Merge branch 'master' into chore/db-reencryption

uc-cdis · Oct 14, 2024 · c9dcc74 · c9dcc74
2 parents f839ed3 + 2ee97ec
commit c9dcc74
Show file tree

Hide file tree

Showing 36 changed files with 1,614 additions and 237 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-04-15T11:22:55Z",
+  "generated_at": "2024-09-24T15:47:09Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -299,7 +299,7 @@
         "hashed_secret": "9b5925ea817163740dfb287a9894e8ab3aba2c18",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 99,
+        "line_number": 135,
         "type": "Secret Keyword"
       }
     ],

diff --git a/tf_files/aws/aurora_db/root.tf b/tf_files/aws/aurora_db/root.tf
@@ -23,7 +23,7 @@ module "secrets_manager" {
     username = local.database_username
     password = local.database_password
   })
-  secret_name = "${var.vpc_name}-${var.service}-creds"
+  secret_name = "${var.namespace}-${var.service}-creds"
 
   depends_on = [ null_resource.user_setup ]
 }

diff --git a/tf_files/aws/commons/es.tf b/tf_files/aws/commons/es.tf
@@ -11,6 +11,45 @@ module "commons_vpc_es" {
   es_version              = var.es_version
   es_linked_role          = var.es_linked_role
   es_name                 = var.es_name
+  role_arn                = var.deploy_es_role ? aws_iam_role.esproxy-role[0].arn : ""
   depends_on              = [module.cdis_vpc.vpc_id, module.cdis_vpc.vpc_peering_id]
 }
 
+
+resource "aws_iam_role" "esproxy-role" {
+  count = var.deploy_es_role ? 1 : 0
+  name = "${var.vpc_name}-esproxy-sa"
+  description = "Role for ES proxy service account for ${var.vpc_name}"
+  assume_role_policy = <<EDOC
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "ec2.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        },
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "${module.eks[0].cluster_oidc_provider_arn}"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "ForAllValues:StringLike": {
+                    "${module.eks[0].oidc_provider_arn}:sub": [
+                        "system:serviceaccount:*:esproxy-sa"
+                    ],
+                    "${module.eks[0].oidc_provider_arn}:aud": "sts.amazonaws.com"
+                }
+            }
+        }
+    ]
+}
+EDOC
+
+  path = "/gen3-service/"
+}
diff --git a/tf_files/aws/commons/kube.tf b/tf_files/aws/commons/kube.tf
@@ -19,7 +19,7 @@ resource "aws_db_instance" "db_fence" {
   db_subnet_group_name        = aws_db_subnet_group.private_group.id
   vpc_security_group_ids      = [module.cdis_vpc.security_group_local_id]
   allow_major_version_upgrade = var.fence_allow_major_version_upgrade
-  final_snapshot_identifier   = "${replace(var.vpc_name,"_", "-")}-fencedb"
+  final_snapshot_identifier   = "${replace(var.vpc_name, "_", "-")}-fencedb"
   maintenance_window          = var.fence_maintenance_window
   backup_retention_period     = var.fence_backup_retention_period
   backup_window               = var.fence_backup_window
@@ -29,9 +29,9 @@ resource "aws_db_instance" "db_fence" {
   max_allocated_storage       = var.fence_max_allocated_storage
 
   tags = {
-    Environment               = var.vpc_name
-    Organization              = var.organization_name
-  } 
+    Environment  = var.vpc_name
+    Organization = var.organization_name
+  }
 
   lifecycle {
     prevent_destroy = true
@@ -56,7 +56,7 @@ resource "aws_db_instance" "db_sheepdog" {
   db_subnet_group_name        = aws_db_subnet_group.private_group.id
   vpc_security_group_ids      = [module.cdis_vpc.security_group_local_id]
   allow_major_version_upgrade = var.sheepdog_allow_major_version_upgrade
-  final_snapshot_identifier   = "${replace(var.vpc_name,"_", "-")}-sheepdogdb"
+  final_snapshot_identifier   = "${replace(var.vpc_name, "_", "-")}-sheepdogdb"
   maintenance_window          = var.sheepdog_maintenance_window
   backup_retention_period     = var.sheepdog_backup_retention_period
   backup_window               = var.sheepdog_backup_window
@@ -66,8 +66,8 @@ resource "aws_db_instance" "db_sheepdog" {
   max_allocated_storage       = var.sheepdog_max_allocated_storage
 
