/main.tf | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf index 0d9d0a6e..ae91346f 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/production/bootstrap/state_storage/main.tf 
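Review bot: The commented-out `aws_iam_policy_attachment` is an exclusive attachment — when re-enabled it detaches `aws_iam_policy.tf_locks` from every user, group and role not listed in `users`, which is a surprising side effect for a policy that may be shared; `aws_iam_user_policy_attachment` with `user = ...` and `policy_arn = ...` attaches without it. The hard-coded `"osm"` user together with `# This will need to be changed before merge` reads as a placeholder that would be safer as an input variable (e.g. `var.state_admin_users`, constructed name) with no default, so the reminder cannot be overlooked when the block is uncommented. The second hunk's enclosing file continues outside the hunk.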
@@ -1,3 +1,7 @@ +terraform { + required_version = ">= 1.0.0, < 2.0.0" +} + module "prod_state_bootstrap" { # I would like to make this path more robust using something like `path.root` source = "../../../modules/bootstrap/state_storage/" diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf index f6a47f72..901a8c09 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf @@ -1,3 +1,7 @@ +terraform { + required_version = ">= 1.0.0, < 2.0.0" +} + module "stage_state_bootstrap" { # I would like to make this path more robust using something like `path.root` source = "../../../modules/bootstrap/state_storage/" From 59da31ea3f226d07c33262d6f4a6457de4ee7b1c Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 14:44:34 -0700 Subject: [PATCH 10/59] Run validate before lint and format --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f876c570..a4e89459 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,6 +37,6 @@ repos: - repo: https://github.com/tofuutils/pre-commit-opentofu rev: v1.0.4 hooks: + - id: tofu_validate - id: tofu_fmt - id: tofu_tflint - - id: tofu_validate From 247a8706bace58d6701ebfe1aede1e2660a0936a Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 15:04:49 -0700 Subject: [PATCH 11/59] Refactor outputs to their own files --- .../modules/shared_resources/main.tf | 26 -------------- .../modules/shared_resources/outputs.tf | 27 ++++++++++++++ web/deploy/terraform/staging/main.tf | 31 ---------------- web/deploy/terraform/staging/outputs.tf | 35 +++++++++++++++++++ 4 files changed, 62 insertions(+), 57 deletions(-) create mode 100644 web/deploy/terraform/modules/shared_resources/outputs.tf create mode 100644 web/deploy/terraform/staging/outputs.tf diff --git a/web/deploy/terraform/modules/shared_resources/main.tf b/web/deploy/terraform/modules/shared_resources/main.tf index 905c429b..f639a7f5 100644 --- a/web/deploy/terraform/modules/shared_resources/main.tf +++ b/web/deploy/terraform/modules/shared_resources/main.tf @@ -192,29 +192,3 @@ data "aws_ami" "ubuntu" { values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] } } - - - - -# Outputs -output "vpc_id" { - value = aws_vpc.main.id -} -output "subnet_id" { - value = aws_subnet.main.id -} -output "security_group_id" { - value = aws_security_group.allow_all.id -} -output "internet_gateway_id" { - value = aws_internet_gateway.main.id -} -output "route_table_id" { - value = aws_route_table.main.id -} -output "aws_network_acl_id" { - value = aws_network_acl.allow_all.id -} -output "ami_id" { - value = data.aws_ami.ubuntu.id -} diff --git a/web/deploy/terraform/modules/shared_resources/outputs.tf b/web/deploy/terraform/modules/shared_resources/outputs.tf new file mode 100644 index 00000000..07d8bd0b --- /dev/null +++ b/web/deploy/terraform/modules/shared_resources/outputs.tf 
@@ -0,0 +1,27 @@ +output "vpc_id" { + value = aws_vpc.main.id +} + +output "subnet_id" { + value = aws_subnet.main.id +} + +output "security_group_id" { + value = aws_security_group.allow_all.id +} + +output "internet_gateway_id" { + value = aws_internet_gateway.main.id +} + +output "route_table_id" { + value = aws_route_table.main.id +} + +output "aws_network_acl_id" { + value = aws_network_acl.allow_all.id +} + +output "ami_id" { + value = data.aws_ami.ubuntu.id +} diff --git a/web/deploy/terraform/staging/main.tf b/web/deploy/terraform/staging/main.tf index b2eae00c..a16b3c88 100644 --- a/web/deploy/terraform/staging/main.tf +++ b/web/deploy/terraform/staging/main.tf @@ -69,34 +69,3 @@ resource "aws_eip_association" "staging" { instance_id = aws_instance.staging.id allocation_id = aws_eip.staging.id } - -output "vpc_id" { - value = module.shared_resources.vpc_id -} -output "internet_gateway_id" { - value = module.shared_resources.internet_gateway_id -} -output "route_table_id" { - value = module.shared_resources.route_table_id -} -output "network_acl_id" { - value = module.shared_resources.aws_network_acl_id -} -output "security_group_id" { - value = module.shared_resources.security_group_id -} -output "subnet_id" { - value = module.shared_resources.subnet_id -} - -output "instance_id" { - value = aws_instance.staging.id -} - -output "public_dns" { - value = aws_eip.staging.public_dns -} - -output "public_ip" { - value = aws_eip.staging.public_ip -} diff --git a/web/deploy/terraform/staging/outputs.tf b/web/deploy/terraform/staging/outputs.tf new file mode 100644 index 00000000..74805845 --- /dev/null +++ b/web/deploy/terraform/staging/outputs.tf 
@@ -0,0 +1,35 @@ +output "vpc_id" { + value = module.shared_resources.vpc_id +} + +output "internet_gateway_id" { + value = module.shared_resources.internet_gateway_id +} + +output "route_table_id" { + value = module.shared_resources.route_table_id +} + +output "network_acl_id" { + value = module.shared_resources.aws_network_acl_id +} + +output "security_group_id" { + value = module.shared_resources.security_group_id +} + +output "subnet_id" { + value = module.shared_resources.subnet_id +} + +output "instance_id" { + value = aws_instance.staging.id +} + +output "public_dns" { + value = aws_eip.staging.public_dns +} + +output "public_ip" { + value = aws_eip.staging.public_ip +} From 9cff3b0bd3bd70bdf863b2fe1533eaa5c5990190 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 21:24:38 -0700 Subject: [PATCH 12/59] Remove logic for iam policy from bootstrap stage --- .../state_storage/dynamodb-policy.json.tpl | 29 ------------------- .../modules/bootstrap/state_storage/main.tf | 22 -------------- 2 files changed, 51 deletions(-) delete mode 100644 web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl b/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl deleted file mode 100644 index 963936be..00000000 --- a/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "dynamodb:CreateTable", - "dynamodb:DeleteTable", - "dynamodb:DescribeTable", - "dynamodb:ListTables", - "dynamodb:UpdateTable", - "dynamodb:PutItem", - "dynamodb:GetItem", - "dynamodb:DeleteItem", - "dynamodb:Query", - "dynamodb:Scan" - ], - "Resource": "${resource}" - }, - { - "Effect": "Allow", - "Action": [ - "dynamodb:ListTables", - "dynamodb:ListTagsOfResource" - ], - "Resource": "*" - } - ] -} diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index daa7c0e5..0b291511 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -70,25 +70,3 @@ resource "aws_dynamodb_table" "tf_locks" { Name = "${var.bucket_name}-${var.development_environment}" } } - -# data "template_file" "dynamodb_policy" { -# template = file("${path.module}/dynamodb-policy.json.tpl") - -# vars = { -# resource = "${aws_dynamodb_table.tf_locks.arn}" -# } -# } - -# resource "aws_iam_policy" "tf_locks" { -# name = "DynamoDBFullAccess-${var.development_environment}" -# policy = data.template_file.dynamodb_policy.rendered -# } - -# resource "aws_iam_policy_attachment" "tf_locks" { -# name = "tf_locks-${var.development_environment}" -# policy_arn = aws_iam_policy.tf_locks.arn -# users = [ -# # This will need to be changed before merge -# "osm", -# ] -# } From a60882d9d5ec907d2819e8302ca75931841b4e74 Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 21:30:40 -0700 Subject: [PATCH 13/59] Refactor to move variables to separate file --- .../modules/shared_resources/main.tf | 28 ------------------- .../modules/shared_resources/variables.tf | 27 ++++++++++++++++++ 2 files changed, 27 insertions(+), 28 deletions(-) create mode 100644 web/deploy/terraform/modules/shared_resources/variables.tf diff --git a/web/deploy/terraform/modules/shared_resources/main.tf b/web/deploy/terraform/modules/shared_resources/main.tf index f639a7f5..ba856059 100644 --- a/web/deploy/terraform/modules/shared_resources/main.tf +++ b/web/deploy/terraform/modules/shared_resources/main.tf @@ -9,34 +9,6 @@ terraform { } } -# tflint-ignore: terraform_unused_declarations -variable "aws_region" { - description = "AWS region" - default = "us-east-1" - type = string -} - -# tflint-ignore: terraform_unused_declarations -variable "s3_bucket" { - description = "S3 bucket for Terraform state" - default = "osm-storage" - type = string -} - -# tflint-ignore: terraform_unused_declarations -variable "dynamodb_table" { - description = "DynamoDB table for Terraform state locking" - default = "terraform-locks" - type = string -} - -# tflint-ignore: terraform_unused_declarations -variable "ssh_port" { - description = "Non-standard port for SSH" - default = 22 - type = number -} - # VPC resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" diff --git a/web/deploy/terraform/modules/shared_resources/variables.tf b/web/deploy/terraform/modules/shared_resources/variables.tf new file mode 100644 index 00000000..ceae8d73 --- /dev/null +++ b/web/deploy/terraform/modules/shared_resources/variables.tf 
@@ -0,0 +1,27 @@ +# tflint-ignore: terraform_unused_declarations +variable "aws_region" { + description = "AWS region" + default = "us-east-1" + type = string +} + +# tflint-ignore: terraform_unused_declarations +variable "s3_bucket" { + description = "S3 bucket for Terraform state" + default = "osm-storage" + type = string +} + +# tflint-ignore: terraform_unused_declarations +variable "dynamodb_table" { + description = "DynamoDB table for Terraform state locking" + default = "terraform-locks" + type = string +} + +# tflint-ignore: terraform_unused_declarations +variable "ssh_port" { + description = "Non-standard port for SSH" + default = 22 + type = number +} From 1cbdbb613458aaa65e84b7ead68994e3853c3d90 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 21:53:38 -0700 Subject: [PATCH 14/59] Rename `development_environment` variable to `environment`x --- .../terraform/modules/bootstrap/state_storage/main.tf | 10 +++++----- .../modules/bootstrap/state_storage/variables.tf | 2 +- .../production/bootstrap/state_storage/main.tf | 2 +- .../production/bootstrap/state_storage/variables.tf | 2 +- .../terraform/staging/bootstrap/state_storage/main.tf | 2 +- .../staging/bootstrap/state_storage/variables.tf | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index 0b291511..e3f304b5 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf 
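Review bot: All four variables moved here carry `tflint-ignore: terraform_unused_declarations`, i.e. nothing in `shared_resources` reads them, and the defaults for `s3_bucket` (`osm-storage`) and `dynamodb_table` (`terraform-locks`) have already drifted from the bootstrap module's `osm-terraform-state-storage` / `terraform-state-locks`, so they now document the wrong names. `ssh_port` is described as `"Non-standard port for SSH"` while its default is the standard port 22, so either the description or the default is wrong. Dropping the unused declarations, or wiring them into the resources that are meant to consume them, would be cleaner than suppressing the lint warning.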
@@ -14,17 +14,17 @@ provider "aws" { } resource "aws_s3_bucket" "tf_state" { - bucket = "${var.bucket_name}-${var.development_environment}" + bucket = "${var.bucket_name}-${var.environment}" tags = { - Name = "${var.bucket_name}-${var.development_environment}" + Name = "${var.bucket_name}-${var.environment}" } } resource "aws_s3_bucket_lifecycle_configuration" "tf_state" { bucket = aws_s3_bucket.tf_state.id rule { - id = "tf_state_${var.development_environment}" + id = "tf_state_${var.environment}" status = "Enabled" transition { @@ -57,7 +57,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { } resource "aws_dynamodb_table" "tf_locks" { - name = "${var.table_name}-${var.development_environment}" + name = "${var.table_name}-${var.environment}" billing_mode = "PAY_PER_REQUEST" hash_key = "LockID" @@ -67,6 +67,6 @@ resource "aws_dynamodb_table" "tf_locks" { } tags = { - Name = "${var.bucket_name}-${var.development_environment}" + Name = "${var.bucket_name}-${var.environment}" } } diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf index 73909033..3fef1596 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf @@ -16,7 +16,7 @@ variable "aws_region" { default = "us-east-1" } -variable "development_environment" { +variable "environment" { description = "The name of the development environment. Usually `stage` or `prod`." type = string } diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf index ae91346f..e4c48785 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/production/bootstrap/state_storage/main.tf 
@@ -6,5 +6,5 @@ module "prod_state_bootstrap" { # I would like to make this path more robust using something like `path.root` source = "../../../modules/bootstrap/state_storage/" - development_environment = var.development_environment + environment = var.environment } diff --git a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf index 153d2741..67aaa8e0 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf @@ -1,4 +1,4 @@ -variable "development_environment" { +variable "environment" { description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `prod`" type = string default = "prod" diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf index 901a8c09..d86f1e4e 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf @@ -6,5 +6,5 @@ module "stage_state_bootstrap" { # I would like to make this path more robust using something like `path.root` source = "../../../modules/bootstrap/state_storage/" - development_environment = var.development_environment + environment = var.environment } diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf index 91db6f85..d7e81385 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf @@ -1,4 +1,4 @@ -variable "development_environment" { +variable "environment" { description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `stage`" type = string default = "stage" 
From f38eea2233d63bbe609ff1f97e5fba5943b1ff52 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 22:22:26 -0700 Subject: [PATCH 15/59] Move all state bootstrap files to a single directory --- .../production/bootstrap/state_storage/main.tf | 10 ---------- .../production/bootstrap/state_storage/variables.tf | 5 ----- .../staging/bootstrap/state_storage/main.tf | 10 ---------- .../staging/bootstrap/state_storage/variables.tf | 5 ----- .../state_storage => state/bootstrap}/main.tf | 0 .../state_storage => state/bootstrap}/outputs.tf | 0 .../state_storage => state/bootstrap}/variables.tf | 0 web/deploy/terraform/state/main.tf | 13 +++++++++++++ 8 files changed, 13 insertions(+), 30 deletions(-) delete mode 100644 web/deploy/terraform/production/bootstrap/state_storage/main.tf delete mode 100644 web/deploy/terraform/production/bootstrap/state_storage/variables.tf delete mode 100644 web/deploy/terraform/staging/bootstrap/state_storage/main.tf delete mode 100644 web/deploy/terraform/staging/bootstrap/state_storage/variables.tf rename web/deploy/terraform/{modules/bootstrap/state_storage => state/bootstrap}/main.tf (100%) rename web/deploy/terraform/{modules/bootstrap/state_storage => state/bootstrap}/outputs.tf (100%) rename web/deploy/terraform/{modules/bootstrap/state_storage => state/bootstrap}/variables.tf (100%) create mode 100644 web/deploy/terraform/state/main.tf diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf deleted file mode 100644 index e4c48785..00000000 --- a/web/deploy/terraform/production/bootstrap/state_storage/main.tf +++ /dev/null 
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.0.0, < 2.0.0"
-}
-
-module "prod_state_bootstrap" {
- # I would like to make this path more robust using something like `path.root`
- source = "../../../modules/bootstrap/state_storage/"
-
- environment = var.environment
-}
diff --git a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf
deleted file mode 100644
index 67aaa8e0..00000000
--- a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-variable "environment" {
- description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `prod`"
- type = string
- default = "prod"
-}
diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf
deleted file mode 100644
index d86f1e4e..00000000
--- a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.0.0, < 2.0.0"
-}
-
-module "stage_state_bootstrap" {
- # I would like to make this path more robust using something like `path.root`
- source = "../../../modules/bootstrap/state_storage/"
-
- environment = var.environment
-}
diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf
deleted file mode 100644
index d7e81385..00000000
--- a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-variable "environment" {
- description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `stage`"
- type = string
- default = "stage"
-}
diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/state/bootstrap/main.tf similarity index 100% rename from web/deploy/terraform/modules/bootstrap/state_storage/main.tf rename to web/deploy/terraform/state/bootstrap/main.tf diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf b/web/deploy/terraform/state/bootstrap/outputs.tf similarity index 100% rename from web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf rename to web/deploy/terraform/state/bootstrap/outputs.tf diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf b/web/deploy/terraform/state/bootstrap/variables.tf similarity index 100% rename from web/deploy/terraform/modules/bootstrap/state_storage/variables.tf rename to web/deploy/terraform/state/bootstrap/variables.tf diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf new file mode 100644 index 00000000..2aefb443 --- /dev/null +++ b/web/deploy/terraform/state/main.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.0.0, < 2.0.0" +} + +module "stage_state" { + source = "./bootstrap/" + environment = "stage" +} + +module "prod_state" { + source = "./bootstrap/" + environment = "prod" +} From de9dce886dfb193bb8f05eb6c68f5cbe7dd29ea5 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 22:29:30 -0700 Subject: [PATCH 16/59] Add deprecated files for reference --- .../terraform/state/deprecated/README.md | 3 ++ .../state/deprecated/dynamodb-policy.json | 29 +++++++++++++++++++ .../deprecated/manual-bucket-creation.md | 16 ++++++++++ 3 files changed, 48 insertions(+) create mode 100644 web/deploy/terraform/state/deprecated/README.md create mode 100644 web/deploy/terraform/state/deprecated/dynamodb-policy.json create mode 100644 web/deploy/terraform/state/deprecated/manual-bucket-creation.md 
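Review bot: Each `module` block in the new `state/main.tf` instantiates a child module that carries its own `provider "aws"` block (it appears as hunk context, `@@ -14,17 +14,17 @@ provider "aws" {`, in the earlier patch of this series), and Terraform treats provider configurations inside child modules as legacy: such a module cannot use `count`, `for_each` or `depends_on`, and removing one of these instances later fails because its provider configuration vanishes with it. Move the `provider "aws"` block into this root and leave only a `required_providers` entry in the child, so all three instances inherit one configuration. This root also has no `backend` block, which is expected when bootstrapping the state bucket itself, but it makes the local `terraform.tfstate` the only record of these buckets and tables; a header comment such as `# Bootstrap root: local state on purpose — keep terraform.tfstate out of version control and back it up` would make that explicit for the next operator.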
diff --git a/web/deploy/terraform/state/deprecated/README.md b/web/deploy/terraform/state/deprecated/README.md
new file mode 100644
index 00000000..90299444
--- /dev/null
+++ b/web/deploy/terraform/state/deprecated/README.md
@@ -0,0 +1,3 @@
+The files in this directory are deprecated and only included for reference.
+
+This directory might be removed in the future
diff --git a/web/deploy/terraform/state/deprecated/dynamodb-policy.json b/web/deploy/terraform/state/deprecated/dynamodb-policy.json
new file mode 100644
index 00000000..714b91c4
--- /dev/null
+++ b/web/deploy/terraform/state/deprecated/dynamodb-policy.json
@@ -0,0 +1,29 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:CreateTable",
+ "dynamodb:DeleteTable",
+ "dynamodb:DescribeTable",
+ "dynamodb:ListTables",
+ "dynamodb:UpdateTable",
+ "dynamodb:PutItem",
+ "dynamodb:GetItem",
+ "dynamodb:DeleteItem",
+ "dynamodb:Query",
+ "dynamodb:Scan"
+ ],
+ "Resource": "arn:aws:dynamodb:us-east-1:507624629289:table/terraform-locks"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:ListTables",
+ "dynamodb:ListTagsOfResource"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/web/deploy/terraform/state/deprecated/manual-bucket-creation.md b/web/deploy/terraform/state/deprecated/manual-bucket-creation.md
new file mode 100644
index 00000000..9e4ce8d0
--- /dev/null
+++ b/web/deploy/terraform/state/deprecated/manual-bucket-creation.md
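Review bot: The reference policy grants `dynamodb:CreateTable`, `DeleteTable`, `UpdateTable`, `Query` and `Scan` on the lock table under the name `DynamoDBFullAccess`, which is well beyond what Terraform state locking needs: acquiring and releasing a lock uses `DescribeTable`, `GetItem`, `PutItem` and `DeleteItem` on that one table. Since the file is kept only for reference and JSON cannot carry a comment, the README added in the same hunk is the place to say so, e.g. `The policy in dynamodb-policy.json is broader than state locking requires; a least-privilege version needs only DescribeTable, GetItem, PutItem and DeleteItem on the lock table.` The second statement's `"Resource": "*"` is correct for `ListTables`, which is not resource-scoped.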
@@ -0,0 +1,16 @@ +Created bucket and table manually: + +``` +aws s3api create-bucket --bucket osm-terraform-storage --region us-east-1 +aws s3api list-buckets +aws s3api list-buckets --region us-east-1 +aws s3api put-bucket-versioning --bucket osm-terraform-storage --versioning-configuration Status=Enabled +aws s3 cp state-storage.tf s3://osm-terraform-storage/test.tf +aws s3 rm s3://osm-terraform-storage --recursive +# Failed: aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1 +# Created dynamodb-policy.json +aws iam create-policy --policy-name DynamoDBFullAccess --policy-document file://dynamodb-policy.json +aws iam attach-user-policy --policy-arn arn:aws:iam::507624629289:policy/DynamoDBFullAccess --user-name osm +aws iam list-attached-user-policies --user-name osm +aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1 +``` From 565b1935a405a91c66c8b8eedadd7a2215130d13 Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 25 Sep 2024 21:31:23 -0700 Subject: [PATCH 17/59] Reorganize modules --- .../{modules/shared_resources => shared/networking}/main.tf | 0 .../shared_resources => shared/networking}/outputs.tf | 0 .../shared_resources => shared/networking}/variables.tf | 0 web/deploy/terraform/state/main.tf | 4 ++-- web/deploy/terraform/state/{bootstrap => modules}/main.tf | 0 web/deploy/terraform/state/{bootstrap => modules}/outputs.tf | 0 .../terraform/state/{bootstrap => modules}/variables.tf | 0 7 files changed, 2 insertions(+), 2 deletions(-) rename web/deploy/terraform/{modules/shared_resources => shared/networking}/main.tf (100%) rename web/deploy/terraform/{modules/shared_resources => shared/networking}/outputs.tf (100%) rename web/deploy/terraform/{modules/shared_resources => shared/networking}/variables.tf (100%) rename web/deploy/terraform/state/{bootstrap => modules}/main.tf (100%) rename web/deploy/terraform/state/{bootstrap => modules}/outputs.tf (100%) rename web/deploy/terraform/state/{bootstrap => modules}/variables.tf (100%) diff --git a/web/deploy/terraform/modules/shared_resources/main.tf b/web/deploy/terraform/shared/networking/main.tf similarity index 100% rename from web/deploy/terraform/modules/shared_resources/main.tf rename to web/deploy/terraform/shared/networking/main.tf diff --git a/web/deploy/terraform/modules/shared_resources/outputs.tf b/web/deploy/terraform/shared/networking/outputs.tf similarity index 100% rename from web/deploy/terraform/modules/shared_resources/outputs.tf rename to web/deploy/terraform/shared/networking/outputs.tf diff --git a/web/deploy/terraform/modules/shared_resources/variables.tf b/web/deploy/terraform/shared/networking/variables.tf similarity index 100% rename from web/deploy/terraform/modules/shared_resources/variables.tf rename to web/deploy/terraform/shared/networking/variables.tf 
diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf index 2aefb443..5454e134 100644 --- a/web/deploy/terraform/state/main.tf +++ b/web/deploy/terraform/state/main.tf @@ -3,11 +3,11 @@ terraform { } module "stage_state" { - source = "./bootstrap/" + source = "./modules/" environment = "stage" } module "prod_state" { - source = "./bootstrap/" + source = "./modules/" environment = "prod" } diff --git a/web/deploy/terraform/state/bootstrap/main.tf b/web/deploy/terraform/state/modules/main.tf similarity index 100% rename from web/deploy/terraform/state/bootstrap/main.tf rename to web/deploy/terraform/state/modules/main.tf diff --git a/web/deploy/terraform/state/bootstrap/outputs.tf b/web/deploy/terraform/state/modules/outputs.tf similarity index 100% rename from web/deploy/terraform/state/bootstrap/outputs.tf rename to web/deploy/terraform/state/modules/outputs.tf diff --git a/web/deploy/terraform/state/bootstrap/variables.tf b/web/deploy/terraform/state/modules/variables.tf similarity index 100% rename from web/deploy/terraform/state/bootstrap/variables.tf rename to web/deploy/terraform/state/modules/variables.tf From a518d60f33679be9d64e9fe33efc78b81fb8efa2 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 25 Sep 2024 21:33:00 -0700 Subject: [PATCH 18/59] Add shared state storage --- web/deploy/terraform/state/main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf index 5454e134..a2588933 100644 --- a/web/deploy/terraform/state/main.tf +++ b/web/deploy/terraform/state/main.tf @@ -11,3 +11,8 @@ module "prod_state" { source = "./modules/" environment = "prod" } + +module "shared_state" { + source = "./modules/" + environment = "shared" +} From 13dd738748e3326f140c110cb91bb98dd1d14e08 Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 25 Sep 2024 21:52:38 -0700 Subject: [PATCH 19/59] Prevent destruction of state infrastructure --- web/deploy/terraform/state/modules/main.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/web/deploy/terraform/state/modules/main.tf b/web/deploy/terraform/state/modules/main.tf index e3f304b5..399590cc 100644 --- a/web/deploy/terraform/state/modules/main.tf +++ b/web/deploy/terraform/state/modules/main.tf @@ -16,6 +16,10 @@ provider "aws" { resource "aws_s3_bucket" "tf_state" { bucket = "${var.bucket_name}-${var.environment}" + lifecycle { + prevent_destroy = true + } + tags = { Name = "${var.bucket_name}-${var.environment}" } @@ -36,6 +40,10 @@ resource "aws_s3_bucket_lifecycle_configuration" "tf_state" { days = 365 } } + + lifecycle { + prevent_destroy = true + } } resource "aws_s3_bucket_versioning" "enabled" { @@ -44,6 +52,10 @@ resource "aws_s3_bucket_versioning" "enabled" { versioning_configuration { status = "Enabled" } + + lifecycle { + prevent_destroy = true + } } resource "aws_s3_bucket_server_side_encryption_configuration" "default" { @@ -54,6 +66,10 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { sse_algorithm = "AES256" } } + + lifecycle { + prevent_destroy = true + } } resource "aws_dynamodb_table" "tf_locks" { @@ -66,6 +82,10 @@ resource "aws_dynamodb_table" "tf_locks" { type = "S" } + lifecycle { + prevent_destroy = true + } + tags = { Name = "${var.bucket_name}-${var.environment}" } From 80b92589b87b67df764630a3bd74f031901c499d Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 25 Sep 2024 21:56:32 -0700 Subject: [PATCH 20/59] Add `.terraform.lock.hcl` to version control --- .../terraform/state/.terraform.lock.hcl | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 web/deploy/terraform/state/.terraform.lock.hcl 
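Review bot: `prevent_destroy = true` is a plan-time guard that only acts within this configuration: it blocks `terraform destroy` and in-place replacement, but not `terraform state rm` followed by a manual delete, nor deletion through the console or API, and it stops applying as soon as the resource block itself is removed from the configuration. A comment on the first occurrence would set expectations, `# Plan-time guard only; deletion outside Terraform is not prevented — rely on versioning and IAM for that`. Adding it to the `aws_s3_bucket_versioning`, lifecycle and encryption configuration resources gains little, since those hold no data; the bucket and the lock table are what matter. None of these hunks adds an `aws_s3_bucket_public_access_block` for the bucket; if the module has none, that is the more valuable protection for a state bucket.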
diff --git a/web/deploy/terraform/state/.terraform.lock.hcl b/web/deploy/terraform/state/.terraform.lock.hcl new file mode 100644 index 00000000..f324fcc5 --- /dev/null +++ b/web/deploy/terraform/state/.terraform.lock.hcl @@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.68.0" + constraints = "~> 5.0" + hashes = [ + "h1:VMfgVqBZ6PPm6vIk0z1jHKX8SHK+/x4IfbOkZhaD6p4=", + "zh:0501ccb379b74832366860699ca6d5993b164ec44314a054453877d39c384869", + "zh:315b4eb957f84ce5580fed31e4b99b25d41634832a6939cd016fb0c4963164c9", + "zh:31defa4c379a4f1761504617824bae1b5efc93f456f055f85d1131676433085d", + "zh:3702a13f06369ee90eea413ec32db6ffa9c59648b3545301f9917f6774a840cb", + "zh:7c524cb809267ec68dd67124aa8d9fbab7722814fa875b1306d527f71b8b3bea", + "zh:ab37ec8b17be8062d804c17f5f4ddd9deaf50b3a48e6c0b979b60ef80f85192b", + "zh:baaf2c46edfe596f085f0f8f389e908a874e45c42ea5e5d5f24de1dbfed7542e", + "zh:cb37278073ede7b5e18116faebea49d5d47496d5093cec6c69065fb9ad1f622d", + "zh:ec4b64d66470b078162c13479446ad6819c93099149b478f43d990702f937fd3", + "zh:f55c3a3ba975ecfe73c729a085efb0432c02c74e91edaf40d351cdb231c3836b", + ] +} From 8011072708276f45c06c30a67315167d9b835f50 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 27 Sep 2024 18:38:56 -0700 Subject: [PATCH 21/59] Move state modules to appropriate directory --- web/deploy/terraform/state/main.tf | 6 +++--- web/deploy/terraform/state/modules/{ => state}/main.tf | 0 web/deploy/terraform/state/modules/{ => state}/outputs.tf | 0 web/deploy/terraform/state/modules/{ => state}/variables.tf | 0 4 files changed, 3 insertions(+), 3 deletions(-) rename web/deploy/terraform/state/modules/{ => state}/main.tf (100%) rename web/deploy/terraform/state/modules/{ => state}/outputs.tf (100%) rename web/deploy/terraform/state/modules/{ => state}/variables.tf (100%) 
diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf index a2588933..463189bc 100644 --- a/web/deploy/terraform/state/main.tf +++ b/web/deploy/terraform/state/main.tf @@ -3,16 +3,16 @@ terraform { } module "stage_state" { - source = "./modules/" + source = "./modules/state/" environment = "stage" } module "prod_state" { - source = "./modules/" + source = "./modules/state/" environment = "prod" } module "shared_state" { - source = "./modules/" + source = "./modules/state/" environment = "shared" } diff --git a/web/deploy/terraform/state/modules/main.tf b/web/deploy/terraform/state/modules/state/main.tf similarity index 100% rename from web/deploy/terraform/state/modules/main.tf rename to web/deploy/terraform/state/modules/state/main.tf diff --git a/web/deploy/terraform/state/modules/outputs.tf b/web/deploy/terraform/state/modules/state/outputs.tf similarity index 100% rename from web/deploy/terraform/state/modules/outputs.tf rename to web/deploy/terraform/state/modules/state/outputs.tf diff --git a/web/deploy/terraform/state/modules/variables.tf b/web/deploy/terraform/state/modules/state/variables.tf similarity index 100% rename from web/deploy/terraform/state/modules/variables.tf rename to web/deploy/terraform/state/modules/state/variables.tf From 8f372d176af30a032cc6a947214448237ba05456 Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 27 Sep 2024 20:29:52 -0700 Subject: [PATCH 22/59] Move state modules to modules directory --- .../{state => }/modules/state/main.tf | 0 .../{state => }/modules/state/outputs.tf | 0 .../{state => }/modules/state/variables.tf | 0 .../terraform/state/.terraform.lock.hcl | 20 ------------------- web/deploy/terraform/state/main.tf | 6 +++--- 5 files changed, 3 insertions(+), 23 deletions(-) rename web/deploy/terraform/{state => }/modules/state/main.tf (100%) rename web/deploy/terraform/{state => }/modules/state/outputs.tf (100%) rename web/deploy/terraform/{state => }/modules/state/variables.tf (100%) delete mode 100644 web/deploy/terraform/state/.terraform.lock.hcl diff --git a/web/deploy/terraform/state/modules/state/main.tf b/web/deploy/terraform/modules/state/main.tf similarity index 100% rename from web/deploy/terraform/state/modules/state/main.tf rename to web/deploy/terraform/modules/state/main.tf diff --git a/web/deploy/terraform/state/modules/state/outputs.tf b/web/deploy/terraform/modules/state/outputs.tf similarity index 100% rename from web/deploy/terraform/state/modules/state/outputs.tf rename to web/deploy/terraform/modules/state/outputs.tf diff --git a/web/deploy/terraform/state/modules/state/variables.tf b/web/deploy/terraform/modules/state/variables.tf similarity index 100% rename from web/deploy/terraform/state/modules/state/variables.tf rename to web/deploy/terraform/modules/state/variables.tf diff --git a/web/deploy/terraform/state/.terraform.lock.hcl b/web/deploy/terraform/state/.terraform.lock.hcl deleted file mode 100644 index f324fcc5..00000000 --- a/web/deploy/terraform/state/.terraform.lock.hcl +++ /dev/null 
@@ -1,20 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/hashicorp/aws" { - version = "5.68.0" - constraints = "~> 5.0" - hashes = [ - "h1:VMfgVqBZ6PPm6vIk0z1jHKX8SHK+/x4IfbOkZhaD6p4=", - "zh:0501ccb379b74832366860699ca6d5993b164ec44314a054453877d39c384869", - "zh:315b4eb957f84ce5580fed31e4b99b25d41634832a6939cd016fb0c4963164c9", - "zh:31defa4c379a4f1761504617824bae1b5efc93f456f055f85d1131676433085d", - "zh:3702a13f06369ee90eea413ec32db6ffa9c59648b3545301f9917f6774a840cb", - "zh:7c524cb809267ec68dd67124aa8d9fbab7722814fa875b1306d527f71b8b3bea", - "zh:ab37ec8b17be8062d804c17f5f4ddd9deaf50b3a48e6c0b979b60ef80f85192b", - "zh:baaf2c46edfe596f085f0f8f389e908a874e45c42ea5e5d5f24de1dbfed7542e", - "zh:cb37278073ede7b5e18116faebea49d5d47496d5093cec6c69065fb9ad1f622d", - "zh:ec4b64d66470b078162c13479446ad6819c93099149b478f43d990702f937fd3", - "zh:f55c3a3ba975ecfe73c729a085efb0432c02c74e91edaf40d351cdb231c3836b", - ] -} diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf index 463189bc..183795c1 100644 --- a/web/deploy/terraform/state/main.tf +++ b/web/deploy/terraform/state/main.tf @@ -3,16 +3,16 @@ terraform { } module "stage_state" { - source = "./modules/state/" + source = "../modules/state/" environment = "stage" } module "prod_state" { - source = "./modules/state/" + source = "../modules/state/" environment = "prod" } module "shared_state" { - source = "./modules/state/" + source = "../modules/state/" environment = "shared" } From 66c2d274dea3245c1f6712932ece3a10a13fd029 Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 27 Sep 2024 20:14:33 -0700 Subject: [PATCH 23/59] Move network module files to appropriate location --- web/deploy/terraform/{shared => modules}/networking/main.tf | 0 web/deploy/terraform/{shared => modules}/networking/outputs.tf | 0 web/deploy/terraform/{shared => modules}/networking/variables.tf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename web/deploy/terraform/{shared => modules}/networking/main.tf (100%) rename web/deploy/terraform/{shared => modules}/networking/outputs.tf (100%) rename web/deploy/terraform/{shared => modules}/networking/variables.tf (100%) diff --git a/web/deploy/terraform/shared/networking/main.tf b/web/deploy/terraform/modules/networking/main.tf similarity index 100% rename from web/deploy/terraform/shared/networking/main.tf rename to web/deploy/terraform/modules/networking/main.tf diff --git a/web/deploy/terraform/shared/networking/outputs.tf b/web/deploy/terraform/modules/networking/outputs.tf similarity index 100% rename from web/deploy/terraform/shared/networking/outputs.tf rename to web/deploy/terraform/modules/networking/outputs.tf diff --git a/web/deploy/terraform/shared/networking/variables.tf b/web/deploy/terraform/modules/networking/variables.tf similarity index 100% rename from web/deploy/terraform/shared/networking/variables.tf rename to web/deploy/terraform/modules/networking/variables.tf From 38a6ce61f0e47fe985c7d78018ae6e8049f3574f Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 27 Sep 2024 22:29:21 -0700 Subject: [PATCH 24/59] Store network config values in variables --- .../terraform/modules/networking/main.tf | 44 ++++------ .../terraform/modules/networking/outputs.tf | 6 +- .../terraform/modules/networking/variables.tf | 88 ++++++++++++++++--- 3 files changed, 95 insertions(+), 43 deletions(-) 
diff --git a/web/deploy/terraform/modules/networking/main.tf b/web/deploy/terraform/modules/networking/main.tf index ba856059..3931dd83 100644 --- a/web/deploy/terraform/modules/networking/main.tf +++ b/web/deploy/terraform/modules/networking/main.tf @@ -9,13 +9,17 @@ terraform { } } +provider "aws" { + region = var.region +} + # VPC resource "aws_vpc" "main" { - cidr_block = "10.0.0.0/16" + cidr_block = var.vpc_ipv4_cidr_block enable_dns_hostnames = true enable_dns_support = true tags = { - Name = "osm-vpc" + Name = "${var.vpc_name}-${var.environment}" } } @@ -24,7 +28,7 @@ resource "aws_internet_gateway" "main" { vpc_id = aws_vpc.main.id tags = { - Name = "osm-internet-gateway" + Name = "${var.internet_gateway_name}-${var.environment}" } } @@ -33,15 +37,15 @@ resource "aws_route_table" "main" { vpc_id = aws_vpc.main.id route { - cidr_block = "0.0.0.0/0" + cidr_block = var.route_table_ipv4_cidr_block gateway_id = aws_internet_gateway.main.id } route { - ipv6_cidr_block = "::/0" + ipv6_cidr_block = var.route_table_ipv6_cidr_block gateway_id = aws_internet_gateway.main.id } tags = { - Name = "osm-route-table" + Name = "${var.route_table_name}-${var.environment}" } } @@ -75,6 +79,7 @@ resource "aws_network_acl_rule" "allow_all_outbound" { from_port = 0 to_port = 65535 } + resource "aws_security_group" "allow_all" { name = "allow_all_security_group" description = "Security group that allows all inbound and outbound traffic" @@ -113,11 +118,11 @@ resource "aws_security_group" "allow_all" { } resource "aws_vpc_dhcp_options" "main" { - domain_name = "compute-1.amazonaws.com" - domain_name_servers = ["AmazonProvidedDNS"] + domain_name = var.vpc_domain_name + domain_name_servers = var.vpc_domain_name_servers tags = { - Name = "osm-dhcp-options" + Name = "${var.vpc_dhcp_options_name}-${var.environment}" } } 
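Review bot: The first hunk adds a `provider "aws"` block to the networking module, which is a reusable child module called from a root (the later `shared/main.tf` patch in this series does exactly that); provider configurations inside child modules are a legacy pattern in Terraform and prevent the caller from using `count`, `for_each` or `depends_on` on the module or removing it cleanly. Drop the block and keep only `required_providers` in the module's `terraform {}` block, letting the root's provider configuration, with its region, flow in. In the `@@ -33,15 +37,15 @@` hunk the two default routes are now driven by `var.route_table_ipv4_cidr_block` and `var.route_table_ipv6_cidr_block`; a route to an internet gateway is a default route by definition, so making `0.0.0.0/0` and `::/0` configurable adds a way to misconfigure the VPC without adding flexibility, which is presumably not intended. The enclosing `terraform {}` block at the top of the file starts outside the first hunk.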
@@ -126,16 +131,15 @@ resource "aws_vpc_dhcp_options_association" "main" { dhcp_options_id = aws_vpc_dhcp_options.main.id } - # main Subnet resource "aws_subnet" "main" { vpc_id = aws_vpc.main.id - cidr_block = "10.0.1.0/24" - availability_zone = "us-east-1a" + cidr_block = var.subnet_ipv4_cidr_block + availability_zone = "${var.region}${var.availability_zone_letter_identifier}" map_public_ip_on_launch = true tags = { - Name = "main-subnet" + Name = "${var.subnet_name}-${var.environment}" } } @@ -150,17 +154,3 @@ resource "aws_network_acl_association" "main" { subnet_id = aws_subnet.main.id network_acl_id = aws_network_acl.allow_all.id } - - -# Security Group - - -# Data source to find the latest Ubuntu AMI -data "aws_ami" "ubuntu" { - most_recent = true - owners = ["099720109477"] - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] - } -} diff --git a/web/deploy/terraform/modules/networking/outputs.tf b/web/deploy/terraform/modules/networking/outputs.tf index 07d8bd0b..f8767826 100644 --- a/web/deploy/terraform/modules/networking/outputs.tf +++ b/web/deploy/terraform/modules/networking/outputs.tf @@ -22,6 +22,6 @@ output "aws_network_acl_id" { value = aws_network_acl.allow_all.id } -output "ami_id" { - value = data.aws_ami.ubuntu.id -} +# output "ami_id" { +# value = data.aws_ami.ubuntu.id +# } diff --git a/web/deploy/terraform/modules/networking/variables.tf b/web/deploy/terraform/modules/networking/variables.tf index ceae8d73..5b6ec11c 100644 --- a/web/deploy/terraform/modules/networking/variables.tf +++ b/web/deploy/terraform/modules/networking/variables.tf 
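Review bot: The `outputs.tf` hunk comments out `output "ami_id"` instead of deleting it together with the `data "aws_ami" "ubuntu"` block removed in the `@@ -150,17 +154,3 @@` hunk; commented-out code rots, and git already keeps the history. If the output is meant to return once an AMI lookup is reintroduced, a one-line note is clearer than dead code: `# ami_id output removed together with the aws_ami data source in modules/networking/main.tf`. In the subnet hunk, `availability_zone = "${var.region}${var.availability_zone_letter_identifier}"` assumes every region exposes a zone with that letter suffix; a short comment stating that assumption would help the next reader.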
@@ -1,21 +1,12 @@ -# tflint-ignore: terraform_unused_declarations -variable "aws_region" { +variable "region" { description = "AWS region" default = "us-east-1" type = string } -# tflint-ignore: terraform_unused_declarations -variable "s3_bucket" { - description = "S3 bucket for Terraform state" - default = "osm-storage" - type = string -} - -# tflint-ignore: terraform_unused_declarations -variable "dynamodb_table" { - description = "DynamoDB table for Terraform state locking" - default = "terraform-locks" +variable "availability_zone_letter_identifier" { + description = "The letter identifier for the AWS Availablity Zone. Usually `a` or `b`." + default = "a" type = string } 
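Review bot: The description of the new `availability_zone_letter_identifier` variable misspells `Availablity`; fix the spelling to `Availability`. Renaming `aws_region` to `region` also drops its `tflint-ignore` pragma, which is right only if the variable is now referenced; the `provider "aws"` block added in this patch's `main.tf` hunk does read `var.region`, so that holds.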
@@ -25,3 +16,74 @@ variable "ssh_port" { default = 22 type = number } + +variable "environment" { + description = "The name of the environment. Usually `shared`, `stage`, or `prod`." + type = string +} + +variable "vpc_name" { + description = "The name used to tag the VPC." + default = "osm-vpc" + type = string +} + +variable "vpc_ipv4_cidr_block" { + description = "The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length`" + default = "10.0.0.0/16" + type = string +} + +variable "internet_gateway_name" { + description = "The name of the internet gateway" + default = "osm-internet-gateway" + type = string +} + +variable "route_table_name" { + description = "The name used to tag the route table." + default = "osm-route-table" + type = string +} + +variable "route_table_ipv4_cidr_block" { + description = "The IPv4 CIDR block of the route table" + default = "0.0.0.0/0" + type = string +} + +variable "route_table_ipv6_cidr_block" { + description = "The IPv6 CIDR block of the route table" + default = "::/0" + type = string +} + +variable "vpc_domain_name" { + description = "The suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the `search` value in the `/etc/resolv.conf` file." + default = "compute-1.amazonaws.com" + type = string +} + +variable "vpc_domain_name_servers" { + description = "List of name servers to configure in `/etc/resolv.conf`. If you want to use the default AWS nameservers you should set this to `AmazonProvidedDNS`." 
+ default = ["AmazonProvidedDNS"] + type = list(string) +} + +variable "vpc_dhcp_options_name" { + description = "The name used to tag the VPC DHCP options" + default = "osm-dhcp-options" + type = string +} + +variable "subnet_name" { + description = "The name used to tag the AWS subnet" + default = "main-subnet" + type = string +} + +variable "subnet_ipv4_cidr_block" { + description = "The IPv4 CIDR block for the subnet." + default = "10.0.1.0/24" + type = string +} From dfd83e5f31ed0606466983ad160ba06e2e04a5ec Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 27 Sep 2024 22:48:12 -0700 Subject: [PATCH 25/59] Set up networking infrastructure config --- web/deploy/terraform/shared/main.tf | 23 +++++++++++++++++++ web/deploy/terraform/shared/outputs.tf | 0 web/deploy/terraform/shared/vairables.tf | 5 ++++ .../terraform/shared/variables_state.tf | 23 +++++++++++++++++++ 4 files changed, 51 insertions(+) create mode 100644 web/deploy/terraform/shared/main.tf create mode 100644 web/deploy/terraform/shared/outputs.tf create mode 100644 web/deploy/terraform/shared/vairables.tf create mode 100644 web/deploy/terraform/shared/variables_state.tf diff --git a/web/deploy/terraform/shared/main.tf b/web/deploy/terraform/shared/main.tf new file mode 100644 index 00000000..615491d1 --- /dev/null +++ b/web/deploy/terraform/shared/main.tf @@ -0,0 +1,23 @@ +terraform { + required_version = ">= 1.8.0, < 2.0.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } + + backend "s3" { + bucket = "${var.state_bucket_name}-${var.environment}" + key = var.state_backend_key + region = var.state_storage_region + dynamodb_table = "${var.state_table_name}-${var.environment}" + encrypt = true + } +} + +module "networking" { + source = "../modules/networking/" + environment = var.environment +} 
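Review bot: `variable "environment"` is interpolated into every resource name in this module but carries no `validation` block, so a typo such as `prd` silently provisions a fourth, unnamed environment instead of failing at plan time. Since the description already enumerates the accepted values, enforce them. `vpc_domain_name` defaulting to `compute-1.amazonaws.com` is also specific to us-east-1 and will be wrong whenever `region` is overridden; deriving it from `var.region` or requiring it explicitly is safer.

```hcl
variable "environment" {
  description = "The name of the environment. Usually `shared`, `stage`, or `prod`."
  type        = string

  validation {
    condition     = contains(["shared", "stage", "prod"], var.environment)
    error_message = "environment must be one of: shared, stage, prod."
  }
}
```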
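Review bot: the `backend "s3"` block in `shared/main.tf` interpolates `var.state_bucket_name`, `var.environment`, `var.state_storage_region` and `var.state_table_name`, which Terraform rejects outright because backend configuration cannot reference input variables; as far as I know only OpenTofu 1.8+ with its static evaluation accepts this, which `required_version = ">= 1.8.0"` hints at but does not enforce. Either commit to OpenTofu explicitly (say so in a comment and pin the tool in CI) or switch to a partial backend configuration passed with `-backend-config=…` per environment. `encrypt = true` is right; it is also worth a comment here that the bucket and lock table must already exist from the bootstrap module, since nothing in this root expresses that dependency.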
diff --git a/web/deploy/terraform/shared/outputs.tf b/web/deploy/terraform/shared/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/web/deploy/terraform/shared/vairables.tf b/web/deploy/terraform/shared/vairables.tf new file mode 100644 index 00000000..62bad9f4 --- /dev/null +++ b/web/deploy/terraform/shared/vairables.tf @@ -0,0 +1,5 @@ +variable "environment" { + description = "The name of the environment. Usually `shared`, `stage`, or `prod`." + default = "shared" + type = string +} diff --git a/web/deploy/terraform/shared/variables_state.tf b/web/deploy/terraform/shared/variables_state.tf new file mode 100644 index 00000000..7993c2ab --- /dev/null +++ b/web/deploy/terraform/shared/variables_state.tf @@ -0,0 +1,23 @@ +variable "state_storage_region" { + description = "AWS region" + default = "us-east-1" + type = string +} + +variable "state_bucket_name" { + description = "The name of the S3 bucket to store Terraform state." + type = string + default = "osm-terraform-state-storage" +} + +variable "state_table_name" { + description = "The name of the DynamoDB table for Terraform state locks." + type = string + default = "terraform-state-locks" +} + +variable "state_backend_key" { + description = "Path to the state file inside the S3 Bucket" + type = string + default = "terraform.tfstate" +} From 898d04be70a6b4ab76cd648a5f1fbb07f0f09c36 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 30 Sep 2024 14:10:46 -0700 Subject: [PATCH 26/59] Fix typo --- web/deploy/terraform/shared/{vairables.tf => variables.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename web/deploy/terraform/shared/{vairables.tf => variables.tf} (100%) diff --git a/web/deploy/terraform/shared/vairables.tf b/web/deploy/terraform/shared/variables.tf similarity index 100% rename from web/deploy/terraform/shared/vairables.tf rename to web/deploy/terraform/shared/variables.tf 
From ce6440de1ba564d78eab53889c174dfd8312622a Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 1 Oct 2024 00:10:17 -0700 Subject: [PATCH 27/59] Add ECR configuration --- web/deploy/terraform/modules/ecr/main.tf | 27 +++++++++++++++++++ web/deploy/terraform/modules/ecr/outputs.tf | 0 web/deploy/terraform/modules/ecr/variables.tf | 16 +++++++++++ web/deploy/terraform/shared/main.tf | 5 ++++ 4 files changed, 48 insertions(+) create mode 100644 web/deploy/terraform/modules/ecr/main.tf create mode 100644 web/deploy/terraform/modules/ecr/outputs.tf create mode 100644 web/deploy/terraform/modules/ecr/variables.tf diff --git a/web/deploy/terraform/modules/ecr/main.tf b/web/deploy/terraform/modules/ecr/main.tf new file mode 100644 index 00000000..31c5b46e --- /dev/null +++ b/web/deploy/terraform/modules/ecr/main.tf @@ -0,0 +1,27 @@ +terraform { + required_version = ">= 1.0.0, < 2.0.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} + +provider "aws" { + region = var.region +} + +resource "aws_ecr_repository" "ecr_repository" { + name = "${var.ecr_name}-${var.environment}" + image_tag_mutability = "IMMUTABLE" + + image_scanning_configuration { + scan_on_push = true + } + + encryption_configuration { + encryption_type = "AES256" + } +} diff --git a/web/deploy/terraform/modules/ecr/outputs.tf b/web/deploy/terraform/modules/ecr/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/web/deploy/terraform/modules/ecr/variables.tf b/web/deploy/terraform/modules/ecr/variables.tf new file mode 100644 index 00000000..201c4474 --- /dev/null +++ b/web/deploy/terraform/modules/ecr/variables.tf 
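Review bot: `provider "aws"` is declared inside the reusable `modules/ecr` module, which prevents using `count`/`for_each` on the module and makes the region a per-module variable instead of something inherited from the root; the root `shared/main.tf` added in patch 25 has no provider block of its own, so removing this one means adding `provider "aws" { region = var.region }` there instead. `required_version = ">= 1.0.0, < 2.0.0"` also disagrees with the root's `>= 1.8.0`; aligning them avoids a module that accepts a runtime the root rejects. `IMMUTABLE` tags with `scan_on_push = true` are the right defaults for a CI-pushed repository.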
@@ -0,0 +1,16 @@ +variable "environment" { + description = "The name of the environment. Usually `shared`, `stage`, or `prod`." + type = string +} + +variable "region" { + description = "AWS region" + default = "us-east-1" + type = string +} + +variable "ecr_name" { + description = "The name of the ECR repository" + default = "osm-ecr" + type = string +} diff --git a/web/deploy/terraform/shared/main.tf b/web/deploy/terraform/shared/main.tf index 615491d1..bdc99d4d 100644 --- a/web/deploy/terraform/shared/main.tf +++ b/web/deploy/terraform/shared/main.tf @@ -21,3 +21,8 @@ module "networking" { source = "../modules/networking/" environment = var.environment } + +module "ecr" { + source = "../modules/ecr/" + environment = var.environment +} From d941f0a6f109c962c03ebef7b1ce05d00b43f9dc Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 1 Oct 2024 00:41:39 -0700 Subject: [PATCH 28/59] Add `arn` output --- web/deploy/terraform/modules/ecr/main.tf | 2 +- web/deploy/terraform/modules/ecr/outputs.tf | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/web/deploy/terraform/modules/ecr/main.tf b/web/deploy/terraform/modules/ecr/main.tf index 31c5b46e..61f16323 100644 --- a/web/deploy/terraform/modules/ecr/main.tf +++ b/web/deploy/terraform/modules/ecr/main.tf @@ -13,7 +13,7 @@ provider "aws" { region = var.region } -resource "aws_ecr_repository" "ecr_repository" { +resource "aws_ecr_repository" "main" { name = "${var.ecr_name}-${var.environment}" image_tag_mutability = "IMMUTABLE" diff --git a/web/deploy/terraform/modules/ecr/outputs.tf b/web/deploy/terraform/modules/ecr/outputs.tf index e69de29b..df5705a5 100644 --- a/web/deploy/terraform/modules/ecr/outputs.tf +++ b/web/deploy/terraform/modules/ecr/outputs.tf @@ -0,0 +1,3 @@ +output "arn" { + value = aws_ecr_repository.main.arn +} From 253b92dd4be2ffd47ad884f7e447af6ba157b7e5 Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 1 Oct 2024 22:30:22 -0700 Subject: [PATCH 29/59] Use separate ECRs for API and dashboard --- web/deploy/terraform/shared/main.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/web/deploy/terraform/shared/main.tf b/web/deploy/terraform/shared/main.tf index bdc99d4d..3e006ebf 100644 --- a/web/deploy/terraform/shared/main.tf +++ b/web/deploy/terraform/shared/main.tf @@ -22,7 +22,14 @@ module "networking" { environment = var.environment } -module "ecr" { +module "ecr_api" { source = "../modules/ecr/" environment = var.environment + ecr_name = "api" +} + +module "ecr_dashboard" { + source = "../modules/ecr/" + environment = var.environment + ecr_name = "dashboard" } From bc82e12c20ba4e286300353e2cb187bef8ec3063 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 1 Oct 2024 02:09:05 -0700 Subject: [PATCH 30/59] Add basic IAM roles and infrastructure to be used by github actions The IAM roles might need to be modified before this PR is merged --- web/deploy/terraform/modules/ecr/main.tf | 20 +++++++++++++++++ .../modules/ecr/policies/assume-role.json | 14 ++++++++++++ .../ecr/policies/gha-policy.json.tftpl | 22 +++++++++++++++++++ web/deploy/terraform/modules/ecr/variables.tf | 12 ++++++++++ 4 files changed, 68 insertions(+) create mode 100644 web/deploy/terraform/modules/ecr/policies/assume-role.json create mode 100644 web/deploy/terraform/modules/ecr/policies/gha-policy.json.tftpl diff --git a/web/deploy/terraform/modules/ecr/main.tf b/web/deploy/terraform/modules/ecr/main.tf index 61f16323..56b532e0 100644 --- a/web/deploy/terraform/modules/ecr/main.tf +++ b/web/deploy/terraform/modules/ecr/main.tf 
@@ -25,3 +25,23 @@ resource "aws_ecr_repository" "main" { encryption_type = "AES256" } } + +resource "aws_iam_policy" "cd" { + name = "${var.cd_iam_policy_name}-${var.environment}" + policy = templatefile( + "${path.module}/policies/gha-policy.json.tftpl", + { + resource = aws_ecr_repository.main.arn + }, + ) +} + +resource "aws_iam_role" "cd" { + name = "${var.cd_iam_role_policy_name}-${var.environment}" + assume_role_policy = file("${path.module}/policies/assume-role.json") +} + +resource "aws_iam_role_policy_attachment" "cd" { + role = aws_iam_role.cd.name + policy_arn = aws_iam_policy.cd.arn +} diff --git a/web/deploy/terraform/modules/ecr/policies/assume-role.json b/web/deploy/terraform/modules/ecr/policies/assume-role.json new file mode 100644 index 00000000..67d5848a --- /dev/null +++ b/web/deploy/terraform/modules/ecr/policies/assume-role.json @@ -0,0 +1,14 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sts:AssumeRole" + ], + "Principal" : { + "Service" : "ec2.amazonaws.com" + } + } + ] +} diff --git a/web/deploy/terraform/modules/ecr/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/ecr/policies/gha-policy.json.tftpl new file mode 100644 index 00000000..e3c459bf --- /dev/null +++ b/web/deploy/terraform/modules/ecr/policies/gha-policy.json.tftpl @@ -0,0 +1,22 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:BatchGetImage" + ], + "Resource": "${resource}" + }, + { + "Effect": "Allow", + "Action": "ecr:GetAuthorizationToken", + "Resource": "*" + } + ] +} diff --git a/web/deploy/terraform/modules/ecr/variables.tf b/web/deploy/terraform/modules/ecr/variables.tf index 201c4474..76a4d41c 100644 --- a/web/deploy/terraform/modules/ecr/variables.tf +++ b/web/deploy/terraform/modules/ecr/variables.tf 
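Review bot: `aws_iam_role.cd` and `aws_iam_policy.cd` are created inside the `ecr` module with names built only from `var.cd_iam_role_policy_name` / `var.cd_iam_policy_name` and `var.environment`, but `shared/main.tf` instantiates this module twice (`ecr_api`, `ecr_dashboard` from patch 29), so the second instance will fail with an EntityAlreadyExists error on `github-actions-role-shared` / `GitHubActions-ECR-shared`. Either include `var.ecr_name` in the role and policy names, or create one role at the root that receives both repository ARNs. The commit message already flags that the IAM pieces need revision; this collision is a hard apply failure rather than a tuning issue.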
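Review bot: the trust policy in `assume-role.json` grants `sts:AssumeRole` to the `ec2.amazonaws.com` service principal, which makes this role usable as an EC2 instance profile but not assumable by GitHub Actions, despite the `github-actions-role` default name and the `gha-policy` template attached to it. A GitHub Actions role needs a `Federated` principal for the account's `token.actions.githubusercontent.com` OIDC provider with `sts:AssumeRoleWithWebIdentity` plus `sub`/`aud` conditions; as written, any principal able to pass this role to an instance gets push rights to the repositories instead.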
@@ -14,3 +14,15 @@ variable "ecr_name" { default = "osm-ecr" type = string } + +variable "cd_iam_policy_name" { + description = "The name of the IAM policy for continuous deployment to ECR" + default = "GitHubActions-ECR" + type = string +} + +variable "cd_iam_role_policy_name" { + description = "The name of the IAM role policy for continuous deployment to ECR" + default = "github-actions-role" + type = string +} From 6c05b464464e7a018a3fb833558423ca90723be6 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 1 Oct 2024 23:39:10 -0700 Subject: [PATCH 31/59] Make IAM module --- web/deploy/terraform/modules/ecr/main.tf | 22 +++--------- web/deploy/terraform/modules/ecr/variables.tf | 12 ------- web/deploy/terraform/modules/iam/main.tf | 34 +++++++++++++++++++ web/deploy/terraform/modules/iam/outputs.tf | 0 .../{ecr => iam}/policies/assume-role.json | 0 .../policies/gha-policy.json.tftpl | 0 web/deploy/terraform/modules/iam/variables.tf | 27 +++++++++++++++ 7 files changed, 65 insertions(+), 30 deletions(-) create mode 100644 web/deploy/terraform/modules/iam/main.tf create mode 100644 web/deploy/terraform/modules/iam/outputs.tf rename web/deploy/terraform/modules/{ecr => iam}/policies/assume-role.json (100%) rename web/deploy/terraform/modules/{ecr => iam}/policies/gha-policy.json.tftpl (100%) create mode 100644 web/deploy/terraform/modules/iam/variables.tf diff --git a/web/deploy/terraform/modules/ecr/main.tf b/web/deploy/terraform/modules/ecr/main.tf index 56b532e0..61e69956 100644 --- a/web/deploy/terraform/modules/ecr/main.tf +++ b/web/deploy/terraform/modules/ecr/main.tf 
@@ -26,22 +26,8 @@ resource "aws_ecr_repository" "main" { } } -resource "aws_iam_policy" "cd" { - name = "${var.cd_iam_policy_name}-${var.environment}" - policy = templatefile( - "${path.module}/policies/gha-policy.json.tftpl", - { - resource = aws_ecr_repository.main.arn - }, - ) -} - -resource "aws_iam_role" "cd" { - name = "${var.cd_iam_role_policy_name}-${var.environment}" - assume_role_policy = file("${path.module}/policies/assume-role.json") -} - -resource "aws_iam_role_policy_attachment" "cd" { - role = aws_iam_role.cd.name - policy_arn = aws_iam_policy.cd.arn +module "iam_role_and_policy" { + source = "../iam/" + environment = var.environment + cd_iam_policy_resource = aws_ecr_repository.main.arn } diff --git a/web/deploy/terraform/modules/ecr/variables.tf b/web/deploy/terraform/modules/ecr/variables.tf index 76a4d41c..201c4474 100644 --- a/web/deploy/terraform/modules/ecr/variables.tf +++ b/web/deploy/terraform/modules/ecr/variables.tf @@ -14,15 +14,3 @@ variable "ecr_name" { default = "osm-ecr" type = string } - -variable "cd_iam_policy_name" { - description = "The name of the IAM policy for continuous deployment to ECR" - default = "GitHubActions-ECR" - type = string -} - -variable "cd_iam_role_policy_name" { - description = "The name of the IAM role policy for continuous deployment to ECR" - default = "github-actions-role" - type = string -} diff --git a/web/deploy/terraform/modules/iam/main.tf b/web/deploy/terraform/modules/iam/main.tf new file mode 100644 index 00000000..a9c3e15b --- /dev/null +++ b/web/deploy/terraform/modules/iam/main.tf 
@@ -0,0 +1,34 @@ +terraform { + required_version = ">= 1.0.0, < 2.0.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} + +provider "aws" { + region = var.region +} + +resource "aws_iam_policy" "cd" { + name = "${var.cd_iam_policy_name}-${var.environment}" + policy = templatefile( + "${path.module}/policies/gha-policy.json.tftpl", + { + resource = var.cd_iam_policy_resource + }, + ) +} + +resource "aws_iam_role" "cd" { + name = "${var.cd_iam_role_policy_name}-${var.environment}" + assume_role_policy = file("${path.module}/policies/assume-role.json") +} + +resource "aws_iam_role_policy_attachment" "cd" { + role = aws_iam_role.cd.name + policy_arn = aws_iam_policy.cd.arn +} diff --git a/web/deploy/terraform/modules/iam/outputs.tf b/web/deploy/terraform/modules/iam/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/web/deploy/terraform/modules/ecr/policies/assume-role.json b/web/deploy/terraform/modules/iam/policies/assume-role.json similarity index 100% rename from web/deploy/terraform/modules/ecr/policies/assume-role.json rename to web/deploy/terraform/modules/iam/policies/assume-role.json diff --git a/web/deploy/terraform/modules/ecr/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl similarity index 100% rename from web/deploy/terraform/modules/ecr/policies/gha-policy.json.tftpl rename to web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl diff --git a/web/deploy/terraform/modules/iam/variables.tf b/web/deploy/terraform/modules/iam/variables.tf new file mode 100644 index 00000000..0aab18e0 --- /dev/null +++ b/web/deploy/terraform/modules/iam/variables.tf 
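Review bot: `aws_iam_role.cd` is a CI-assumable role with no `permissions_boundary`, so any future widening of `gha-policy.json.tftpl` (or an `iam:*` grant) is unbounded; since the attached policy is clearly meant to grow beyond ECR, a boundary is the cheapest guardrail available. Add an optional string variable (default `null`) for the boundary ARN and set `permissions_boundary = var.cd_permissions_boundary_arn` on the role. The `provider "aws"` block duplicates the one in `modules/ecr` and belongs in the root module; IAM is global, so `var.region` buys nothing here.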
@@ -0,0 +1,27 @@ +variable "environment" { + description = "The name of the environment. Usually `shared`, `stage`, or `prod`." + type = string +} + +variable "region" { + description = "AWS region" + default = "us-east-1" + type = string +} + +variable "cd_iam_policy_name" { + description = "The name of the IAM policy for continuous deployment to ECR" + default = "GitHubActions-ECR" + type = string +} + +variable "cd_iam_policy_resource" { + description = "The arn of the resource to which the IAM policy is applied" + type = string +} + +variable "cd_iam_role_policy_name" { + description = "The name of the IAM role policy for continuous deployment to ECR" + default = "github-actions-role" + type = string +} From 80f91e6905486a52d3adc89bb02cbf324a5c9077 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 2 Oct 2024 14:50:34 -0700 Subject: [PATCH 32/59] Move creation of policy to shared config --- web/deploy/terraform/modules/ecr/main.tf | 6 ------ web/deploy/terraform/modules/iam/main.tf | 2 +- .../terraform/modules/iam/policies/gha-policy.json.tftpl | 2 +- web/deploy/terraform/modules/iam/variables.tf | 4 ++-- web/deploy/terraform/shared/main.tf | 6 ++++++ 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/web/deploy/terraform/modules/ecr/main.tf b/web/deploy/terraform/modules/ecr/main.tf index 61e69956..61f16323 100644 --- a/web/deploy/terraform/modules/ecr/main.tf +++ b/web/deploy/terraform/modules/ecr/main.tf @@ -25,9 +25,3 @@ resource "aws_ecr_repository" "main" { encryption_type = "AES256" } } - -module "iam_role_and_policy" { - source = "../iam/" - environment = var.environment - cd_iam_policy_resource = aws_ecr_repository.main.arn -} diff --git a/web/deploy/terraform/modules/iam/main.tf b/web/deploy/terraform/modules/iam/main.tf index a9c3e15b..62f63f74 100644 --- a/web/deploy/terraform/modules/iam/main.tf +++ b/web/deploy/terraform/modules/iam/main.tf 
@@ -18,7 +18,7 @@ resource "aws_iam_policy" "cd" { policy = templatefile( "${path.module}/policies/gha-policy.json.tftpl", { - resource = var.cd_iam_policy_resource + resources = jsonencode(var.cd_iam_policy_resources) }, ) } diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl index e3c459bf..9c754800 100644 --- a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl +++ b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl @@ -11,7 +11,7 @@ "ecr:PutImage", "ecr:BatchGetImage" ], - "Resource": "${resource}" + "Resource": ${resources} }, { "Effect": "Allow", diff --git a/web/deploy/terraform/modules/iam/variables.tf b/web/deploy/terraform/modules/iam/variables.tf index 0aab18e0..35c1e5db 100644 --- a/web/deploy/terraform/modules/iam/variables.tf +++ b/web/deploy/terraform/modules/iam/variables.tf @@ -15,9 +15,9 @@ variable "cd_iam_policy_name" { type = string } -variable "cd_iam_policy_resource" { +variable "cd_iam_policy_resources" { description = "The arn of the resource to which the IAM policy is applied" - type = string + type = list(string) } variable "cd_iam_role_policy_name" { diff --git a/web/deploy/terraform/shared/main.tf b/web/deploy/terraform/shared/main.tf index 3e006ebf..5595b025 100644 --- a/web/deploy/terraform/shared/main.tf +++ b/web/deploy/terraform/shared/main.tf @@ -33,3 +33,9 @@ module "ecr_dashboard" { environment = var.environment ecr_name = "dashboard" } + +module "iam_role_and_policy" { + source = "../modules/iam/" + environment = var.environment + cd_iam_policy_resources = [module.ecr_api.arn, module.ecr_dashboard.arn] +} From ac74d52072a4235f6e43dea3af03fc123e692f6a Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 4 Oct 2024 17:22:03 -0700 Subject: [PATCH 33/59] Add conditions to assume-role iam policy More changes will be required --- .../modules/iam/policies/assume-role.json | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/web/deploy/terraform/modules/iam/policies/assume-role.json b/web/deploy/terraform/modules/iam/policies/assume-role.json index 67d5848a..6a62d5db 100644 --- a/web/deploy/terraform/modules/iam/policies/assume-role.json +++ b/web/deploy/terraform/modules/iam/policies/assume-role.json @@ -3,11 +3,20 @@ "Statement": [ { "Effect": "Allow", - "Action": [ - "sts:AssumeRole" - ], - "Principal" : { - "Service" : "ec2.amazonaws.com" + "Principal": { + "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringLike": { + "token.actions.githubusercontent.com:sub": [ + "repo:nimh-dsst/osm:*", + "repo:smokestacklightnin/osm:*" + ] + }, + "StringEquals": { + "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" + } } } ] From 8dbf9e84386327b9b006b6a80680dcae9202f224 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 4 Oct 2024 17:38:57 -0700 Subject: [PATCH 34/59] Add s3 actions to github iam policy --- .../modules/iam/policies/gha-policy.json.tftpl | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl index 9c754800..d9118509 100644 --- a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl +++ b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl 
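Review bot: the `sub` condition `repo:nimh-dsst/osm:*` (and `repo:smokestacklightnin/osm:*`) lets a workflow on any branch, tag or pull request of those repositories assume the deploy role, and the second entry is a personal fork whose collaborators sit outside the `nimh-dsst` organisation's controls; since patch 36 later attaches wildcard permissions to this same role, this trust policy is effectively the whole security boundary. Restrict `sub` to the deploying ref or environment, e.g. `"repo:nimh-dsst/osm:ref:refs/heads/main"` or `"repo:nimh-dsst/osm:environment:prod"`, and drop the fork (test from a branch of the canonical repository instead). `123456123456` in the `Federated` ARN looks like a placeholder account ID; because this is a static `.json` loaded with `file()`, turn it into a `.tftpl` and fill the ARN from an `aws_iam_openid_connect_provider` resource or `data.aws_caller_identity`, otherwise the policy points at a provider in another account and every assumption fails.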
@@ -9,8 +9,15 @@ "ecr:InitiateLayerUpload", "ecr:BatchCheckLayerAvailability", "ecr:PutImage", - "ecr:BatchGetImage" - ], + "ecr:BatchGetImage", + "s3:GetBucketEncryption", + "s3:GetBucketTagging", + "s3:PutBucketTagging", + "s3:GetObject", + "s3:PutObject", + "s3:ListObjectsV2", + "s3:ListBuckets", + ], "Resource": ${resources} }, { From 5eeaaa8349ba377a8a89dddbec3745c3f4eb1e02 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 4 Oct 2024 17:51:08 -0700 Subject: [PATCH 35/59] Add dynamodb permissions --- .../modules/iam/policies/gha-policy.json.tftpl | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl index d9118509..7e6b5f6d 100644 --- a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl +++ b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl @@ -17,6 +17,16 @@ "s3:PutObject", "s3:ListObjectsV2", "s3:ListBuckets", + "dynamodb:CreateTable", + "dynamodb:DeleteTable", + "dynamodb:DescribeTable", + "dynamodb:ListTables", + "dynamodb:UpdateTable", + "dynamodb:PutItem", + "dynamodb:GetItem", + "dynamodb:DeleteItem", + "dynamodb:Query", + "dynamodb:Scan" ], "Resource": ${resources} }, From 1f09d57e844639b639bc59aa19ac57ba399bf1b6 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:50:40 -0700 Subject: [PATCH 36/59] Add temporary admin privileges to IAM role IMPORTANT: These roles must be restricted asap --- .../policies/gha-policy-nonadmin.json.tftpl | 39 +++++++++++++++++++ .../iam/policies/gha-policy.json.tftpl | 27 ++----------- 2 files changed, 43 insertions(+), 23 deletions(-) create mode 100644 web/deploy/terraform/modules/iam/policies/gha-policy-nonadmin.json.tftpl 
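Review bot: the S3 actions are appended to the statement whose `Resource` is `${resources}` — the ECR repository ARNs passed from `shared/main.tf` — so none of them grant anything (an `s3:` action never matches an `arn:aws:ecr:` resource), and `s3:ListObjectsV2` and `s3:ListBuckets` are not IAM action names (`s3:ListBucket` and `s3:ListAllMyBuckets` are). The trailing comma after `"s3:ListBuckets",` also leaves the rendered JSON invalid until a later patch appends more entries. Give the state bucket its own statements, with bucket-level and object-level ARNs passed in as template variables from `templatefile()`, rather than growing the ECR statement.

```json
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketEncryption", "s3:GetBucketTagging", "s3:PutBucketTagging"],
      "Resource": "${state_bucket_arn}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "${state_bucket_arn}/*"
    },
```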
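Review bot: `dynamodb:CreateTable`, `dynamodb:DeleteTable`, `dynamodb:UpdateTable` and `dynamodb:Scan` are more than state locking needs — the S3 backend only issues `GetItem`, `PutItem`, `DeleteItem` (plus `DescribeTable`) against the lock table — and granting `DeleteTable` to a CI role means a compromised workflow can drop the lock table outright. Trim the list to those four and, as with the S3 actions, scope them to the lock table's ARN in a separate statement instead of `${resources}`, which in this statement is still the ECR ARNs.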
diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy-nonadmin.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy-nonadmin.json.tftpl new file mode 100644 index 00000000..7e6b5f6d --- /dev/null +++ b/web/deploy/terraform/modules/iam/policies/gha-policy-nonadmin.json.tftpl @@ -0,0 +1,39 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:BatchGetImage", + "s3:GetBucketEncryption", + "s3:GetBucketTagging", + "s3:PutBucketTagging", + "s3:GetObject", + "s3:PutObject", + "s3:ListObjectsV2", + "s3:ListBuckets", + "dynamodb:CreateTable", + "dynamodb:DeleteTable", + "dynamodb:DescribeTable", + "dynamodb:ListTables", + "dynamodb:UpdateTable", + "dynamodb:PutItem", + "dynamodb:GetItem", + "dynamodb:DeleteItem", + "dynamodb:Query", + "dynamodb:Scan" + ], + "Resource": ${resources} + }, + { + "Effect": "Allow", + "Action": "ecr:GetAuthorizationToken", + "Resource": "*" + } + ] +} diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl index 7e6b5f6d..36a45c2f 100644 --- a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl +++ b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl 
@@ -4,29 +4,10 @@ { "Effect": "Allow", "Action": [ - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage", - "ecr:BatchGetImage", - "s3:GetBucketEncryption", - "s3:GetBucketTagging", - "s3:PutBucketTagging", - "s3:GetObject", - "s3:PutObject", - "s3:ListObjectsV2", - "s3:ListBuckets", - "dynamodb:CreateTable", - "dynamodb:DeleteTable", - "dynamodb:DescribeTable", - "dynamodb:ListTables", - "dynamodb:UpdateTable", - "dynamodb:PutItem", - "dynamodb:GetItem", - "dynamodb:DeleteItem", - "dynamodb:Query", - "dynamodb:Scan" + "ec2:*", + "ecr:*", + "s3:*", + "dynamodb:*", ], "Resource": ${resources} }, From 9405fac9dfc9bdba0284c8f6fb13182cba2af233 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 15 Oct 2024 23:56:08 -0700 Subject: [PATCH 37/59] Fix JSON typo --- web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl index 36a45c2f..a8328ac6 100644 --- a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl +++ b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl @@ -7,7 +7,7 @@ "ec2:*", "ecr:*", "s3:*", - "dynamodb:*", + "dynamodb:*" ], "Resource": ${resources} }, From de73f65b202fc1a237f3191d7377b588a081f4cf Mon Sep 17 00:00:00 2001 
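Review bot: `ec2:*`, `ecr:*`, `s3:*`, `dynamodb:*` on a role assumable through the GitHub OIDC trust turns any workflow matching that policy's `sub` wildcard into a near-administrator of four services; the commit message acknowledges this is temporary, but a temporary wildcard on a CI role is exactly the kind of grant that gets forgotten. Note that `Resource` is still `${resources}`, which as of patch 32 is the two ECR ARNs from `shared/main.tf`, so `ec2:*`/`s3:*`/`dynamodb:*` are currently no-ops — if `Resource` is widened to `"*"` to make them effective, add a `permissions_boundary` to the role and a dated tracking issue before merging, and tighten the trust policy's `sub` to a single branch or environment first.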
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:51:21 -0700 Subject: [PATCH 38/59] Move deployment logic to deployment module --- web/deploy/terraform/{staging => modules/deployment}/main.tf | 0 web/deploy/terraform/{staging => modules/deployment}/outputs.tf | 0 web/deploy/terraform/{staging => modules/deployment}/variables.tf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename web/deploy/terraform/{staging => modules/deployment}/main.tf (100%) rename web/deploy/terraform/{staging => modules/deployment}/outputs.tf (100%) rename web/deploy/terraform/{staging => modules/deployment}/variables.tf (100%) diff --git a/web/deploy/terraform/staging/main.tf b/web/deploy/terraform/modules/deployment/main.tf similarity index 100% rename from web/deploy/terraform/staging/main.tf rename to web/deploy/terraform/modules/deployment/main.tf diff --git a/web/deploy/terraform/staging/outputs.tf b/web/deploy/terraform/modules/deployment/outputs.tf similarity index 100% rename from web/deploy/terraform/staging/outputs.tf rename to web/deploy/terraform/modules/deployment/outputs.tf diff --git a/web/deploy/terraform/staging/variables.tf b/web/deploy/terraform/modules/deployment/variables.tf similarity index 100% rename from web/deploy/terraform/staging/variables.tf rename to web/deploy/terraform/modules/deployment/variables.tf From 4443225209d7508475cc1a6ca2a23afcd5d38406 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:51:56 -0700 Subject: [PATCH 39/59] Bump terraform/opentofu version --- web/deploy/terraform/modules/deployment/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/deploy/terraform/modules/deployment/main.tf b/web/deploy/terraform/modules/deployment/main.tf index a16b3c88..684d14cf 100644 --- a/web/deploy/terraform/modules/deployment/main.tf +++ b/web/deploy/terraform/modules/deployment/main.tf 
@@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.0.0, < 2.0.0" + required_version = ">= 1.8.0, < 2.0.0" required_providers { aws = { From 0f51fb1aa2ce602eb30b4ed57316dc88515a15aa Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:32:28 -0700 Subject: [PATCH 40/59] Move configurable options to variables --- .../terraform/modules/deployment/main.tf | 23 ++++++------ .../terraform/modules/deployment/variables.tf | 35 +++++++++++++++++++ .../modules/deployment/variables_state.tf | 23 ++++++++++++ 3 files changed, 70 insertions(+), 11 deletions(-) create mode 100644 web/deploy/terraform/modules/deployment/variables_state.tf diff --git a/web/deploy/terraform/modules/deployment/main.tf b/web/deploy/terraform/modules/deployment/main.tf index 684d14cf..549dfd1c 100644 --- a/web/deploy/terraform/modules/deployment/main.tf +++ b/web/deploy/terraform/modules/deployment/main.tf @@ -10,15 +10,16 @@ terraform { } provider "aws" { - region = "us-east-1" + region = var.region } terraform { backend "s3" { - bucket = "osm-terraform-storage" - key = "terraform/staging-state/terraform.tfstate" - region = "us-east-1" - dynamodb_table = "terraform-locks" + bucket = "${var.state_bucket_name}-${var.environment}" + key = var.state_backend_key + region = var.state_storage_region + dynamodb_table = "${var.state_table_name}-${var.environment}" + encrypt = true } } 
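Review bot: `modules/deployment/main.tf` now declares a `backend "s3"` block, but after patch 38 this file lives under `modules/`; if it is consumed as a child module Terraform ignores the backend with a warning and the deployment state lands in the caller's backend (or local state if the caller has none), and if it is still run as a root the variable interpolation in `bucket`, `region` and `dynamodb_table` is rejected by Terraform (only OpenTofu 1.8+ accepts it, as far as I know). Decide which it is: move the backend into a per-environment root (`stage/`, `prod/`) that calls this module, and keep `variables_state.tf` with that root. `encrypt = true` is correct.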
@@ -32,16 +33,16 @@ resource "aws_instance" "staging" { ami = module.shared_resources.ami_id instance_type = var.instance_type subnet_id = module.shared_resources.subnet_id - key_name = "dsst2023" + key_name = var.ec2_key_name vpc_security_group_ids = [module.shared_resources.security_group_id] associate_public_ip_address = true root_block_device { - volume_size = 30 - volume_type = "gp2" # General Purpose SSD (can be "gp2", "gp3", "io1", "io2", etc.) + volume_size = var.ec2_root_block_device_size + volume_type = var.ec2_root_block_device_type } tags = { - Name = "staging-instance" + Name = var.environment } user_data = <<-EOF @@ -58,10 +59,10 @@ resource "aws_instance" "staging" { } resource "aws_eip" "staging" { - domain = "vpc" + domain = var.eip_domain tags = { - Name = "staging-elastic-ip" + Name = var.environment } } diff --git a/web/deploy/terraform/modules/deployment/variables.tf b/web/deploy/terraform/modules/deployment/variables.tf index a6692d82..9fad2582 100644 --- a/web/deploy/terraform/modules/deployment/variables.tf +++ b/web/deploy/terraform/modules/deployment/variables.tf 
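Review bot: `root_block_device` on `aws_instance.staging` is parameterised for size and type but still not encrypted, and the instance sets no `metadata_options`, so it defaults to allowing IMDSv1, where an SSRF in any workload on the host can read instance-role credentials if an instance profile is ever attached. Both hardenings are one setting each and do not change the module's interface. `associate_public_ip_address = true` together with the EIP makes the host directly reachable; the security group comes from `module.shared_resources` outside this hunk, so its ingress rules are what actually bound exposure and should be reviewed alongside this.

```hcl
  root_block_device {
    volume_size = var.ec2_root_block_device_size
    volume_type = var.ec2_root_block_device_type
    encrypted   = true
  }

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
  # … unchanged: tags, user_data …
```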
@@ -1,5 +1,40 @@
+variable "region" {
+ description = "The AWS region used by the deployment"
+ type = string
+ default = "us-east-1"
+}
+
+variable "environment" {
+ description = "The name of the development environment. Usually `stage` or `prod`."
+ type = string
+}
+
 variable "instance_type" {
 description = "EC2 instance type"
 default = "t3.large"
 type = string
 }
+
+variable "ec2_key_name" {
+ description = "Key name of the Key Pair to use for the instance; which can be managed using the `aws_key_pair` resource."
+ default = "dsst2023"
+ type = string
+}
+
+variable "ec2_root_block_device_size" {
+ description = "Size of the volume in gibibytes (GiB)."
+ default = 30
+ type = number
+}
+
+variable "ec2_root_block_device_type" {
+ description = "Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1."
+ default = "gp2"
+ type = string
+}
+
+variable "eip_domain" {
+ description = "Indicates if this EIP is for use in VPC"
+ default = "vpc"
+ type = string
+}
diff --git a/web/deploy/terraform/modules/deployment/variables_state.tf b/web/deploy/terraform/modules/deployment/variables_state.tf
new file mode 100644
index 00000000..55f44c87
--- /dev/null
+++ b/web/deploy/terraform/modules/deployment/variables_state.tf
@@ -0,0 +1,23 @@
+variable "state_bucket_name" {
+ description = "The name of the S3 bucket to store Terraform state. Must be globally unique."
+ type = string
+ default = "osm-terraform-state-storage"
+}
+
+variable "state_table_name" {
+ description = "The name of the DynamoDB table. Must be unique in this AWS account."
+ type = string
+ default = "terraform-state-locks"
+}
+
+variable "state_storage_region" {
+ description = "AWS region"
+ default = "us-east-1"
+ type = string
+}
+
+variable "state_backend_key" {
+ description = "Path to the state file inside the S3 Bucket"
+ type = string
+ default = "terraform.tfstate"
+}
From 28cc1f6939d570f9a2306b027548abc81afe029e Mon Sep 17 00:00:00 2001
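Review bot: The `description` of `state_storage_region` in the new `variables_state.tf` hunk, `"AWS region"`, does not say what the region is the region of, while the sibling `region` variable in `variables.tf` is described as the deployment region; since the two may legitimately differ, make it `description = "AWS region of the S3 bucket and DynamoDB table that hold the Terraform state"`. The `ec2_key_name` default `"dsst2023"` also bakes a specific account's key-pair name into the module; a one-line comment such as `# Must already exist in the target account/region; override per environment` would save the next deployer a failed apply.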
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Tue, 15 Oct 2024 17:37:42 -0700
Subject: [PATCH 41/59] Move script to separate file
---
web/deploy/terraform/modules/deployment/main.tf | 12 +-----------
.../modules/deployment/scripts/install-docker.sh | 9 +++++++++
2 files changed, 10 insertions(+), 11 deletions(-)
create mode 100644 web/deploy/terraform/modules/deployment/scripts/install-docker.sh
diff --git a/web/deploy/terraform/modules/deployment/main.tf b/web/deploy/terraform/modules/deployment/main.tf
index 549dfd1c..73697101 100644
--- a/web/deploy/terraform/modules/deployment/main.tf
+++ b/web/deploy/terraform/modules/deployment/main.tf
@@ -45,17 +45,7 @@ resource "aws_instance" "staging" {
 Name = var.environment
 }
- user_data = <<-EOF
- #!/bin/bash
- apt-get update -y
- apt install -y curl
- apt-get install -y docker.io
- curl -SL https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
- chmod a+x /usr/local/bin/docker-compose
- systemctl restart sshd
- systemctl start docker
- systemctl enable docker
- EOF
+ user_data = file("${path.module}/scripts/install-docker.sh")
 }
 resource "aws_eip" "staging" {
diff --git a/web/deploy/terraform/modules/deployment/scripts/install-docker.sh b/web/deploy/terraform/modules/deployment/scripts/install-docker.sh
new file mode 100644
index 00000000..afd07760
--- /dev/null
+++ b/web/deploy/terraform/modules/deployment/scripts/install-docker.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+apt-get update -y
+apt install -y curl
+apt-get install -y docker.io
+curl -SL https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+chmod a+x /usr/local/bin/docker-compose
+systemctl restart sshd
+systemctl start docker
+systemctl enable docker
From 8c014d4f564eab40ab9b7e164ed88dc6ba412b21 Mon Sep 17 00:00:00 2001
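Review bot: The `docker-compose` binary fetched with `curl -SL` on the fifth line of the new `install-docker.sh` is installed without any integrity check and the script has no `set -e`, so a failed, truncated or substituted download is still marked executable and the host boots with whatever landed in `/usr/local/bin/docker-compose`. The content is identical to the removed heredoc, but as a standalone file it is now easy to verify the download against the checksum published with the v2.29.1 release and to fail fast; the rewritten lines are below with the digest left as a placeholder to be filled from that release's checksum file. `systemctl restart sshd` has no evident purpose in this script and deserves either a comment or removal, and `apt install -y curl` should be `apt-get` like the surrounding lines.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: apt-get update / apt-get install curl, docker.io …
COMPOSE_VERSION="v2.29.1"
COMPOSE_SHA256="<sha256 of docker-compose-linux-x86_64 from the ${COMPOSE_VERSION} release checksum file>"  # placeholder
curl -fsSL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
echo "${COMPOSE_SHA256}  /usr/local/bin/docker-compose" | sha256sum -c -
chmod a+x /usr/local/bin/docker-compose
# … unchanged: systemctl start/enable docker …
```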
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Tue, 15 Oct 2024 23:26:12 -0700
Subject: [PATCH 42/59] Correctly use shared resources
---
.../terraform/modules/deployment/outputs.tf | 35 -------------------
web/deploy/terraform/modules/ec2/data.tf | 18 ++++++++++
.../modules/{deployment => ec2}/main.tf | 21 +++++------
web/deploy/terraform/modules/ec2/outputs.tf | 11 ++++++
.../scripts/install-docker.sh | 0
.../modules/{deployment => ec2}/variables.tf | 6 ++++
.../{deployment => ec2}/variables_state.tf | 0
.../terraform/modules/networking/outputs.tf | 4 ---
8 files changed, 43 insertions(+), 52 deletions(-)
delete mode 100644 web/deploy/terraform/modules/deployment/outputs.tf
create mode 100644 web/deploy/terraform/modules/ec2/data.tf
rename web/deploy/terraform/modules/{deployment => ec2}/main.tf (66%)
create mode 100644 web/deploy/terraform/modules/ec2/outputs.tf
rename web/deploy/terraform/modules/{deployment => ec2}/scripts/install-docker.sh (100%)
rename web/deploy/terraform/modules/{deployment => ec2}/variables.tf (85%)
rename web/deploy/terraform/modules/{deployment => ec2}/variables_state.tf (100%)
diff --git a/web/deploy/terraform/modules/deployment/outputs.tf b/web/deploy/terraform/modules/deployment/outputs.tf
deleted file mode 100644
index 74805845..00000000
--- a/web/deploy/terraform/modules/deployment/outputs.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-output "vpc_id" {
- value = module.shared_resources.vpc_id
-}
-
-output "internet_gateway_id" {
- value = module.shared_resources.internet_gateway_id
-}
-
-output "route_table_id" {
- value = module.shared_resources.route_table_id
-}
-
-output "network_acl_id" {
- value = module.shared_resources.aws_network_acl_id
-}
-
-output "security_group_id" {
- value = module.shared_resources.security_group_id
-}
-
-output "subnet_id" {
- value = module.shared_resources.subnet_id
-}
-
-output "instance_id" {
- value = aws_instance.staging.id
-}
-
-output "public_dns" {
- value = aws_eip.staging.public_dns
-}
-
-output "public_ip" {
- value = aws_eip.staging.public_ip
-}
diff --git a/web/deploy/terraform/modules/ec2/data.tf b/web/deploy/terraform/modules/ec2/data.tf
new file mode 100644
index 00000000..904a0a8f
--- /dev/null
+++ b/web/deploy/terraform/modules/ec2/data.tf
@@ -0,0 +1,18 @@
+data "aws_ami" "ubuntu" {
+ most_recent = true
+ owners = ["099720109477"]
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-focal-${var.ubuntu_ami_release}-amd64-server-*"]
+ }
+}
+
+data "terraform_remote_state" "shared" {
+ backend = "s3"
+ config = {
+ bucket = "${var.state_bucket_name}-shared"
+ key = var.state_backend_key
+ dynamodb_table = "${var.state_table_name}-shared"
+ region = var.state_storage_region
+ }
+}
diff --git a/web/deploy/terraform/modules/deployment/main.tf b/web/deploy/terraform/modules/ec2/main.tf
similarity index 66%
rename from web/deploy/terraform/modules/deployment/main.tf
rename to web/deploy/terraform/modules/ec2/main.tf
index 73697101..8cff2e52 100644
--- a/web/deploy/terraform/modules/deployment/main.tf
+++ b/web/deploy/terraform/modules/ec2/main.tf
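Review bot: The AMI name filter in the new `data "aws_ami" "ubuntu"` hard-codes the `focal` codename while interpolating `var.ubuntu_ami_release` into the same string, so any value other than `20.04` — including the `22.04` and `24.04` examples given in the variable's own description in this commit's `variables.tf` hunk — yields a pattern that matches no image and the lookup fails at plan time. Either drop the codename, `values = ["ubuntu/images/hvm-ssd/ubuntu-*-${var.ubuntu_ami_release}-amd64-server-*"]`, or map release to codename in a `locals` block; newer releases may also publish under a different image path prefix, so verify the pattern per release rather than assuming the `hvm-ssd` segment is stable. Separately, `most_recent = true` with a wildcard name means each apply can resolve to a newer AMI and force replacement of the instance; if that is not intended, pin the AMI id through a variable or add `lifecycle { ignore_changes = [ami] }` on `aws_instance.deployment`.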
@@ -23,18 +23,13 @@ terraform {
 }
 }
-
-module "shared_resources" {
- source = "../modules/shared_resources"
-}
-
 # EC2 Instance
-resource "aws_instance" "staging" {
- ami = module.shared_resources.ami_id
+resource "aws_instance" "deployment" {
+ ami = data.aws_ami.ubuntu.id
 instance_type = var.instance_type
- subnet_id = module.shared_resources.subnet_id
+ subnet_id = data.terraform_remote_state.shared.outputs.subnet_id
 key_name = var.ec2_key_name
- vpc_security_group_ids = [module.shared_resources.security_group_id]
+ vpc_security_group_ids = [data.terraform_remote_state.shared.outputs.security_group_id]
 associate_public_ip_address = true
 root_block_device {
 volume_size = var.ec2_root_block_device_size
@@ -48,7 +43,7 @@ resource "aws_instance" "staging" {
 user_data = file("${path.module}/scripts/install-docker.sh")
 }
-resource "aws_eip" "staging" {
+resource "aws_eip" "deployment" {
 domain = var.eip_domain
 tags = {
@@ -56,7 +51,7 @@ resource "aws_eip" "staging" {
 }
 }
-resource "aws_eip_association" "staging" {
- instance_id = aws_instance.staging.id
- allocation_id = aws_eip.staging.id
+resource "aws_eip_association" "deployment" {
+ instance_id = aws_instance.deployment.id
+ allocation_id = aws_eip.deployment.id
 }
diff --git a/web/deploy/terraform/modules/ec2/outputs.tf b/web/deploy/terraform/modules/ec2/outputs.tf
new file mode 100644
index 00000000..0d21ae69
--- /dev/null
+++ b/web/deploy/terraform/modules/ec2/outputs.tf
@@ -0,0 +1,11 @@
+output "instance_id" {
+ value = aws_instance.deployment.id
+}
+
+output "public_dns" {
+ value = aws_eip.deployment.public_dns
+}
+
+output "public_ip" {
+ value = aws_eip.deployment.public_ip
+}
diff --git a/web/deploy/terraform/modules/deployment/scripts/install-docker.sh b/web/deploy/terraform/modules/ec2/scripts/install-docker.sh
similarity index 100%
rename from web/deploy/terraform/modules/deployment/scripts/install-docker.sh
rename to web/deploy/terraform/modules/ec2/scripts/install-docker.sh
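Review bot: The renamed `resource "aws_instance" "deployment"` keeps `associate_public_ip_address = true` but sets no `metadata_options`, so the instance still answers IMDSv1 requests; once the ECR-readable instance profile from PATCH 53 is attached, requiring IMDSv2 is the low-cost mitigation against credential theft via SSRF in the services the host runs. Add `metadata_options { http_tokens = "required" }` beside the other instance arguments. The `root_block_device` block that starts at the end of the first hunk continues outside it and, as far as the visible lines show, has no `encrypted = true`; that is worth adding at the same time. The resource body ends outside the hunk.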
diff --git a/web/deploy/terraform/modules/deployment/variables.tf b/web/deploy/terraform/modules/ec2/variables.tf
similarity index 85%
rename from web/deploy/terraform/modules/deployment/variables.tf
rename to web/deploy/terraform/modules/ec2/variables.tf
index 9fad2582..90ad3a4b 100644
--- a/web/deploy/terraform/modules/deployment/variables.tf
+++ b/web/deploy/terraform/modules/ec2/variables.tf
@@ -38,3 +38,9 @@ variable "eip_domain" {
 default = "vpc"
 type = string
 }
+
+variable "ubuntu_ami_release" {
+ description = "The release of Ubuntu to use for the EC2 AMI. E.g. 20.04, 22.04, 24.04"
+ default = "20.04"
+ type = string
+}
diff --git a/web/deploy/terraform/modules/deployment/variables_state.tf b/web/deploy/terraform/modules/ec2/variables_state.tf
similarity index 100%
rename from web/deploy/terraform/modules/deployment/variables_state.tf
rename to web/deploy/terraform/modules/ec2/variables_state.tf
diff --git a/web/deploy/terraform/modules/networking/outputs.tf b/web/deploy/terraform/modules/networking/outputs.tf
index f8767826..0628f109 100644
--- a/web/deploy/terraform/modules/networking/outputs.tf
+++ b/web/deploy/terraform/modules/networking/outputs.tf
@@ -21,7 +21,3 @@ output "route_table_id" {
 output "aws_network_acl_id" {
 value = aws_network_acl.allow_all.id
 }
-
-# output "ami_id" {
-# value = data.aws_ami.ubuntu.id
-# }
From 7c8a11ec131638df08f9bb1630acfc467e9ba680 Mon Sep 17 00:00:00 2001
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 00:31:51 -0700
Subject: [PATCH 43/59] Fix variables and outputs
---
web/deploy/terraform/modules/ec2/main.tf | 10 --------
web/deploy/terraform/shared/outputs.tf | 7 ++++++
web/deploy/terraform/staging/main.tf | 24 +++++++++++++++++++
web/deploy/terraform/staging/outputs.tf | 0
web/deploy/terraform/staging/variables.tf | 11 +++++++++
.../terraform/staging/variables_state.tf | 23 ++++++++++++++++++
6 files changed, 65 insertions(+), 10 deletions(-)
create mode 100644 web/deploy/terraform/staging/main.tf
create mode 100644 web/deploy/terraform/staging/outputs.tf
create mode 100644 web/deploy/terraform/staging/variables.tf
create mode 100644 web/deploy/terraform/staging/variables_state.tf
diff --git a/web/deploy/terraform/modules/ec2/main.tf b/web/deploy/terraform/modules/ec2/main.tf
index 8cff2e52..71579ac0 100644
--- a/web/deploy/terraform/modules/ec2/main.tf
+++ b/web/deploy/terraform/modules/ec2/main.tf
@@ -13,16 +13,6 @@ provider "aws" {
 region = var.region
 }
-terraform {
- backend "s3" {
- bucket = "${var.state_bucket_name}-${var.environment}"
- key = var.state_backend_key
- region = var.state_storage_region
- dynamodb_table = "${var.state_table_name}-${var.environment}"
- encrypt = true
- }
-}
-
 # EC2 Instance
 resource "aws_instance" "deployment" {
 ami = data.aws_ami.ubuntu.id
diff --git a/web/deploy/terraform/shared/outputs.tf b/web/deploy/terraform/shared/outputs.tf
index e69de29b..7d0c54b1 100644
--- a/web/deploy/terraform/shared/outputs.tf
+++ b/web/deploy/terraform/shared/outputs.tf
@@ -0,0 +1,7 @@
+output "subnet_id" {
+ value = module.networking.subnet_id
+}
+
+output "security_group_id" {
+ value = module.networking.security_group_id
+}
diff --git a/web/deploy/terraform/staging/main.tf b/web/deploy/terraform/staging/main.tf
new file mode 100644
index 00000000..afe22b53
--- /dev/null
+++ b/web/deploy/terraform/staging/main.tf
@@ -0,0 +1,24 @@
+terraform {
+ required_version = ">= 1.8.0, < 2.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+
+ backend "s3" {
+ bucket = "${var.state_bucket_name}-${var.environment}"
+ key = var.state_backend_key
+ region = var.state_storage_region
+ dynamodb_table = "${var.state_table_name}-${var.environment}"
+ encrypt = true
+ }
+}
+
+module "ec2" {
+ source = "../modules/ec2/"
+ environment = var.environment
+ instance_type = var.instance_type
+}
diff --git a/web/deploy/terraform/staging/outputs.tf b/web/deploy/terraform/staging/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/web/deploy/terraform/staging/variables.tf b/web/deploy/terraform/staging/variables.tf
new file mode 100644
index 00000000..2c1f3d0e
--- /dev/null
+++ b/web/deploy/terraform/staging/variables.tf
@@ -0,0 +1,11 @@
+variable "environment" {
+ description = "The name of the environment. Usually `stage`."
+ default = "stage"
+ type = string
+}
+
+variable "instance_type" {
+ description = "EC2 instance type"
+ default = "t2.nano"
+ type = string
+}
diff --git a/web/deploy/terraform/staging/variables_state.tf b/web/deploy/terraform/staging/variables_state.tf
new file mode 100644
index 00000000..7993c2ab
--- /dev/null
+++ b/web/deploy/terraform/staging/variables_state.tf
@@ -0,0 +1,23 @@
+variable "state_storage_region" {
+ description = "AWS region"
+ default = "us-east-1"
+ type = string
+}
+
+variable "state_bucket_name" {
+ description = "The name of the S3 bucket to store Terraform state."
+ type = string
+ default = "osm-terraform-state-storage"
+}
+
+variable "state_table_name" {
+ description = "The name of the DynamoDB table for Terraform state locks."
+ type = string
+ default = "terraform-state-locks"
+}
+
+variable "state_backend_key" {
+ description = "Path to the state file inside the S3 Bucket"
+ type = string
+ default = "terraform.tfstate"
+}
From 50a0c2c69f04a0d103aef6d82c2926816a5e21d3 Mon Sep 17 00:00:00 2001
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 02:03:41 -0700
Subject: [PATCH 44/59] Temporarily comment out eip configuration
---
web/deploy/terraform/modules/ec2/main.tf | 24 +++++++++----------
web/deploy/terraform/modules/ec2/outputs.tf | 12 +++++-----
web/deploy/terraform/modules/ec2/variables.tf | 10 ++++----
3 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/web/deploy/terraform/modules/ec2/main.tf b/web/deploy/terraform/modules/ec2/main.tf
index 71579ac0..2934a3ea 100644
--- a/web/deploy/terraform/modules/ec2/main.tf
+++ b/web/deploy/terraform/modules/ec2/main.tf
@@ -33,15 +33,15 @@ resource "aws_instance" "deployment" {
 user_data = file("${path.module}/scripts/install-docker.sh")
 }
-resource "aws_eip" "deployment" {
- domain = var.eip_domain
-
- tags = {
- Name = var.environment
- }
-}
-
-resource "aws_eip_association" "deployment" {
- instance_id = aws_instance.deployment.id
- allocation_id = aws_eip.deployment.id
-}
+# resource "aws_eip" "deployment" {
+# domain = var.eip_domain
+
+# tags = {
+# Name = var.environment
+# }
+# }
+
+# resource "aws_eip_association" "deployment" {
+# instance_id = aws_instance.deployment.id
+# allocation_id = aws_eip.deployment.id
+# }
diff --git a/web/deploy/terraform/modules/ec2/outputs.tf b/web/deploy/terraform/modules/ec2/outputs.tf
index 0d21ae69..a321648a 100644
--- a/web/deploy/terraform/modules/ec2/outputs.tf
+++ b/web/deploy/terraform/modules/ec2/outputs.tf
@@ -2,10 +2,10 @@ output "instance_id" {
 value = aws_instance.deployment.id
 }
-output "public_dns" {
- value = aws_eip.deployment.public_dns
-}
+# output "public_dns" {
+# value = aws_eip.deployment.public_dns
+# }
-output "public_ip" {
- value = aws_eip.deployment.public_ip
-}
+# output "public_ip" {
+# value = aws_eip.deployment.public_ip
+# }
diff --git a/web/deploy/terraform/modules/ec2/variables.tf b/web/deploy/terraform/modules/ec2/variables.tf
index 90ad3a4b..f9c31e65 100644
--- a/web/deploy/terraform/modules/ec2/variables.tf
+++ b/web/deploy/terraform/modules/ec2/variables.tf
@@ -33,11 +33,11 @@ variable "ec2_root_block_device_type" {
 type = string
 }
-variable "eip_domain" {
- description = "Indicates if this EIP is for use in VPC"
- default = "vpc"
- type = string
-}
+# variable "eip_domain" {
+# description = "Indicates if this EIP is for use in VPC"
+# default = "vpc"
+# type = string
+# }
 variable "ubuntu_ami_release" {
 description = "The release of Ubuntu to use for the EC2 AMI. E.g. 20.04, 22.04, 24.04"
From 14a4a82d60c4e88963c6a890afe245c8693e8adf Mon Sep 17 00:00:00 2001
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 02:20:17 -0700
Subject: [PATCH 45/59] Comment out `key_name`
---
web/deploy/terraform/modules/ec2/main.tf | 8 ++++----
web/deploy/terraform/modules/ec2/variables.tf | 10 +++++-----
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/web/deploy/terraform/modules/ec2/main.tf b/web/deploy/terraform/modules/ec2/main.tf
index 2934a3ea..8bfb3f6a 100644
--- a/web/deploy/terraform/modules/ec2/main.tf
+++ b/web/deploy/terraform/modules/ec2/main.tf
@@ -15,10 +15,10 @@ provider "aws" {
 # EC2 Instance
 resource "aws_instance" "deployment" {
- ami = data.aws_ami.ubuntu.id
- instance_type = var.instance_type
- subnet_id = data.terraform_remote_state.shared.outputs.subnet_id
- key_name = var.ec2_key_name
+ ami = data.aws_ami.ubuntu.id
+ instance_type = var.instance_type
+ subnet_id = data.terraform_remote_state.shared.outputs.subnet_id
+ # key_name = var.ec2_key_name
 vpc_security_group_ids = [data.terraform_remote_state.shared.outputs.security_group_id]
 associate_public_ip_address = true
 root_block_device {
diff --git a/web/deploy/terraform/modules/ec2/variables.tf b/web/deploy/terraform/modules/ec2/variables.tf
index f9c31e65..f51289e3 100644
--- a/web/deploy/terraform/modules/ec2/variables.tf
+++ b/web/deploy/terraform/modules/ec2/variables.tf
@@ -15,11 +15,11 @@ variable "instance_type" {
 type = string
 }
-variable "ec2_key_name" {
- description = "Key name of the Key Pair to use for the instance; which can be managed using the `aws_key_pair` resource."
- default = "dsst2023"
- type = string
-}
+# variable "ec2_key_name" {
+# description = "Key name of the Key Pair to use for the instance; which can be managed using the `aws_key_pair` resource."
+# default = "dsst2023"
+# type = string
+# }
 variable "ec2_root_block_device_size" {
 description = "Size of the volume in gibibytes (GiB)."
From 986f24046c5bdece9476e981078b9012788b6ed9 Mon Sep 17 00:00:00 2001
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 02:40:29 -0700
Subject: [PATCH 46/59] Create production deployment
---
web/deploy/terraform/production/main.tf | 24 +++++++++++++++++++
web/deploy/terraform/production/outputs.tf | 0
web/deploy/terraform/production/variables.tf | 11 +++++++++
.../terraform/production/variables_state.tf | 23 ++++++++++++++++++
4 files changed, 58 insertions(+)
create mode 100644 web/deploy/terraform/production/main.tf
create mode 100644 web/deploy/terraform/production/outputs.tf
create mode 100644 web/deploy/terraform/production/variables.tf
create mode 100644 web/deploy/terraform/production/variables_state.tf
diff --git a/web/deploy/terraform/production/main.tf b/web/deploy/terraform/production/main.tf
new file mode 100644
index 00000000..afe22b53
--- /dev/null
+++ b/web/deploy/terraform/production/main.tf
@@ -0,0 +1,24 @@
+terraform {
+ required_version = ">= 1.8.0, < 2.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+
+ backend "s3" {
+ bucket = "${var.state_bucket_name}-${var.environment}"
+ key = var.state_backend_key
+ region = var.state_storage_region
+ dynamodb_table = "${var.state_table_name}-${var.environment}"
+ encrypt = true
+ }
+}
+
+module "ec2" {
+ source = "../modules/ec2/"
+ environment = var.environment
+ instance_type = var.instance_type
+}
diff --git a/web/deploy/terraform/production/outputs.tf b/web/deploy/terraform/production/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/web/deploy/terraform/production/variables.tf b/web/deploy/terraform/production/variables.tf
new file mode 100644
index 00000000..c0078208
--- /dev/null
+++ b/web/deploy/terraform/production/variables.tf
@@ -0,0 +1,11 @@
+variable "environment" {
+ description = "The name of the environment. Usually `prod`."
+ default = "prod"
+ type = string
+}
+
+variable "instance_type" {
+ description = "EC2 instance type"
+ default = "t2.nano"
+ type = string
+}
diff --git a/web/deploy/terraform/production/variables_state.tf b/web/deploy/terraform/production/variables_state.tf
new file mode 100644
index 00000000..7993c2ab
--- /dev/null
+++ b/web/deploy/terraform/production/variables_state.tf
@@ -0,0 +1,23 @@
+variable "state_storage_region" {
+ description = "AWS region"
+ default = "us-east-1"
+ type = string
+}
+
+variable "state_bucket_name" {
+ description = "The name of the S3 bucket to store Terraform state."
+ type = string
+ default = "osm-terraform-state-storage"
+}
+
+variable "state_table_name" {
+ description = "The name of the DynamoDB table for Terraform state locks."
+ type = string
+ default = "terraform-state-locks"
+}
+
+variable "state_backend_key" {
+ description = "Path to the state file inside the S3 Bucket"
+ type = string
+ default = "terraform.tfstate"
+}
From b1644a2c59449219160031c568e4126d3bc4598f Mon Sep 17 00:00:00 2001
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 03:16:35 -0700
Subject: [PATCH 47/59] Remove debugging condition
---
web/deploy/terraform/modules/iam/policies/assume-role.json | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/web/deploy/terraform/modules/iam/policies/assume-role.json b/web/deploy/terraform/modules/iam/policies/assume-role.json
index 6a62d5db..e2ebcbaa 100644
--- a/web/deploy/terraform/modules/iam/policies/assume-role.json
+++ b/web/deploy/terraform/modules/iam/policies/assume-role.json
@@ -10,8 +10,7 @@
 "Condition": {
 "StringLike": {
 "token.actions.githubusercontent.com:sub": [
- "repo:nimh-dsst/osm:*",
- "repo:smokestacklightnin/osm:*"
+ "repo:nimh-dsst/osm:*"
 ]
 },
 "StringEquals": {
From 591dafac8b7fe871f695651dd97598efcb6bc7b7 Mon Sep 17 00:00:00 2001
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 03:28:42 -0700
Subject: [PATCH 48/59] Fix indentation
---
.../modules/iam/policies/assume-role.json | 8 ++++----
.../policies/gha-policy-nonadmin.json.tftpl | 18 +++++++++---------
.../modules/iam/policies/gha-policy.json.tftpl | 8 ++++----
3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/web/deploy/terraform/modules/iam/policies/assume-role.json b/web/deploy/terraform/modules/iam/policies/assume-role.json
index e2ebcbaa..e1f1d1bf 100644
--- a/web/deploy/terraform/modules/iam/policies/assume-role.json
+++ b/web/deploy/terraform/modules/iam/policies/assume-role.json
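Review bot: After the fork entry is removed, the remaining `StringLike` subject `"repo:nimh-dsst/osm:*"` still lets any workflow run in the repository — any branch, tag, pull request or environment — assume this role, and with it the `ec2:*`/`ecr:*`/`s3:*`/`dynamodb:*` grant visible in `gha-policy.json.tftpl` in the next commit. Narrow the subject to what actually deploys, for example `"repo:nimh-dsst/osm:ref:refs/heads/main"` or `"repo:nimh-dsst/osm:environment:production"` (constructed examples; match the workflow's trigger), and keep the `aud` equality check that follows. The enclosing policy statement begins and ends outside the hunk.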
@@ -3,15 +3,15 @@
 "Statement": [
 {
 "Effect": "Allow",
- "Principal": {
+ "Principal": {
 "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
+ "Condition": {
 "StringLike": {
 "token.actions.githubusercontent.com:sub": [
- "repo:nimh-dsst/osm:*"
- ]
+ "repo:nimh-dsst/osm:*"
+ ]
 },
 "StringEquals": {
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy-nonadmin.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy-nonadmin.json.tftpl
index 7e6b5f6d..045d6912 100644
--- a/web/deploy/terraform/modules/iam/policies/gha-policy-nonadmin.json.tftpl
+++ b/web/deploy/terraform/modules/iam/policies/gha-policy-nonadmin.json.tftpl
@@ -10,14 +10,14 @@
 "ecr:BatchCheckLayerAvailability",
 "ecr:PutImage",
 "ecr:BatchGetImage",
- "s3:GetBucketEncryption",
- "s3:GetBucketTagging",
- "s3:PutBucketTagging",
- "s3:GetObject",
- "s3:PutObject",
- "s3:ListObjectsV2",
- "s3:ListBuckets",
- "dynamodb:CreateTable",
+ "s3:GetBucketEncryption",
+ "s3:GetBucketTagging",
+ "s3:PutBucketTagging",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:ListObjectsV2",
+ "s3:ListBuckets",
+ "dynamodb:CreateTable",
 "dynamodb:DeleteTable",
 "dynamodb:DescribeTable",
 "dynamodb:ListTables",
@@ -27,7 +27,7 @@
 "dynamodb:DeleteItem",
 "dynamodb:Query",
 "dynamodb:Scan"
- ],
+ ],
 "Resource": ${resources}
 },
 {
diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl
index a8328ac6..6756f3dd 100644
--- a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl
+++ b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl
@@ -4,11 +4,11 @@
 {
 "Effect": "Allow",
 "Action": [
- "ec2:*",
+ "ec2:*",
 "ecr:*",
- "s3:*",
- "dynamodb:*"
- ],
+ "s3:*",
+ "dynamodb:*"
+ ],
 "Resource": ${resources}
 },
 {
From 1eb2dbeff24f8cd2a2e3b83b3fa44eac71a6508f Mon Sep 17 00:00:00 2001
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 13:07:51 -0700
Subject: [PATCH 49/59] Uncomment eip config
---
web/deploy/terraform/modules/ec2/main.tf | 24 +++++++++----------
web/deploy/terraform/modules/ec2/outputs.tf | 12 +++++-----
web/deploy/terraform/modules/ec2/variables.tf | 10 ++++----
3 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/web/deploy/terraform/modules/ec2/main.tf b/web/deploy/terraform/modules/ec2/main.tf
index 8bfb3f6a..0e64fd32 100644
--- a/web/deploy/terraform/modules/ec2/main.tf
+++ b/web/deploy/terraform/modules/ec2/main.tf
@@ -33,15 +33,15 @@ resource "aws_instance" "deployment" {
 user_data = file("${path.module}/scripts/install-docker.sh")
 }
-# resource "aws_eip" "deployment" {
-# domain = var.eip_domain
-
-# tags = {
-# Name = var.environment
-# }
-# }
-
-# resource "aws_eip_association" "deployment" {
-# instance_id = aws_instance.deployment.id
-# allocation_id = aws_eip.deployment.id
-# }
+resource "aws_eip" "deployment" {
+ domain = var.eip_domain
+
+ tags = {
+ Name = var.environment
+ }
+}
+
+resource "aws_eip_association" "deployment" {
+ instance_id = aws_instance.deployment.id
+ allocation_id = aws_eip.deployment.id
+}
diff --git a/web/deploy/terraform/modules/ec2/outputs.tf b/web/deploy/terraform/modules/ec2/outputs.tf
index a321648a..0d21ae69 100644
--- a/web/deploy/terraform/modules/ec2/outputs.tf
+++ b/web/deploy/terraform/modules/ec2/outputs.tf
@@ -2,10 +2,10 @@ output "instance_id" {
 value = aws_instance.deployment.id
 }
-# output "public_dns" {
-# value = aws_eip.deployment.public_dns
-# }
+output "public_dns" {
+ value = aws_eip.deployment.public_dns
+}
-# output "public_ip" {
-# value = aws_eip.deployment.public_ip
-# }
+output "public_ip" {
+ value = aws_eip.deployment.public_ip
+}
diff --git a/web/deploy/terraform/modules/ec2/variables.tf b/web/deploy/terraform/modules/ec2/variables.tf
index f51289e3..d7c03033 100644
--- a/web/deploy/terraform/modules/ec2/variables.tf
+++ b/web/deploy/terraform/modules/ec2/variables.tf
@@ -33,11 +33,11 @@ variable "ec2_root_block_device_type" {
 type = string
 }
-# variable "eip_domain" {
-# description = "Indicates if this EIP is for use in VPC"
-# default = "vpc"
-# type = string
-# }
+variable "eip_domain" {
+ description = "Indicates if this EIP is for use in VPC"
+ default = "vpc"
+ type = string
+}
 variable "ubuntu_ami_release" {
 description = "The release of Ubuntu to use for the EC2 AMI. E.g. 20.04, 22.04, 24.04"
From c3a06a1a15b594032526099008e55b05a6126e9a Mon Sep 17 00:00:00 2001
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 13:08:45 -0700
Subject: [PATCH 50/59] Uncomment key config
---
web/deploy/terraform/modules/ec2/main.tf | 8 ++++----
web/deploy/terraform/modules/ec2/variables.tf | 10 +++++-----
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/web/deploy/terraform/modules/ec2/main.tf b/web/deploy/terraform/modules/ec2/main.tf
index 0e64fd32..71579ac0 100644
--- a/web/deploy/terraform/modules/ec2/main.tf
+++ b/web/deploy/terraform/modules/ec2/main.tf
@@ -15,10 +15,10 @@ provider "aws" {
 # EC2 Instance
 resource "aws_instance" "deployment" {
- ami = data.aws_ami.ubuntu.id
- instance_type = var.instance_type
- subnet_id = data.terraform_remote_state.shared.outputs.subnet_id
- # key_name = var.ec2_key_name
+ ami = data.aws_ami.ubuntu.id
+ instance_type = var.instance_type
+ subnet_id = data.terraform_remote_state.shared.outputs.subnet_id
+ key_name = var.ec2_key_name
 vpc_security_group_ids = [data.terraform_remote_state.shared.outputs.security_group_id]
 associate_public_ip_address = true
 root_block_device {
diff --git a/web/deploy/terraform/modules/ec2/variables.tf b/web/deploy/terraform/modules/ec2/variables.tf
index d7c03033..90ad3a4b 100644
--- a/web/deploy/terraform/modules/ec2/variables.tf
+++ b/web/deploy/terraform/modules/ec2/variables.tf
@@ -15,11 +15,11 @@ variable "instance_type" {
 type = string
 }
-# variable "ec2_key_name" {
-# description = "Key name of the Key Pair to use for the instance; which can be managed using the `aws_key_pair` resource."
-# default = "dsst2023"
-# type = string
-# }
+variable "ec2_key_name" {
+ description = "Key name of the Key Pair to use for the instance; which can be managed using the `aws_key_pair` resource."
+ default = "dsst2023"
+ type = string
+}
 variable "ec2_root_block_device_size" {
 description = "Size of the volume in gibibytes (GiB)."
From e22796345bccba04fd4c8a853363a4c805ff3259 Mon Sep 17 00:00:00 2001
From: Marcelo Villa
Date: Wed, 23 Oct 2024 20:52:47 +0200
Subject: [PATCH 51/59] Use larger instance
---
web/deploy/terraform/staging/variables.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/deploy/terraform/staging/variables.tf b/web/deploy/terraform/staging/variables.tf
index 2c1f3d0e..a97198da 100644
--- a/web/deploy/terraform/staging/variables.tf
+++ b/web/deploy/terraform/staging/variables.tf
@@ -6,6 +6,6 @@ variable "environment" {
 variable "instance_type" {
 description = "EC2 instance type"
- default = "t2.nano"
+ default = "t3.large"
 type = string
 }
From dbf803d713751be16b1d02dd0fa4b4dd3822fb46 Mon Sep 17 00:00:00 2001
From: Marcelo Villa
Date: Wed, 23 Oct 2024 20:53:38 +0200
Subject: [PATCH 52/59] Build from local base image rather than from published image
---
web/api/Dockerfile | 2 +-
web/dashboard/Dockerfile | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/web/api/Dockerfile b/web/api/Dockerfile
index 99ba9fb3..fe703eb7 100644
--- a/web/api/Dockerfile
+++ b/web/api/Dockerfile
@@ -1,3 +1,3 @@
-FROM nimhdsst/osm_base
+FROM osm_base
 COPY ./web/api/main.py /app/app/main.py
 CMD ["fastapi", "run", "--host", "0.0.0.0", "--port", "80", "--root-path", "/api"]
diff --git a/web/dashboard/Dockerfile b/web/dashboard/Dockerfile
index a163aa6a..ebfbf1bb 100644
--- a/web/dashboard/Dockerfile
+++ b/web/dashboard/Dockerfile
@@ -1,5 +1,4 @@
-
-FROM nimhdsst/osm_base
+FROM osm_base
 COPY web/dashboard/ /app
 ENV LOCAL_DATA_PATH=/opt/data/matches.parquet
 CMD ["python", "app.py"]
From 0c47f7d90860e44b1c59666676af8ae977f28cb0 Mon Sep 17 00:00:00 2001
From: Marcelo Villa
Date: Wed, 23 Oct 2024 20:56:24 +0200
Subject: [PATCH 53/59] Add instance profile with ECR read permission to EC2 instance
---
web/deploy/terraform/modules/ec2/main.tf | 1 +
web/deploy/terraform/modules/iam/main.tf | 28 +++++++++++++++++++
web/deploy/terraform/modules/iam/outputs.tf | 3 ++
web/deploy/terraform/modules/iam/variables.tf | 12 ++++++++
web/deploy/terraform/shared/outputs.tf | 4 +++
5 files changed, 48 insertions(+)
diff --git a/web/deploy/terraform/modules/ec2/main.tf b/web/deploy/terraform/modules/ec2/main.tf
index 71579ac0..9905395e 100644
--- a/web/deploy/terraform/modules/ec2/main.tf
+++ b/web/deploy/terraform/modules/ec2/main.tf
@@ -21,6 +21,7 @@ resource "aws_instance" "deployment" {
 key_name = var.ec2_key_name
 vpc_security_group_ids = [data.terraform_remote_state.shared.outputs.security_group_id]
 associate_public_ip_address = true
+ iam_instance_profile = data.terraform_remote_state.shared.outputs.instance_profile_name
 root_block_device {
 volume_size = var.ec2_root_block_device_size
 volume_type = var.ec2_root_block_device_type
diff --git a/web/deploy/terraform/modules/iam/main.tf b/web/deploy/terraform/modules/iam/main.tf
index 62f63f74..928a0142 100644
--- a/web/deploy/terraform/modules/iam/main.tf
+++ b/web/deploy/terraform/modules/iam/main.tf
@@ -13,6 +13,34 @@ provider "aws" {
 region = var.region
 }
 
+data "aws_iam_policy_document" "assume_role" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "profile" {
+ name = "${var.instance_profile_role_name}-${var.environment}"
+ assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "profile" {
+ role = aws_iam_role.profile.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}
+
+resource "aws_iam_instance_profile" "profile" {
+ name = "${var.instance_profile_name}-${var.environment}"
+ role = aws_iam_role.profile.name
+}
+
 resource "aws_iam_policy" "cd" {
 name = "${var.cd_iam_policy_name}-${var.environment}"
 policy = templatefile(
diff --git a/web/deploy/terraform/modules/iam/outputs.tf b/web/deploy/terraform/modules/iam/outputs.tf
index e69de29b..ff22712d 100644
--- a/web/deploy/terraform/modules/iam/outputs.tf
+++ b/web/deploy/terraform/modules/iam/outputs.tf
@@ -0,0 +1,3 @@
+output "instance_profile_name" {
+ value = aws_iam_instance_profile.profile.name
+}
diff --git a/web/deploy/terraform/modules/iam/variables.tf b/web/deploy/terraform/modules/iam/variables.tf
index 35c1e5db..7cf2733e 100644
--- a/web/deploy/terraform/modules/iam/variables.tf
+++ b/web/deploy/terraform/modules/iam/variables.tf
@@ -9,6 +9,18 @@ variable "region" {
 type = string
 }
 
+variable "instance_profile_name" {
+ description = "The name of the instance profile"
+ default = "osm-instance-profile"
+ type = string
+}
+
+variable "instance_profile_role_name" {
+ description = "The name of the instance profile"
+ default = "osm-instance-profile-role"
+ type = string
+}
+
 variable "cd_iam_policy_name" {
 description = "The name of the IAM policy for continuous deployment to ECR"
 default = "GitHubActions-ECR"
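Review bot: `aws_iam_role_policy_attachment.profile` attaches the AWS-managed `AmazonEC2ContainerRegistryReadOnly` policy, which grants pull and describe rights on every ECR repository in the account rather than only the repositories this deployment pulls. If the host needs just the osm images, a customer-managed policy with `ecr:GetAuthorizationToken` on `*` and the pull actions (`ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`, `ecr:BatchCheckLayerAvailability`) scoped to those repository ARNs keeps the instance role at least privilege; if the managed policy is a deliberate first step, a comment on the attachment saying so would stop the next reader from re-raising it. The trust policy itself is correctly limited to the `ec2.amazonaws.com` service principal.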
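Review bot: The `description` of `instance_profile_role_name` is a copy of the one on `instance_profile_name` ("The name of the instance profile"), so generated docs and plan output will not tell the two apart; change it to `description = "The name of the IAM role attached to the instance profile"`. Both descriptions would also be clearer if they said that `main.tf` appends `-${var.environment}` to the value.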
diff --git a/web/deploy/terraform/shared/outputs.tf b/web/deploy/terraform/shared/outputs.tf index 7d0c54b1..81832c89 100644 --- a/web/deploy/terraform/shared/outputs.tf +++ b/web/deploy/terraform/shared/outputs.tf @@ -5,3 +5,7 @@ output "subnet_id" { output "security_group_id" { value = module.networking.security_group_id } + +output "instance_profile_name" { + value = module.iam_role_and_policy.instance_profile_name +} From 711e871fcad08cdc726f29e9b855daed8b4099bc Mon Sep 17 00:00:00 2001 From: Marcelo Villa Date: Wed, 23 Oct 2024 20:57:14 +0200 Subject: [PATCH 54/59] Use larger instance for production --- web/deploy/terraform/production/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/deploy/terraform/production/variables.tf b/web/deploy/terraform/production/variables.tf index c0078208..f675f09e 100644 --- a/web/deploy/terraform/production/variables.tf +++ b/web/deploy/terraform/production/variables.tf @@ -1,11 +1,11 @@ variable "environment" { - description = "The name of the environment. Usually `prod`." + description = "The name of the environment. Usually `prod`" default = "prod" type = string } variable "instance_type" { description = "EC2 instance type" - default = "t2.nano" + default = "t3.large" type = string } From 75705ec9bc8e186b78a4f432ce685d389ec72967 Mon Sep 17 00:00:00 2001 From: Marcelo Villa Date: Mon, 28 Oct 2024 10:00:48 +0100 Subject: [PATCH 55/59] Add new allowed subdomain --- web/dashboard/app.py | 1 + web/deploy/terraform/modules/state/main.tf | 20 -------------------- 2 files changed, 1 insertion(+), 20 deletions(-) diff --git a/web/dashboard/app.py b/web/dashboard/app.py index edbe50cc..0f6be1bb 100644 --- a/web/dashboard/app.py +++ b/web/dashboard/app.py @@ -134,6 +134,7 @@ def serve(self): allow_websocket_origin=[ "localhost:8501", "opensciencemetrics.org", + "dev.opensciencemetrics.org", ], static_dirs={ dir: str(Path(__file__).parent / dir) 
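Review bot: The websocket origin allow-list in `serve` is hard-coded, so every new hostname needs a code change and `localhost:8501` ships in what is presumably also the production deployment; reading extra origins from an environment variable (a comma-separated list, split and appended to the literal list) would let each environment, including local runs, declare only the origins it needs. `serve` begins before this hunk. The same commit also deletes every `prevent_destroy` lifecycle block in `modules/state/main.tf`, which is unrelated to the "allowed subdomain" subject and removes the guard against accidentally destroying the state bucket and lock table; that change deserves its own commit with a stated rationale.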
diff --git a/web/deploy/terraform/modules/state/main.tf b/web/deploy/terraform/modules/state/main.tf index 399590cc..e3f304b5 100644 --- a/web/deploy/terraform/modules/state/main.tf +++ b/web/deploy/terraform/modules/state/main.tf @@ -16,10 +16,6 @@ provider "aws" { resource "aws_s3_bucket" "tf_state" { bucket = "${var.bucket_name}-${var.environment}" - lifecycle { - prevent_destroy = true - } - tags = { Name = "${var.bucket_name}-${var.environment}" } @@ -40,10 +36,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "tf_state" { days = 365 } } - - lifecycle { - prevent_destroy = true - } } resource "aws_s3_bucket_versioning" "enabled" { @@ -52,10 +44,6 @@ resource "aws_s3_bucket_versioning" "enabled" { versioning_configuration { status = "Enabled" } - - lifecycle { - prevent_destroy = true - } } resource "aws_s3_bucket_server_side_encryption_configuration" "default" { @@ -66,10 +54,6 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { sse_algorithm = "AES256" } } - - lifecycle { - prevent_destroy = true - } } resource "aws_dynamodb_table" "tf_locks" { @@ -82,10 +66,6 @@ resource "aws_dynamodb_table" "tf_locks" { type = "S" } - lifecycle { - prevent_destroy = true - } - tags = { Name = "${var.bucket_name}-${var.environment}" } From 8fe2c467fb5c6232c830dadb382ffc712c22f7b4 Mon Sep 17 00:00:00 2001 From: Marcelo Villa Date: Mon, 28 Oct 2024 10:01:17 +0100 Subject: [PATCH 56/59] Change search filter expression --- osm/schemas/schema_helpers.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/osm/schemas/schema_helpers.py b/osm/schemas/schema_helpers.py index 5ea35f05..931099d5 100644 --- a/osm/schemas/schema_helpers.py +++ b/osm/schemas/schema_helpers.py 
@@ -176,10 +176,9 @@ def get_data_from_mongo(aggregation: list[dict] | None = None) -> Iterator[dict] aggregation = [ { "$match": { - "data_tags": "bulk_upload", - # "work.pmid": {"$regex":r"^2"}, - # "metrics.year": {"$gt": 2000}, - # "metrics.is_data_pred": {"$eq": True}, + "metrics_group": { + "$regex": "R" + } }, }, { From 3707aa8159832a979bad956ca4ef0d00665900bd Mon Sep 17 00:00:00 2001 From: Marcelo Villa Date: Mon, 28 Oct 2024 10:02:09 +0100 Subject: [PATCH 57/59] Fix os.getenv call --- osm/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/osm/__init__.py b/osm/__init__.py index eee7f1d2..bb98193f 100644 --- a/osm/__init__.py +++ b/osm/__init__.py @@ -16,7 +16,7 @@ def get_version(): def generate_version_file(): import pkg_resources - if os.get("SETUPTOOLS_SCM_PRETEND_VERSION_FOR_OSM"): + if os.getenv("SETUPTOOLS_SCM_PRETEND_VERSION_FOR_OSM"): version = os.environ["SETUPTOOLS_SCM_PRETEND_VERSION_FOR_OSM"] else: version = pkg_resources.get_distribution("osm").version From 34bfa7c4536bc7111b4c0df69bc24fec06a8674d Mon Sep 17 00:00:00 2001 From: Marcelo Villa Date: Mon, 28 Oct 2024 10:05:46 +0100 Subject: [PATCH 58/59] Add Terraform state files for state bootstrapping --- .../terraform/state/.terraform.lock.hcl | 20 +++++++++++++++++++ web/deploy/terraform/state/terraform.tfstate | 1 + 2 files changed, 21 insertions(+) create mode 100644 web/deploy/terraform/state/.terraform.lock.hcl create mode 100644 web/deploy/terraform/state/terraform.tfstate diff --git a/web/deploy/terraform/state/.terraform.lock.hcl b/web/deploy/terraform/state/.terraform.lock.hcl new file mode 100644 index 00000000..a69cf080 --- /dev/null +++ b/web/deploy/terraform/state/.terraform.lock.hcl 
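Review bot: The new default filter `"metrics_group": {"$regex": "R"}` is unanchored, so it matches any `metrics_group` value containing an `R` anywhere in the string, and an unanchored regex cannot use an index, which forces a full collection scan on every call that does not pass its own `aggregation`. If the intent is one specific group, use equality, `"metrics_group": "<group name>"` (placeholder); if it really is a prefix, anchor it, `"$regex": "^R"`, so an index on that field, if one exists, can serve it. A short comment naming the groups the filter is meant to select would help, since the previous `"data_tags": "bulk_upload"` criterion was at least self-explanatory. `get_data_from_mongo` begins before and continues after this hunk.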
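Review bot: The fix makes the branch work, but `generate_version_file` still reads the variable twice, `os.getenv(...)` in the condition and `os.environ[...]` in the body, which is the duplication that hid the original `os.get` typo; a single lookup, `version = os.getenv("SETUPTOOLS_SCM_PRETEND_VERSION_FOR_OSM") or pkg_resources.get_distribution("osm").version`, removes it. Since the old code raised `AttributeError` on every call, nothing exercised this path; a test that sets the variable and checks the generated version would keep it from regressing. `generate_version_file` continues outside the hunk.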
@@ -0,0 +1,20 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.72.0"
+ constraints = "~> 5.0"
+ hashes = [
+ "h1:jVAdHFoPW0MK+NCbOuXhFyW1d1z+p6sZIEVm9g50w+Q=",
+ "zh:2d44b2e09130c74cca01217a5fc77048ec59f92726d023e0e088419aaa7938cb",
+ "zh:38e7912b50ce524fc8eba4b61af8357cdf1031f7cb123655ae443bad13b16cb0",
+ "zh:4b80faec4c35c9abe8519124a3d6c39a1290ab78ea7cbb77edb9f21b8c42a12e",
+ "zh:5c678ca30e1e5eeff7aec6fcf63baec14cb3ea08e435b1646b96f46e4fab4c72",
+ "zh:608f381469d684d647de9d670d6c5e812f12903d52cfccb89463bbeec37990db",
+ "zh:64729c3c24e093488653e9aa2a34b6cd8740d9b4036af67a123a9ea9b127ba98",
+ "zh:6acb86202e22a814dc5fbd05ff177e617b5f56477fdff2dd617dd6332fa01bd9",
+ "zh:70a7b1c87763d27ddc2c83038ec6439c44acc014ea3b01440d904a46bb4564f7",
+ "zh:be716adb069a52ba578a0d1da4cee74cb20d50779f3fa807f717b81399de80f5",
+ "zh:e23f12028a99ab5afb97983b4863ef63d4908d4564c3c34b24b52081b51dde1d",
+ ]
+}
diff --git a/web/deploy/terraform/state/terraform.tfstate b/web/deploy/terraform/state/terraform.tfstate
new file mode 100644
index 00000000..4cee88f6
--- /dev/null
+++ b/web/deploy/terraform/state/terraform.tfstate
@@ -0,0 +1 @@ +{"version":4,"terraform_version":"1.8.3","serial":17,"lineage":"42f82bf5-8bc1-2631-3209-afedb6e78b79","outputs":{},"resources":[{"module":"module.prod_state","mode":"managed","type":"aws_dynamodb_table","name":"tf_locks","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":1,"attributes":{"arn":"arn:aws:dynamodb:us-east-1:507624629289:table/terraform-state-locks-prod","attribute":[{"name":"LockID","type":"S"}],"billing_mode":"PAY_PER_REQUEST","deletion_protection_enabled":false,"global_secondary_index":[],"hash_key":"LockID","id":"terraform-state-locks-prod","import_table":[],"local_secondary_index":[],"name":"terraform-state-locks-prod","on_demand_throughput":[],"point_in_time_recovery":[{"enabled":false}],"range_key":null,"read_capacity":0,"replica":[],"restore_date_time":null,"restore_source_name":null,"restore_source_table_arn":null,"restore_to_latest_time":null,"server_side_encryption":[],"stream_arn":"","stream_enabled":false,"stream_label":"","stream_view_type":"","table_class":"STANDARD","tags":{"Name":"osm-terraform-state-storage-prod"},"tags_all":{"Name":"osm-terraform-state-storage-prod"},"timeouts":null,"ttl":[{"attribute_name":"","enabled":false}],"write_capacity":0},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0="}]},{"module":"module.prod_state","mode":"managed","type":"aws_s3_bucket","name":"tf_state","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"acceleration_status":"","acl":null,"arn":"arn:aws:s3:::osm-terraform-state-storage-prod","bucket":"osm-terraform-state-storage-prod","bucket_domain_name":"osm-terraform-state-storage-prod.s3.amazonaws.com","bucket_prefix":"","bucket_regional_domain_name":"osm-terraform-state-storage-prod.s3.
us-east-1.amazonaws.com","cors_rule":[],"force_destroy":false,"grant":[{"id":"b6e96f153ed2059480e56f0ad36a4711f844b60e2866ec0ebef27a4c7103edc3","permissions":["FULL_CONTROL"],"type":"CanonicalUser","uri":""}],"hosted_zone_id":"Z3AQBSTGFYJSTF","id":"osm-terraform-state-storage-prod","lifecycle_rule":[],"logging":[],"object_lock_configuration":[],"object_lock_enabled":false,"policy":"","region":"us-east-1","replication_configuration":[],"request_payer":"BucketOwner","server_side_encryption_configuration":[{"rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]}],"tags":{"Name":"osm-terraform-state-storage-prod"},"tags_all":{"Name":"osm-terraform-state-storage-prod"},"timeouts":null,"versioning":[{"enabled":false,"mfa_delete":false}],"website":[],"website_domain":null,"website_endpoint":null},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"}]},{"module":"module.prod_state","mode":"managed","type":"aws_s3_bucket_lifecycle_configuration","name":"tf_state","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-prod","expected_bucket_owner":"","id":"osm-terraform-state-storage-prod","rule":[{"abort_incomplete_multipart_upload":[],"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"filter":[{"and":[],"object_size_greater_than":"","object_size_less_than":"","prefix":"","tag":[]}],"id":"tf_state_prod","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","status":"Enabled","transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"timeouts":null,"transition_default_minimum_object_size":"all_storage_classes_128K"},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY
2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAsInVwZGF0ZSI6MTgwMDAwMDAwMDAwfX0=","dependencies":["module.prod_state.aws_s3_bucket.tf_state"]}]},{"module":"module.prod_state","mode":"managed","type":"aws_s3_bucket_server_side_encryption_configuration","name":"default","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-prod","expected_bucket_owner":"","id":"osm-terraform-state-storage-prod","rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":null}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.prod_state.aws_s3_bucket.tf_state"]}]},{"module":"module.prod_state","mode":"managed","type":"aws_s3_bucket_versioning","name":"enabled","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-prod","expected_bucket_owner":"","id":"osm-terraform-state-storage-prod","mfa":null,"versioning_configuration":[{"mfa_delete":"","status":"Enabled"}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.prod_state.aws_s3_bucket.tf_state"]}]},{"module":"module.shared_state","mode":"managed","type":"aws_dynamodb_table","name":"tf_locks","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":1,"attributes":{"arn":"arn:aws:dynamodb:us-east-1:507624629289:table/terraform-state-locks-shared","attribute":[{"name":"LockID","type":"S"}],"billing_mode":"PAY_PER_REQUEST","deletion_protection_enabled":false,"global_secondary_index":[],"hash_key":"LockID","id":"terraform-state-locks-shared","import_table":[],"local_secondary_index":[],"name":"terraform-state-locks-shared","on_demand_throughput":[],"point_in_time_recovery":[{"enabled":false}],"range_key":null,"read_capacity":0,"replica":[],
"restore_date_time":null,"restore_source_name":null,"restore_source_table_arn":null,"restore_to_latest_time":null,"server_side_encryption":[],"stream_arn":"","stream_enabled":false,"stream_label":"","stream_view_type":"","table_class":"STANDARD","tags":{"Name":"osm-terraform-state-storage-shared"},"tags_all":{"Name":"osm-terraform-state-storage-shared"},"timeouts":null,"ttl":[{"attribute_name":"","enabled":false}],"write_capacity":0},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0="}]},{"module":"module.shared_state","mode":"managed","type":"aws_s3_bucket","name":"tf_state","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"acceleration_status":"","acl":null,"arn":"arn:aws:s3:::osm-terraform-state-storage-shared","bucket":"osm-terraform-state-storage-shared","bucket_domain_name":"osm-terraform-state-storage-shared.s3.amazonaws.com","bucket_prefix":"","bucket_regional_domain_name":"osm-terraform-state-storage-shared.s3.us-east-1.amazonaws.com","cors_rule":[],"force_destroy":false,"grant":[{"id":"b6e96f153ed2059480e56f0ad36a4711f844b60e2866ec0ebef27a4c7103edc3","permissions":["FULL_CONTROL"],"type":"CanonicalUser","uri":""}],"hosted_zone_id":"Z3AQBSTGFYJSTF","id":"osm-terraform-state-storage-shared","lifecycle_rule":[{"abort_incomplete_multipart_upload_days":0,"enabled":true,"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"id":"tf_state_shared","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","tags":{},"transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"logging":[],"object_lock_configuration":[],"object_lock_enabled":false,"policy":"","region":"us-east-1","replication_configuration":[],"request_payer":"BucketOwner","server_side_encryption_configuratio
n":[{"rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]}],"tags":{"Name":"osm-terraform-state-storage-shared"},"tags_all":{"Name":"osm-terraform-state-storage-shared"},"timeouts":null,"versioning":[{"enabled":true,"mfa_delete":false}],"website":[],"website_domain":null,"website_endpoint":null},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"}]},{"module":"module.shared_state","mode":"managed","type":"aws_s3_bucket_lifecycle_configuration","name":"tf_state","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-shared","expected_bucket_owner":"","id":"osm-terraform-state-storage-shared","rule":[{"abort_incomplete_multipart_upload":[],"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"filter":[{"and":[],"object_size_greater_than":"","object_size_less_than":"","prefix":"","tag":[]}],"id":"tf_state_shared","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","status":"Enabled","transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"timeouts":null,"transition_default_minimum_object_size":"all_storage_classes_128K"},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAsInVwZGF0ZSI6MTgwMDAwMDAwMDAwfX0=","dependencies":["module.shared_state.aws_s3_bucket.tf_state"]}]},{"module":"module.shared_state","mode":"managed","type":"aws_s3_bucket_server_side_encryption_configuration","name":"default","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-shared","expected_bucket_owner":
"","id":"osm-terraform-state-storage-shared","rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.shared_state.aws_s3_bucket.tf_state"]}]},{"module":"module.shared_state","mode":"managed","type":"aws_s3_bucket_versioning","name":"enabled","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-shared","expected_bucket_owner":"","id":"osm-terraform-state-storage-shared","mfa":null,"versioning_configuration":[{"mfa_delete":"","status":"Enabled"}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.shared_state.aws_s3_bucket.tf_state"]}]},{"module":"module.stage_state","mode":"managed","type":"aws_dynamodb_table","name":"tf_locks","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":1,"attributes":{"arn":"arn:aws:dynamodb:us-east-1:507624629289:table/terraform-state-locks-stage","attribute":[{"name":"LockID","type":"S"}],"billing_mode":"PAY_PER_REQUEST","deletion_protection_enabled":false,"global_secondary_index":[],"hash_key":"LockID","id":"terraform-state-locks-stage","import_table":[],"local_secondary_index":[],"name":"terraform-state-locks-stage","on_demand_throughput":[],"point_in_time_recovery":[{"enabled":false}],"range_key":null,"read_capacity":0,"replica":[],"restore_date_time":null,"restore_source_name":null,"restore_source_table_arn":null,"restore_to_latest_time":null,"server_side_encryption":[],"stream_arn":"","stream_enabled":false,"stream_label":"","stream_view_type":"","table_class":"STANDARD","tags":{"Name":"osm-terraform-state-storage-stage"},"tags_all":{"Name":"osm-terraform-state-storage-stage"},"timeouts":null,"ttl":[{"attribute_name":"","enabled":false}],"write_capacity":0},"sensitive_attributes":[],"private":"e
yJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0="}]},{"module":"module.stage_state","mode":"managed","type":"aws_s3_bucket","name":"tf_state","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"acceleration_status":"","acl":null,"arn":"arn:aws:s3:::osm-terraform-state-storage-stage","bucket":"osm-terraform-state-storage-stage","bucket_domain_name":"osm-terraform-state-storage-stage.s3.amazonaws.com","bucket_prefix":"","bucket_regional_domain_name":"osm-terraform-state-storage-stage.s3.us-east-1.amazonaws.com","cors_rule":[],"force_destroy":false,"grant":[{"id":"b6e96f153ed2059480e56f0ad36a4711f844b60e2866ec0ebef27a4c7103edc3","permissions":["FULL_CONTROL"],"type":"CanonicalUser","uri":""}],"hosted_zone_id":"Z3AQBSTGFYJSTF","id":"osm-terraform-state-storage-stage","lifecycle_rule":[{"abort_incomplete_multipart_upload_days":0,"enabled":true,"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"id":"tf_state_stage","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","tags":{},"transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"logging":[],"object_lock_configuration":[],"object_lock_enabled":false,"policy":"","region":"us-east-1","replication_configuration":[],"request_payer":"BucketOwner","server_side_encryption_configuration":[{"rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]}],"tags":{"Name":"osm-terraform-state-storage-stage"},"tags_all":{"Name":"osm-terraform-state-storage-stage"},"timeouts":null,"versioning":[{"enabled":true,"mfa_delete":false}],"website":[],"website_domain":null,"website_endpoint":null},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwM
DAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"}]},{"module":"module.stage_state","mode":"managed","type":"aws_s3_bucket_lifecycle_configuration","name":"tf_state","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-stage","expected_bucket_owner":"","id":"osm-terraform-state-storage-stage","rule":[{"abort_incomplete_multipart_upload":[],"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"filter":[{"and":[],"object_size_greater_than":"","object_size_less_than":"","prefix":"","tag":[]}],"id":"tf_state_stage","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","status":"Enabled","transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"timeouts":null,"transition_default_minimum_object_size":"all_storage_classes_128K"},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAsInVwZGF0ZSI6MTgwMDAwMDAwMDAwfX0=","dependencies":["module.stage_state.aws_s3_bucket.tf_state"]}]},{"module":"module.stage_state","mode":"managed","type":"aws_s3_bucket_server_side_encryption_configuration","name":"default","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-stage","expected_bucket_owner":"","id":"osm-terraform-state-storage-stage","rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.stage_state.aws_s3_bucket.tf_state"]}]},{"module":"module.stage_state","mode":"managed","type":"aws_s3_bucket_versioning","name":"enabled","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_vers
ion":0,"attributes":{"bucket":"osm-terraform-state-storage-stage","expected_bucket_owner":"","id":"osm-terraform-state-storage-stage","mfa":null,"versioning_configuration":[{"mfa_delete":"","status":"Enabled"}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.stage_state.aws_s3_bucket.tf_state"]}]}],"check_results":null} From 874576d06305154de763be45ca4db4cbcafa27a5 Mon Sep 17 00:00:00 2001 From: Marcelo Villa Date: Mon, 28 Oct 2024 12:40:51 +0100 Subject: [PATCH 59/59] Remove state and lock files --- .../terraform/state/.terraform.lock.hcl | 20 ------------------- web/deploy/terraform/state/terraform.tfstate | 1 - 2 files changed, 21 deletions(-) delete mode 100644 web/deploy/terraform/state/.terraform.lock.hcl delete mode 100644 web/deploy/terraform/state/terraform.tfstate diff --git a/web/deploy/terraform/state/.terraform.lock.hcl b/web/deploy/terraform/state/.terraform.lock.hcl deleted file mode 100644 index a69cf080..00000000 --- a/web/deploy/terraform/state/.terraform.lock.hcl +++ /dev/null 
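Review bot: Committing `terraform.tfstate` puts the backend bootstrap state, including the AWS account ID (`507624629289`) and every bucket, table and provider detail, into version control; the next commit deletes it again, but the file stays in git history, so the account ID should be treated as disclosed and state should only ever live in the remote backend this module creates. The state also records `deletion_protection_enabled: false` and `point_in_time_recovery` disabled on each `terraform-state-locks-*` table, which together with the `prevent_destroy` blocks dropped earlier in this series leaves the state storage with no protection against accidental deletion; setting `deletion_protection_enabled = true` and a `point_in_time_recovery { enabled = true }` block on `aws_dynamodb_table.tf_locks` in `modules/state/main.tf` would restore that. A `.gitignore` entry for `*.tfstate` and `*.tfstate.backup` would prevent a repeat.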
@@ -1,20 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.72.0"
- constraints = "~> 5.0"
- hashes = [
- "h1:jVAdHFoPW0MK+NCbOuXhFyW1d1z+p6sZIEVm9g50w+Q=",
- "zh:2d44b2e09130c74cca01217a5fc77048ec59f92726d023e0e088419aaa7938cb",
- "zh:38e7912b50ce524fc8eba4b61af8357cdf1031f7cb123655ae443bad13b16cb0",
- "zh:4b80faec4c35c9abe8519124a3d6c39a1290ab78ea7cbb77edb9f21b8c42a12e",
- "zh:5c678ca30e1e5eeff7aec6fcf63baec14cb3ea08e435b1646b96f46e4fab4c72",
- "zh:608f381469d684d647de9d670d6c5e812f12903d52cfccb89463bbeec37990db",
- "zh:64729c3c24e093488653e9aa2a34b6cd8740d9b4036af67a123a9ea9b127ba98",
- "zh:6acb86202e22a814dc5fbd05ff177e617b5f56477fdff2dd617dd6332fa01bd9",
- "zh:70a7b1c87763d27ddc2c83038ec6439c44acc014ea3b01440d904a46bb4564f7",
- "zh:be716adb069a52ba578a0d1da4cee74cb20d50779f3fa807f717b81399de80f5",
- "zh:e23f12028a99ab5afb97983b4863ef63d4908d4564c3c34b24b52081b51dde1d",
- ]
-}
diff --git a/web/deploy/terraform/state/terraform.tfstate b/web/deploy/terraform/state/terraform.tfstate
deleted file mode 100644
index 4cee88f6..00000000
--- a/web/deploy/terraform/state/terraform.tfstate
+++ /dev/null
@@ -1 +0,0 @@ -{"version":4,"terraform_version":"1.8.3","serial":17,"lineage":"42f82bf5-8bc1-2631-3209-afedb6e78b79","outputs":{},"resources":[{"module":"module.prod_state","mode":"managed","type":"aws_dynamodb_table","name":"tf_locks","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":1,"attributes":{"arn":"arn:aws:dynamodb:us-east-1:507624629289:table/terraform-state-locks-prod","attribute":[{"name":"LockID","type":"S"}],"billing_mode":"PAY_PER_REQUEST","deletion_protection_enabled":false,"global_secondary_index":[],"hash_key":"LockID","id":"terraform-state-locks-prod","import_table":[],"local_secondary_index":[],"name":"terraform-state-locks-prod","on_demand_throughput":[],"point_in_time_recovery":[{"enabled":false}],"range_key":null,"read_capacity":0,"replica":[],"restore_date_time":null,"restore_source_name":null,"restore_source_table_arn":null,"restore_to_latest_time":null,"server_side_encryption":[],"stream_arn":"","stream_enabled":false,"stream_label":"","stream_view_type":"","table_class":"STANDARD","tags":{"Name":"osm-terraform-state-storage-prod"},"tags_all":{"Name":"osm-terraform-state-storage-prod"},"timeouts":null,"ttl":[{"attribute_name":"","enabled":false}],"write_capacity":0},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0="}]},{"module":"module.prod_state","mode":"managed","type":"aws_s3_bucket","name":"tf_state","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"acceleration_status":"","acl":null,"arn":"arn:aws:s3:::osm-terraform-state-storage-prod","bucket":"osm-terraform-state-storage-prod","bucket_domain_name":"osm-terraform-state-storage-prod.s3.amazonaws.com","bucket_prefix":"","bucket_regional_domain_name":"osm-terraform-state-storage-prod.s3.
us-east-1.amazonaws.com","cors_rule":[],"force_destroy":false,"grant":[{"id":"b6e96f153ed2059480e56f0ad36a4711f844b60e2866ec0ebef27a4c7103edc3","permissions":["FULL_CONTROL"],"type":"CanonicalUser","uri":""}],"hosted_zone_id":"Z3AQBSTGFYJSTF","id":"osm-terraform-state-storage-prod","lifecycle_rule":[],"logging":[],"object_lock_configuration":[],"object_lock_enabled":false,"policy":"","region":"us-east-1","replication_configuration":[],"request_payer":"BucketOwner","server_side_encryption_configuration":[{"rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]}],"tags":{"Name":"osm-terraform-state-storage-prod"},"tags_all":{"Name":"osm-terraform-state-storage-prod"},"timeouts":null,"versioning":[{"enabled":false,"mfa_delete":false}],"website":[],"website_domain":null,"website_endpoint":null},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"}]},{"module":"module.prod_state","mode":"managed","type":"aws_s3_bucket_lifecycle_configuration","name":"tf_state","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-prod","expected_bucket_owner":"","id":"osm-terraform-state-storage-prod","rule":[{"abort_incomplete_multipart_upload":[],"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"filter":[{"and":[],"object_size_greater_than":"","object_size_less_than":"","prefix":"","tag":[]}],"id":"tf_state_prod","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","status":"Enabled","transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"timeouts":null,"transition_default_minimum_object_size":"all_storage_classes_128K"},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY
2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAsInVwZGF0ZSI6MTgwMDAwMDAwMDAwfX0=","dependencies":["module.prod_state.aws_s3_bucket.tf_state"]}]},{"module":"module.prod_state","mode":"managed","type":"aws_s3_bucket_server_side_encryption_configuration","name":"default","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-prod","expected_bucket_owner":"","id":"osm-terraform-state-storage-prod","rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":null}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.prod_state.aws_s3_bucket.tf_state"]}]},{"module":"module.prod_state","mode":"managed","type":"aws_s3_bucket_versioning","name":"enabled","provider":"module.prod_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-prod","expected_bucket_owner":"","id":"osm-terraform-state-storage-prod","mfa":null,"versioning_configuration":[{"mfa_delete":"","status":"Enabled"}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.prod_state.aws_s3_bucket.tf_state"]}]},{"module":"module.shared_state","mode":"managed","type":"aws_dynamodb_table","name":"tf_locks","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":1,"attributes":{"arn":"arn:aws:dynamodb:us-east-1:507624629289:table/terraform-state-locks-shared","attribute":[{"name":"LockID","type":"S"}],"billing_mode":"PAY_PER_REQUEST","deletion_protection_enabled":false,"global_secondary_index":[],"hash_key":"LockID","id":"terraform-state-locks-shared","import_table":[],"local_secondary_index":[],"name":"terraform-state-locks-shared","on_demand_throughput":[],"point_in_time_recovery":[{"enabled":false}],"range_key":null,"read_capacity":0,"replica":[],
"restore_date_time":null,"restore_source_name":null,"restore_source_table_arn":null,"restore_to_latest_time":null,"server_side_encryption":[],"stream_arn":"","stream_enabled":false,"stream_label":"","stream_view_type":"","table_class":"STANDARD","tags":{"Name":"osm-terraform-state-storage-shared"},"tags_all":{"Name":"osm-terraform-state-storage-shared"},"timeouts":null,"ttl":[{"attribute_name":"","enabled":false}],"write_capacity":0},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0="}]},{"module":"module.shared_state","mode":"managed","type":"aws_s3_bucket","name":"tf_state","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"acceleration_status":"","acl":null,"arn":"arn:aws:s3:::osm-terraform-state-storage-shared","bucket":"osm-terraform-state-storage-shared","bucket_domain_name":"osm-terraform-state-storage-shared.s3.amazonaws.com","bucket_prefix":"","bucket_regional_domain_name":"osm-terraform-state-storage-shared.s3.us-east-1.amazonaws.com","cors_rule":[],"force_destroy":false,"grant":[{"id":"b6e96f153ed2059480e56f0ad36a4711f844b60e2866ec0ebef27a4c7103edc3","permissions":["FULL_CONTROL"],"type":"CanonicalUser","uri":""}],"hosted_zone_id":"Z3AQBSTGFYJSTF","id":"osm-terraform-state-storage-shared","lifecycle_rule":[{"abort_incomplete_multipart_upload_days":0,"enabled":true,"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"id":"tf_state_shared","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","tags":{},"transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"logging":[],"object_lock_configuration":[],"object_lock_enabled":false,"policy":"","region":"us-east-1","replication_configuration":[],"request_payer":"BucketOwner","server_side_encryption_configuratio
n":[{"rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]}],"tags":{"Name":"osm-terraform-state-storage-shared"},"tags_all":{"Name":"osm-terraform-state-storage-shared"},"timeouts":null,"versioning":[{"enabled":true,"mfa_delete":false}],"website":[],"website_domain":null,"website_endpoint":null},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"}]},{"module":"module.shared_state","mode":"managed","type":"aws_s3_bucket_lifecycle_configuration","name":"tf_state","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-shared","expected_bucket_owner":"","id":"osm-terraform-state-storage-shared","rule":[{"abort_incomplete_multipart_upload":[],"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"filter":[{"and":[],"object_size_greater_than":"","object_size_less_than":"","prefix":"","tag":[]}],"id":"tf_state_shared","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","status":"Enabled","transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"timeouts":null,"transition_default_minimum_object_size":"all_storage_classes_128K"},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAsInVwZGF0ZSI6MTgwMDAwMDAwMDAwfX0=","dependencies":["module.shared_state.aws_s3_bucket.tf_state"]}]},{"module":"module.shared_state","mode":"managed","type":"aws_s3_bucket_server_side_encryption_configuration","name":"default","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-shared","expected_bucket_owner":
"","id":"osm-terraform-state-storage-shared","rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.shared_state.aws_s3_bucket.tf_state"]}]},{"module":"module.shared_state","mode":"managed","type":"aws_s3_bucket_versioning","name":"enabled","provider":"module.shared_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-shared","expected_bucket_owner":"","id":"osm-terraform-state-storage-shared","mfa":null,"versioning_configuration":[{"mfa_delete":"","status":"Enabled"}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.shared_state.aws_s3_bucket.tf_state"]}]},{"module":"module.stage_state","mode":"managed","type":"aws_dynamodb_table","name":"tf_locks","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":1,"attributes":{"arn":"arn:aws:dynamodb:us-east-1:507624629289:table/terraform-state-locks-stage","attribute":[{"name":"LockID","type":"S"}],"billing_mode":"PAY_PER_REQUEST","deletion_protection_enabled":false,"global_secondary_index":[],"hash_key":"LockID","id":"terraform-state-locks-stage","import_table":[],"local_secondary_index":[],"name":"terraform-state-locks-stage","on_demand_throughput":[],"point_in_time_recovery":[{"enabled":false}],"range_key":null,"read_capacity":0,"replica":[],"restore_date_time":null,"restore_source_name":null,"restore_source_table_arn":null,"restore_to_latest_time":null,"server_side_encryption":[],"stream_arn":"","stream_enabled":false,"stream_label":"","stream_view_type":"","table_class":"STANDARD","tags":{"Name":"osm-terraform-state-storage-stage"},"tags_all":{"Name":"osm-terraform-state-storage-stage"},"timeouts":null,"ttl":[{"attribute_name":"","enabled":false}],"write_capacity":0},"sensitive_attributes":[],"private":"e
yJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0="}]},{"module":"module.stage_state","mode":"managed","type":"aws_s3_bucket","name":"tf_state","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"acceleration_status":"","acl":null,"arn":"arn:aws:s3:::osm-terraform-state-storage-stage","bucket":"osm-terraform-state-storage-stage","bucket_domain_name":"osm-terraform-state-storage-stage.s3.amazonaws.com","bucket_prefix":"","bucket_regional_domain_name":"osm-terraform-state-storage-stage.s3.us-east-1.amazonaws.com","cors_rule":[],"force_destroy":false,"grant":[{"id":"b6e96f153ed2059480e56f0ad36a4711f844b60e2866ec0ebef27a4c7103edc3","permissions":["FULL_CONTROL"],"type":"CanonicalUser","uri":""}],"hosted_zone_id":"Z3AQBSTGFYJSTF","id":"osm-terraform-state-storage-stage","lifecycle_rule":[{"abort_incomplete_multipart_upload_days":0,"enabled":true,"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"id":"tf_state_stage","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","tags":{},"transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"logging":[],"object_lock_configuration":[],"object_lock_enabled":false,"policy":"","region":"us-east-1","replication_configuration":[],"request_payer":"BucketOwner","server_side_encryption_configuration":[{"rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]}],"tags":{"Name":"osm-terraform-state-storage-stage"},"tags_all":{"Name":"osm-terraform-state-storage-stage"},"timeouts":null,"versioning":[{"enabled":true,"mfa_delete":false}],"website":[],"website_domain":null,"website_endpoint":null},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwM
DAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"}]},{"module":"module.stage_state","mode":"managed","type":"aws_s3_bucket_lifecycle_configuration","name":"tf_state","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-stage","expected_bucket_owner":"","id":"osm-terraform-state-storage-stage","rule":[{"abort_incomplete_multipart_upload":[],"expiration":[{"date":"","days":365,"expired_object_delete_marker":false}],"filter":[{"and":[],"object_size_greater_than":"","object_size_less_than":"","prefix":"","tag":[]}],"id":"tf_state_stage","noncurrent_version_expiration":[],"noncurrent_version_transition":[],"prefix":"","status":"Enabled","transition":[{"date":"","days":30,"storage_class":"STANDARD_IA"}]}],"timeouts":null,"transition_default_minimum_object_size":"all_storage_classes_128K"},"sensitive_attributes":[],"private":"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAsInVwZGF0ZSI6MTgwMDAwMDAwMDAwfX0=","dependencies":["module.stage_state.aws_s3_bucket.tf_state"]}]},{"module":"module.stage_state","mode":"managed","type":"aws_s3_bucket_server_side_encryption_configuration","name":"default","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_version":0,"attributes":{"bucket":"osm-terraform-state-storage-stage","expected_bucket_owner":"","id":"osm-terraform-state-storage-stage","rule":[{"apply_server_side_encryption_by_default":[{"kms_master_key_id":"","sse_algorithm":"AES256"}],"bucket_key_enabled":false}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.stage_state.aws_s3_bucket.tf_state"]}]},{"module":"module.stage_state","mode":"managed","type":"aws_s3_bucket_versioning","name":"enabled","provider":"module.stage_state.provider[\"registry.opentofu.org/hashicorp/aws\"]","instances":[{"schema_vers
ion":0,"attributes":{"bucket":"osm-terraform-state-storage-stage","expected_bucket_owner":"","id":"osm-terraform-state-storage-stage","mfa":null,"versioning_configuration":[{"mfa_delete":"","status":"Enabled"}]},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["module.stage_state.aws_s3_bucket.tf_state"]}]}],"check_results":null}