uc-cdis · emalinowski · Aug 19, 2024 · Jun 10, 2024 · Jun 10, 2024 · Jun 10, 2024
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-04-15T11:22:55Z",
+  "generated_at": "2024-06-17T13:53:26Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -299,7 +299,7 @@
         "hashed_secret": "9b5925ea817163740dfb287a9894e8ab3aba2c18",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 99,
+        "line_number": 129,
         "type": "Secret Keyword"
       }
     ],

diff --git a/tf_files/aws/aurora_db/root.tf b/tf_files/aws/aurora_db/root.tf
@@ -23,7 +23,7 @@ module "secrets_manager" {
     username = local.database_username
     password = local.database_password
   })
-  secret_name = "${var.vpc_name}-${var.service}-creds"
+  secret_name = "${var.namespace}-${var.service}-creds"
 
   depends_on = [ null_resource.user_setup ]
 }

diff --git a/tf_files/aws/commons/es.tf b/tf_files/aws/commons/es.tf
@@ -11,6 +11,45 @@ module "commons_vpc_es" {
   es_version              = var.es_version
   es_linked_role          = var.es_linked_role
   es_name                 = var.es_name
+  role_arn                = var.deploy_es_role ? aws_iam_role.esproxy-role[0].arn : ""
   depends_on              = [module.cdis_vpc.vpc_id, module.cdis_vpc.vpc_peering_id]
 }
 
+
+resource "aws_iam_role" "esproxy-role" {
+  count = var.deploy_es_role ? 1 : 0
+  name = "${var.vpc_name}-esproxy-sa"
+  description = "Role for ES proxy service account for ${var.vpc_name}"
+  assume_role_policy = <<EDOC
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "ec2.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        },
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:${module.eks[0].oidc_provider_arn}"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "ForAllValues:StringLike": {
+                    "${module.eks[0].oidc_provider_arn}:sub": [
+                        "system:serviceaccount:*:esproxy-sa"
+                    ],
+                    "${module.eks[0].oidc_provider_arn}:aud": "sts.amazonaws.com"
+                }
+            }
+        }
+    ]
+}
+EDOC
+
+  path = "/gen3-service/"
+}
diff --git a/tf_files/aws/commons/outputs.tf b/tf_files/aws/commons/outputs.tf
@@ -55,6 +55,24 @@ output "config_map_aws_auth" {
   sensitive = true
 }
 
+output "eks_cluster_name" {
+  value = module.eks[0].cluster_name
+}
+
+output "eks_cluster_endpoint" {
+  value = module.eks[0].cluster_endpoint
+  sensitive = true
+}
+
+output "eks_cluster_ca_cert" {
+  value = module.eks[0].cluster_certificate_authority_data
+  sensitive   = true
+}
+
+output "eks_oidc_arn" {
+  value = module.eks[0].oidc_provider_arn
+}
+
 output "cluster_oidc_provider_url" {
   value = module.eks[0].cluster_oidc_provider_url
 }
@@ -67,7 +85,6 @@ output "opensearch_cluster_arn" {
   value = module.commons_vpc_es[0].es_arn
 }
 
-
 ##
 # aws_rds_aurora_cluster
 ##
@@ -93,3 +110,7 @@ output "aurora_cluster_master_password" {
   value       = one(module.aurora[*].aurora_cluster_master_password)
   sensitive   = true
 }
+
+output "es_endpoint" {
+  value       = module.commons_vpc_es[0].es_endpoint
+}
diff --git a/tf_files/aws/commons/variables.tf b/tf_files/aws/commons/variables.tf
@@ -1043,3 +1043,7 @@ variable "commons_log_retention" {
 variable "enable_vpc_endpoints" {
   default = true
 }
+
+variable "deploy_es_role" {
+  default = false
+}
diff --git a/tf_files/aws/modules/commons-vpc-es/cloud.tf b/tf_files/aws/modules/commons-vpc-es/cloud.tf
@@ -57,10 +57,9 @@ CONFIG
 }
 
 
-resource "aws_elasticsearch_domain" "gen3_metadata" {
-  domain_name           = var.es_name != "" ? var.es_name : "${var.vpc_name}-gen3-metadata"
-  elasticsearch_version = var.es_version
-  access_policies       = <<CONFIG
+locals {
+  es_policy  = var.role_arn == "" ? local.policy1 : local.policy2
+  policy1 = <<POLICY1
 {
     "Version": "2012-10-17",
     "Statement": [
@@ -76,7 +75,31 @@ resource "aws_elasticsearch_domain" "gen3_metadata" {
         }
     ]
 }
-CONFIG
+POLICY1
+  policy2 = <<POLICY2
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "es:*",
+            "Principal": {
+              "AWS": [
+                "${data.aws_iam_user.es_user.arn}",
+                "${var.role_arn}"
+              ]
+            },
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}
+POLICY2
+}
+
+resource "aws_elasticsearch_domain" "gen3_metadata" {
+  domain_name           = var.es_name != "" ? var.es_name : "${var.vpc_name}-gen3-metadata"
+  elasticsearch_version = var.es_version
+  access_policies       = local.es_policy
 
   encrypt_at_rest {
     # For small instance type like t2.medium, encryption is not available