   tags = {
-    Environment               = var.vpc_name
-    Organization              = var.organization_name
+    Environment  = var.vpc_name
+    Organization = var.organization_name
   }
 
   lifecycle {
@@ -93,7 +93,7 @@ resource "aws_db_instance" "db_indexd" {
   db_subnet_group_name        = aws_db_subnet_group.private_group.id
   vpc_security_group_ids      = [module.cdis_vpc.security_group_local_id]
   allow_major_version_upgrade = var.indexd_allow_major_version_upgrade
-  final_snapshot_identifier   = "${replace(var.vpc_name,"_", "-")}-indexddb"
+  final_snapshot_identifier   = "${replace(var.vpc_name, "_", "-")}-indexddb"
   maintenance_window          = var.indexd_maintenance_window
   backup_retention_period     = var.indexd_backup_retention_period
   backup_window               = var.indexd_backup_window
@@ -103,8 +103,8 @@ resource "aws_db_instance" "db_indexd" {
   max_allocated_storage       = var.indexd_max_allocated_storage
 
   tags = {
-    Environment               = var.vpc_name
-    Organization              = var.organization_name
+    Environment  = var.vpc_name
+    Organization = var.organization_name
   }
 
   lifecycle {
@@ -118,7 +118,7 @@ resource "aws_db_instance" "db_indexd" {
 # and https://www.postgresql.org/docs/9.6/static/runtime-config-query.html#RUNTIME-CONFIG-QUERY-ENABLE
 # for detail parameter descriptions
 locals {
-  pg_family_version = replace( var.engine_version ,"/\\.[0-9]/", "" )
+  pg_family_version = replace(var.engine_version, "/\\.[0-9]/", "")
 }
 
 resource "aws_db_parameter_group" "rds-cdis-pg" {
@@ -164,38 +164,38 @@ resource "aws_db_parameter_group" "rds-cdis-pg" {
   }
 
   lifecycle {
-    ignore_changes  = all
+    ignore_changes = all
   }
 }
 
 resource "aws_kms_key" "kube_key" {
-  description                 = "encryption/decryption key for kubernete"
-  enable_key_rotation         = true
+  description         = "encryption/decryption key for kubernete"
+  enable_key_rotation = true
 
   tags = {
-    Environment               = var.vpc_name
-    Organization              = var.organization_name
+    Environment  = var.vpc_name
+    Organization = var.organization_name
   }
 }
 
 resource "aws_kms_alias" "kube_key" {
-  name                        = "alias/${var.vpc_name}-k8s"
-  target_key_id               = aws_kms_key.kube_key.key_id
+  name          = "alias/${var.vpc_name}-k8s"
+  target_key_id = aws_kms_key.kube_key.key_id
 }
 
 resource "aws_key_pair" "automation_dev" {
-  key_name                    = "${var.vpc_name}_automation_dev"
-  public_key                  = var.kube_ssh_key
+  key_name   = "${var.vpc_name}_automation_dev"
+  public_key = var.kube_ssh_key
 }
 
 resource "aws_s3_bucket" "kube_bucket" {
   # S3 buckets are in a global namespace, so dns style naming
-  bucket                      = "kube-${replace(var.vpc_name,"_", "-")}-gen3"
+  bucket = "kube-${replace(var.vpc_name, "_", "-")}-gen3"
 
   tags = {
-    Name                      = "kube-${replace(var.vpc_name,"_", "-")}-gen3"
-    Environment               = var.vpc_name
-    Organization              = var.organization_name
+    Name         = "kube-${replace(var.vpc_name, "_", "-")}-gen3"
+    Environment  = var.vpc_name
+    Organization = var.organization_name
   }
 
   lifecycle {
@@ -212,6 +212,10 @@ resource "aws_s3_bucket" "kube_bucket" {
 resource "aws_s3_bucket_server_side_encryption_configuration" "kube_bucket" {
   bucket = aws_s3_bucket.kube_bucket.bucket
 
+  lifecycle {
+    ignore_changes = all
+  }
+
   rule {
     apply_server_side_encryption_by_default {
       sse_algorithm = "AES256"
@@ -233,7 +237,7 @@ resource "aws_s3_bucket_public_access_block" "kube_bucket_privacy" {
 #   modify the permissions there as necessary.  Ugh.
 data "aws_iam_policy_document" "configbucket_reader" {
   statement {
-    actions = ["s3:Get*","s3:List*"]
+    actions   = ["s3:Get*", "s3:List*"]
     effect    = "Allow"
     resources = ["arn:aws:s3:::${var.users_bucket_name}", "arn:aws:s3:::${var.users_bucket_name}/${var.config_folder}/*", "arn:aws:s3:::qualys-agentpackage", "arn:aws:s3:::qualys-agentpackage/*"]
   }

diff --git a/tf_files/aws/commons/outputs.tf b/tf_files/aws/commons/outputs.tf
@@ -46,13 +46,43 @@ output "data-bucket_name" {
 }
 
 output "kubeconfig" {
-  value = module.eks[0].kubeconfig
-  sensitive   = true  
+  value     = module.eks[0].kubeconfig
+  sensitive = true
 }
 
 output "config_map_aws_auth" {
-  value = module.eks[0].config_map_aws_auth
-  sensitive   = true  
+  value     = module.eks[0].config_map_aws_auth
+  sensitive = true
+}
+
+output "eks_cluster_name" {
+  value = module.eks[0].cluster_name
+}
+
+output "eks_cluster_endpoint" {
+  value = module.eks[0].cluster_endpoint
+  sensitive = true
+}
+
+output "eks_cluster_ca_cert" {
+  value = module.eks[0].cluster_certificate_authority_data
+  sensitive   = true
+}
+
+output "eks_oidc_arn" {
+  value = module.eks[0].oidc_provider_arn
+}
+
+output "cluster_oidc_provider_url" {
+  value = module.eks[0].cluster_oidc_provider_url
+}
+
+output "cluster_oidc_provider_arn" {
+  value = module.eks[0].cluster_oidc_provider_arn
+}
+
+output "opensearch_cluster_arn" {
+  value = module.commons_vpc_es[0].es_arn
 }
 
 ##
@@ -80,3 +110,7 @@ output "aurora_cluster_master_password" {
   value       = one(module.aurora[*].aurora_cluster_master_password)
   sensitive   = true
 }
+
+output "es_endpoint" {
+  value       = module.commons_vpc_es[0].es_endpoint
+}
diff --git a/tf_files/aws/commons/variables.tf b/tf_files/aws/commons/variables.tf
@@ -339,6 +339,7 @@ variable "ha-squid_bootstrap_script" {
 }
 
 variable "ha-squid_extra_vars" {
+  type    = list(string)
   description = "additional variables to pass along with the bootstrapscript"
   default     = ["squid_image=master"]
 }
@@ -1043,3 +1044,7 @@ variable "commons_log_retention" {
 variable "enable_vpc_endpoints" {
   default = true
 }
+
+variable "deploy_es_role" {
+  default = false
+}
diff --git a/tf_files/aws/eks/outputs.tf b/tf_files/aws/eks/outputs.tf
@@ -5,3 +5,11 @@ output "kubeconfig" {
 output "config_map_aws_auth" {
   value = module.eks[0].config_map_aws_auth
 }
+
+output "cluster_oidc_provider_url" {
+  value = module.eks[0].cluster_oidc_provider_url
+}
+
+output "cluster_oidc_provider_arn" {
+  value = module.eks[0].cluster_oidc_provider_arn
+}