diff --git a/tf_files/aws/modules/commons-vpc-es/variables.tf b/tf_files/aws/modules/commons-vpc-es/variables.tf
@@ -31,10 +31,15 @@ variable "organization_name" {
 
 variable "es_version" {
   description = "What version to use when deploying ES"
-  default     = "6.8"
+  default     = "7.10"
 }
 
 variable "es_linked_role" {
   description = "Whether or no to deploy a linked roll for ES"
   default     = true
 }
+
+variable "role_arn" {
+  description = "The ARN of the role to use for ES"
+  default     = ""
+}
diff --git a/tf_files/aws/modules/eks/cloud.tf b/tf_files/aws/modules/eks/cloud.tf
@@ -641,7 +641,7 @@ CONFIGMAPAWSAUTH2
 # instead just publish output variables
 #
 resource "null_resource" "config_setup" {
-   count = var.ci_run ? 0 : 1
+   #count = var.ci_run ? 0 : 1
    triggers = {
     kubeconfig_change = sensitive(templatefile("${path.module}/kubeconfig.tpl", {vpc_name = var.vpc_name, eks_name = aws_eks_cluster.eks_cluster.id, eks_endpoint = aws_eks_cluster.eks_cluster.endpoint, eks_cert = aws_eks_cluster.eks_cluster.certificate_authority.0.data,}))
     configmap_change  = sensitive(local.config-map-aws-auth)

diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf
@@ -22,6 +22,9 @@ output "cluster_name" {
   value = aws_eks_cluster.eks_cluster.name
 }
 
+output "oidc_provider_arn" {
+  value = replace(aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")
+
 output "cluster_oidc_provider_url" {
   value = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
 }

diff --git a/tf_files/aws/modules/generic-bucket/variables.tf b/tf_files/aws/modules/generic-bucket/variables.tf
@@ -15,6 +15,7 @@ variable "aes_encryption" {
 
 variable "kms_key_id" {
   description = "The KMS key to use for the bucket"
+  default= ""
 }
 
 variable "bucket_lifecycle_configuration" {

diff --git a/tf_files/aws/modules/sqs/cloud.tf b/tf_files/aws/modules/sqs/cloud.tf
@@ -1,9 +1,3 @@
-module "alarms-lambda" {
-  source                  = "../alarms-lambda"
-  vpc_name                = var.sqs_name
-  slack_webhook           = var.slack_webhook
-}
-
 resource "aws_sqs_queue" "generic_queue" {
   name                       = var.sqs_name
   # 5 min visilibity timeout; avoid consuming the same message twice
@@ -15,20 +9,3 @@ resource "aws_sqs_queue" "generic_queue" {
     description  = "Created by SQS module"
   }
 }
-
-resource "aws_cloudwatch_metric_alarm" "sqs_alarm" {
-  alarm_name                = "sqs_old_message_alarm-${var.sqs_name}"
-  comparison_operator       = "GreaterThanOrEqualToThreshold"
-  evaluation_periods        = "1"
-  metric_name               = "ApproximateAgeOfOldestMessage"
-  namespace                 = "AWS/SQS"
-  period                    = "120"
-  statistic                 = "Average"
-  threshold                 = "604800"
-  alarm_description         = "sqs queue has messages over a week old"
-  insufficient_data_actions = []
-  alarm_actions             = [module.alarms-lambda.sns-topic]
-  dimensions                = {
-   QueueName = var.sqs_name
-  }
-}
diff --git a/tf_files/aws/modules/upload-data-bucket/s3.tf b/tf_files/aws/modules/upload-data-bucket/s3.tf
@@ -19,7 +19,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "data_bucket" {
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
+      sse_algorithm = "aws:kms"
     }
   }
 }
@@ -65,7 +65,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "log_bucket" {
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
+      sse_algorithm = "aws:kms"
     }
   }
 }

diff --git a/tf_files/gen3/aws-user-creds.tftpl b/tf_files/gen3/aws-user-creds.tftpl
@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id=${access_key}
+aws_secret_access_key=${access_secret}
diff --git a/tf_files/gen3/data.tf b/tf_files/gen3/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/tf_files/gen3/db.tf b/tf_files/gen3/db.tf
@@ -0,0 +1,120 @@
+module "arborist-db" {
+  count                   = var.arborist_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "arborist"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "argo-db" {
+  count                   = var.argo_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "argo"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "audit-db" {
+  count                   = var.audit_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "audit"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "dicom-viewer-db" {
+  count                   = var.dicom-viewer_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "dicom"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "dicom-server-db" {
+  count                   = var.dicom-server_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "dicom-server"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "fence-db" {
+  count                   = var.fence_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "fence"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "indexd-db" {
+  count                   = var.indexd_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "indexd"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "metadata-db" {
+  count                   = var.metadata_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "metadata"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "requestor-db" {
+  count                   = var.requestor_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "requestor"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "sheepdog-db" {
+  count                   = var.sheepdog_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "sheepdog"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}
+
+module "wts-db" {
+  count                   = var.wts_enabled ? 1 : 0
+  source                  = "../aws/aurora_db"
+  vpc_name                = var.vpc_name
+  service                 = "wts"
+  admin_database_username = var.aurora_username
+  admin_database_password = var.aurora_password
+  namespace               = var.namespace
+  secrets_manager_enabled = true
+}