From b7edbf0d883f5445297abd24f7bc80b53d69714a Mon Sep 17 00:00:00 2001 
From: Mike Pond <32133001+P0NDER0SA@users.noreply.github.com> Date: Thu, 17 Oct 2024 15:22:33 -0400 Subject: [PATCH] STAGING Manifests Secret Variables to Terraform AWS Secret Manager (#1593) * [review] Adding All Secret Variables from Encrypted .env file in manifests for staging AWS Secrets Manager * removing a couple of non secret service ids and adding some necessary files for this to even run :p * creating the db connectivity strings using outputs and inputs from rds to manifests secrets. * finishing up staging work * formatting * adding manifest_secrets to plan * adding manifest_secrets to apply (and removing the unecessary bump and tag * turning off a particular checkov check for cycled secrets and building the redis string secrets from AWS outputs [review] * marking variables as sensitive in hcl file * formatting * formatting --------- Co-authored-by: Ben Larabie --- .github/workflows/merge_to_main_staging.yml | 36 +- .github/workflows/terragrunt_plan_staging.yml | 37 ++ aws/.checkov.yml | 3 +- aws/manifest_secrets/secrets.tf | 377 ++++++++++++++++++ aws/manifest_secrets/variables.tf | 15 + env/.terraform.lock.hcl | 71 ++++ env/dev_config.tfvars | 44 +- env/production_config.tfvars | 30 +- env/staging/common/.terraform.lock.hcl | 150 +++++++ .../manifest_secrets/.terraform.lock.hcl | 71 ++++ env/staging/manifest_secrets/terragrunt.hcl | 26 ++ env/staging/rds/.terraform.lock.hcl | 90 +++++ env/staging_config.tfvars | 44 +- env/terragrunt.hcl | 171 ++++++++ 14 files changed, 1094 insertions(+), 71 deletions(-) create mode 100644 aws/manifest_secrets/secrets.tf create mode 100644 aws/manifest_secrets/variables.tf create mode 100644 env/.terraform.lock.hcl create mode 100644 env/staging/common/.terraform.lock.hcl create mode 100644 env/staging/manifest_secrets/.terraform.lock.hcl create mode 100644 env/staging/manifest_secrets/terragrunt.hcl create mode 100644 env/staging/rds/.terraform.lock.hcl 
diff --git a/.github/workflows/merge_to_main_staging.yml b/.github/workflows/merge_to_main_staging.yml
index cf4d43dec..3dbb62b2d 100644
--- a/.github/workflows/merge_to_main_staging.yml
+++ b/.github/workflows/merge_to_main_staging.yml
@@ -760,20 +760,34 @@ jobs: cd env/${{env.ENVIRONMENT}}/newrelic terragrunt apply --terragrunt-non-interactive -auto-approve - bump-version-and-push-tag: + terragrunt-apply-manifest_secrets: if: | - always() && - github.event_name != 'workflow_dispatch' && - !contains(needs.*.result, 'failure') && - !contains(needs.*.result, 'cancelled') - runs-on: ubuntu-latest - needs: [terragrunt-apply-common,terragrunt-apply-ecr,terragrunt-apply-dns,terragrunt-apply-ses_validation_dns_entries,terragrunt-apply-cloudfront,terragrunt-apply-eks,terragrunt-apply-elasticache,terragrunt-apply-rds,terragrunt-apply-lambda-api,terragrunt-apply-lambda-admin-pr,terragrunt-apply-performance-test,terragrunt-apply-heartbeat,terragrunt-apply-database-tools,terragrunt-apply-quicksight,terragrunt-apply-lambda-google-cidr,terragrunt-apply-ses_to_sqs_email_callbacks,terragrunt-apply-sns_to_sqs_sms_callbacks,terragrunt-apply-pinpoint_to_sqs_sms_callbacks,terragrunt-apply-system_status,terragrunt-apply-ses_receiving_emails,terragrunt-apply-system_status_static_site,terragrunt-apply-newrelic] + always() && + !contains(needs.*.result, 'failure') && + !contains(needs.*.result, 'cancelled') + needs: [terragrunt-apply-rds] + runs-on: ubuntu-latest + steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - name: bump-version-and-push-tag - uses: mathieudutour/github-tag-action@bcb832838e1612ff92089d914bccc0fd39458223 # v4.6 + - name: setup-terraform + uses: ./.github/actions/setup-terraform with: - github_token: ${{ secrets.GITHUB_TOKEN }} - release_branches: main + role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply + role_session_name: NotifyTerraformApply + + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb + sudo mkdir -p aws + cd aws + op read 
op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars + + - name: terragrunt apply manifest_secrets + run: | + cd env/${{env.ENVIRONMENT}}/manifest_secrets + terragrunt apply --terragrunt-non-interactive -auto-approve + diff --git a/.github/workflows/terragrunt_plan_staging.yml b/.github/workflows/terragrunt_plan_staging.yml index 0725a361d..432d731eb 100644 --- a/.github/workflows/terragrunt_plan_staging.yml +++ b/.github/workflows/terragrunt_plan_staging.yml @@ -46,6 +46,7 @@ jobs: system_status: ${{ steps.filter.outputs.system_status }} system_status_static_site: ${{ steps.filter.outputs.system_status_static_site }} newrelic: ${{ steps.filter.outputs.newrelic }} + manifest_secrets: ${{ steps.filter.outputs.manifest_secrets }} steps: - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 @@ -120,6 +121,9 @@ jobs: newrelic: - 'aws/newrelic/**' - 'env/${{env.ENVIRONMENT}}/newrelic/**' + manifest_secrets: + - 'aws/manifest_secrets/**' + - 'env/${{env.ENVIRONMENT}}/manifest_secrets/**' terragrunt-plan-common: runs-on: ubuntu-latest 
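Review bot: The `Install 1Pass CLI` step fetches `1password-cli-amd64-latest.deb` over the network and installs it with `sudo dpkg -i` without pinning a release or verifying a checksum or signature, so every apply run trusts whatever the download endpoint serves at that moment; the identical snippet is added to `terragrunt_plan_staging.yml` in this commit. Pin the CLI to a specific version and verify the package before installing, or move the install plus the `op read` into a composite action next to `./.github/actions/setup-terraform` so it is maintained in one place. The step name also understates what it does — it writes the decrypted tfvars to `aws/${{env.ENVIRONMENT}}.tfvars`; the plan workflow names the equivalent step `Install 1Pass CLI and Download TFVars`. `sudo mkdir -p aws` looks redundant, since `aws/` already exists in the repository (`aws/.checkov.yml` is patched in this same commit) and creating it as root would only make the later redirect fragile.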
@@ -876,3 +880,36 @@ jobs: terragrunt: "true" terraform-init: | -upgrade + + terragrunt-plan-manifest_secrets: + if: | + always() && + !contains(needs.*.result, 'failure') && + !contains(needs.*.result, 'cancelled') + needs: [terragrunt-plan-rds] + runs-on: ubuntu-latest + env: + COMPONENT: "manifest_secrets" + steps: + - name: Checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: ./.github/actions/setup-terraform + with: + role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-plan + role_session_name: NotifyTerraformPlan + - name: Install 1Pass CLI and Download TFVars + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb + sudo mkdir -p aws && cd aws + op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars + - name: Terragrunt plan ${{env.COMPONENT}} + uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6 + with: + directory: "env/${{env.ENVIRONMENT}}/${{env.COMPONENT}}" + comment-delete: "true" + comment-title: "${{env.ENVIRONMENT}}: ${{env.COMPONENT}}" + github-token: "${{ secrets.GITHUB_TOKEN }}" + terragrunt: "true" + terraform-init: | + -upgrade \ No newline at end of file diff --git a/aws/.checkov.yml b/aws/.checkov.yml index 00e503cfa..294275d1a 100644 --- a/aws/.checkov.yml +++ b/aws/.checkov.yml @@ -21,4 +21,5 @@ skip-check: - CKV_AWS_91 # TODO: Load balancer enable access logging - CKV2_AWS_8 # TODO: RDS investigate if Query Logging can be enabled - CKV2_AWS_27 # TODO: RDS investigate how to setup AWS Backup plan - - CKV_TF_1 # You cannot reference commit hashes on terraform registry. \ No newline at end of file + - CKV_TF_1 # You cannot reference commit hashes on terraform registry. + - CKV2_AWS_57 \ No newline at end of file 
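Review bot: The new `terragrunt-plan-manifest_secrets` job is gated only on `always()` and the result of `terragrunt-plan-rds`; it never reads the `manifest_secrets` paths-filter output this commit adds in the `@@ -46` and `@@ -120` hunks, so the plan — and the `op read` that copies the full secret tfvars onto the runner — will run on every PR regardless of which paths changed. If the other component jobs gate on their filter output (their bodies are outside this hunk), mirror that here by adding the filter job to `needs` and `needs.<filter-job>.outputs.manifest_secrets == 'true'` to the `if:` (placeholder for the real filter job name). The file is also still left without a trailing newline after `-upgrade`.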
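Review bot: `CKV2_AWS_57` is appended to `skip-check` without the reason comment every other entry carries, and the file is again left without a trailing newline. Record the rationale inline so the accepted risk lives next to the suppression, e.g. `- CKV2_AWS_57 # Secrets Manager automatic rotation; manifest secrets are cycled out-of-band, see #1593`.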
diff --git a/aws/manifest_secrets/secrets.tf b/aws/manifest_secrets/secrets.tf
new file mode 100644
index 000000000..d371ca6e2
--- /dev/null
+++ b/aws/manifest_secrets/secrets.tf
@@ -0,0 +1,377 @@
+resource "aws_secretsmanager_secret" "manifest_admin_client_secret" {
+  name = "MANIFEST_ADMIN_CLIENT_SECRET"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_admin_client_secret_version" {
+  secret_id = aws_secretsmanager_secret.manifest_admin_client_secret.id
+  secret_string = var.manifest_admin_client_secret
+}
+
+resource "aws_secretsmanager_secret" "manifest_auth_tokens" {
+  name = "MANIFEST_AUTH_TOKENS"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_auth_tokens_version" {
+  secret_id = aws_secretsmanager_secret.manifest_auth_tokens.id
+  secret_string = var.manifest_auth_tokens
+}
+
+resource "aws_secretsmanager_secret" "manifest_document_download_api_key" {
+  name = "MANIFEST_DOCUMENT_DOWNLOAD_API_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_document_download_api_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_document_download_api_key.id
+  secret_string = var.manifest_document_download_api_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_aws_route53_zone" {
+  name = "MANIFEST_AWS_ROUTE53_ZONE"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_aws_route53_zone_version" {
+  secret_id = aws_secretsmanager_secret.manifest_aws_route53_zone.id
+  secret_string = var.manifest_aws_route53_zone
+}
+
+resource "aws_secretsmanager_secret" "manifest_aws_ses_access_key" {
+  name = "MANIFEST_AWS_SES_ACCESS_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_aws_ses_access_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_aws_ses_access_key.id
+  secret_string = var.manifest_aws_ses_access_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_aws_ses_secret_key" {
+  name = "MANIFEST_AWS_SES_SECRET_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_aws_ses_secret_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_aws_ses_secret_key.id
+  secret_string = var.manifest_aws_ses_secret_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_dangerous_salt" {
+  name = "MANIFEST_DANGEROUS_SALT"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_dangerous_salt_version" {
+  secret_id = aws_secretsmanager_secret.manifest_dangerous_salt.id
+  secret_string = var.manifest_dangerous_salt
+}
+
+resource "aws_secretsmanager_secret" "manifest_debug_key" {
+  name = "MANIFEST_DEBUG_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_debug_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_debug_key.id
+  secret_string = var.manifest_debug_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_fresh_desk_product_id" {
+  name = "MANIFEST_FRESH_DESK_PRODUCT_ID"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_fresh_desk_product_id_version" {
+  secret_id = aws_secretsmanager_secret.manifest_fresh_desk_product_id.id
+  secret_string = var.manifest_fresh_desk_product_id
+}
+
+resource "aws_secretsmanager_secret" "manifest_fresh_desk_api_key" {
+  name = "MANIFEST_FRESH_DESK_API_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_fresh_desk_api_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_fresh_desk_api_key.id
+  secret_string = var.manifest_fresh_desk_api_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_gc_articles_api_auth_username" {
+  name = "MANIFEST_GC_ARTICLES_API_AUTH_USERNAME"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_gc_articles_api_auth_username_version" {
+  secret_id = aws_secretsmanager_secret.manifest_gc_articles_api_auth_username.id
+  secret_string = var.manifest_gc_articles_api_auth_username
+}
+
+resource "aws_secretsmanager_secret" "manifest_gc_articles_api_auth_password" {
+  name = "MANIFEST_GC_ARTICLES_API_AUTH_PASSWORD"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_gc_articles_api_auth_password_version" {
+  secret_id = aws_secretsmanager_secret.manifest_gc_articles_api_auth_password.id
+  secret_string = var.manifest_gc_articles_api_auth_password
+}
+
+resource "aws_secretsmanager_secret" "manifest_mixpanel_project_token" {
+  name = "MANIFEST_MIXPANEL_PROJECT_TOKEN"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_mixpanel_project_token_version" {
+  secret_id = aws_secretsmanager_secret.manifest_mixpanel_project_token.id
+  secret_string = var.manifest_mixpanel_project_token
+}
+
+resource "aws_secretsmanager_secret" "manifest_new_relic_license_key" {
+  name = "MANIFEST_NEW_RELIC_LICENSE_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_new_relic_license_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_new_relic_license_key.id
+  secret_string = var.manifest_new_relic_license_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_crm_github_personal_access_token" {
+  name = "MANIFEST_CRM_GITHUB_PERSONAL_ACCESS_TOKEN"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_crm_github_personal_access_token_version" {
+  secret_id = aws_secretsmanager_secret.manifest_crm_github_personal_access_token.id
+  secret_string = var.manifest_crm_github_personal_access_token
+}
+
+resource "aws_secretsmanager_secret" "manifest_salesforce_username" {
+  name = "MANIFEST_SALESFORCE_USERNAME"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_salesforce_username_version" {
+  secret_id = aws_secretsmanager_secret.manifest_salesforce_username.id
+  secret_string = var.manifest_salesforce_username
+}
+
+resource "aws_secretsmanager_secret" "manifest_salesforce_password" {
+  name = "MANIFEST_SALESFORCE_PASSWORD"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_salesforce_password_version" {
+  secret_id = aws_secretsmanager_secret.manifest_salesforce_password.id
+  secret_string = var.manifest_salesforce_password
+}
+
+resource "aws_secretsmanager_secret" "manifest_salesforce_security_token" {
+  name = "MANIFEST_SALESFORCE_SECURITY_TOKEN"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_salesforce_security_token_version" {
+  secret_id = aws_secretsmanager_secret.manifest_salesforce_security_token.id
+  secret_string = var.manifest_salesforce_security_token
+}
+
+resource "aws_secretsmanager_secret" "manifest_salesforce_client_privatekey" {
+  name = "MANIFEST_SALESFORCE_CLIENT_PRIVATEKEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_salesforce_client_privatekey_version" {
+  secret_id = aws_secretsmanager_secret.manifest_salesforce_client_privatekey.id
+  secret_string = var.manifest_salesforce_client_privatekey
+}
+
+resource "aws_secretsmanager_secret" "manifest_salesforce_engagement_product_id" {
+  name = "MANIFEST_SALESFORCE_ENGAGEMENT_PRODUCT_ID"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_salesforce_engagement_product_id_version" {
+  secret_id = aws_secretsmanager_secret.manifest_salesforce_engagement_product_id.id
+  secret_string = var.manifest_salesforce_engagement_product_id
+}
+
+resource "aws_secretsmanager_secret" "manifest_salesforce_engagement_record_type" {
+  name = "MANIFEST_SALESFORCE_ENGAGEMENT_RECORD_TYPE"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_salesforce_engagement_record_type_version" {
+  secret_id = aws_secretsmanager_secret.manifest_salesforce_engagement_record_type.id
+  secret_string = var.manifest_salesforce_engagement_record_type
+}
+
+resource "aws_secretsmanager_secret" "manifest_salesforce_engagement_standard_pricebook_id" {
+  name = "MANIFEST_SALESFORCE_ENGAGEMENT_STANDARD_PRICEBOOK_ID"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_salesforce_engagement_standard_pricebook_id_version" {
+  secret_id = aws_secretsmanager_secret.manifest_salesforce_engagement_standard_pricebook_id.id
+  secret_string = var.manifest_salesforce_engagement_standard_pricebook_id
+}
+
+resource "aws_secretsmanager_secret" "manifest_salesforce_generic_account_id" {
+  name = "MANIFEST_SALESFORCE_GENERIC_ACCOUNT_ID"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_salesforce_generic_account_id_version" {
+  secret_id = aws_secretsmanager_secret.manifest_salesforce_generic_account_id.id
+  secret_string = var.manifest_salesforce_generic_account_id
+}
+
+resource "aws_secretsmanager_secret" "manifest_secret_key" {
+  name = "MANIFEST_SECRET_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_secret_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_secret_key.id
+  secret_string = var.manifest_secret_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_sendgrid_api_key" {
+  name = "MANIFEST_SENDGRID_API_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_sendgrid_api_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_sendgrid_api_key.id
+  secret_string = var.manifest_sendgrid_api_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_waf_secret" {
+  name = "MANIFEST_WAF_SECRET"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_waf_secret_version" {
+  secret_id = aws_secretsmanager_secret.manifest_waf_secret.id
+  secret_string = var.manifest_waf_secret
+}
+
+resource "aws_secretsmanager_secret" "manifest_zendesk_api_key" {
+  name = "MANIFEST_ZENDESK_API_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_zendesk_api_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_zendesk_api_key.id
+  secret_string = var.manifest_zendesk_api_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_zendesk_sell_api_key" {
+  name = "MANIFEST_ZENDESK_SELL_API_KEY"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_zendesk_sell_api_key_version" {
+  secret_id = aws_secretsmanager_secret.manifest_zendesk_sell_api_key.id
+  secret_string = var.manifest_zendesk_sell_api_key
+}
+
+resource "aws_secretsmanager_secret" "manifest_sre_client_secret" {
+  name = "MANIFEST_SRE_CLIENT_SECRET"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_sre_client_secret_version" {
+  secret_id = aws_secretsmanager_secret.manifest_sre_client_secret.id
+  secret_string = var.manifest_sre_client_secret
+}
+
+resource "aws_secretsmanager_secret" "manifest_cache_clear_client_secret" {
+  name = "MANIFEST_CACHE_CLEAR_CLIENT_SECRET"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_cache_clear_client_secret_version" {
+  secret_id = aws_secretsmanager_secret.manifest_cache_clear_client_secret.id
+  secret_string = var.manifest_cache_clear_client_secret
+}
+
+resource "aws_secretsmanager_secret" "manifest_aws_pinpoint_sc_pool_id" {
+  name = "MANIFEST_AWS_PINPOINT_SC_POOL_ID"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_aws_pinpoint_sc_pool_id_version" {
+  secret_id = aws_secretsmanager_secret.manifest_aws_pinpoint_sc_pool_id.id
+  secret_string = var.manifest_aws_pinpoint_sc_pool_id
+}
+
+resource "aws_secretsmanager_secret" "manifest_aws_pinpoint_sc_template_ids" {
+  name = "MANIFEST_AWS_PINPOINT_SC_TEMPLATE_IDS"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_aws_pinpoint_sc_template_ids_version" {
+  secret_id = aws_secretsmanager_secret.manifest_aws_pinpoint_sc_template_ids.id
+  secret_string = var.manifest_aws_pinpoint_sc_template_ids
+}
+
+resource "aws_secretsmanager_secret" "manifest_aws_pinpoint_default_pool_id" {
+  name = "MANIFEST_AWS_PINPOINT_DEFAULT_POOL_ID"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_aws_pinpoint_default_pool_id_version" {
+  secret_id = aws_secretsmanager_secret.manifest_aws_pinpoint_default_pool_id.id
+  secret_string = var.manifest_aws_pinpoint_default_pool_id
+}
+
+resource "aws_secretsmanager_secret" "manifest_sqlalachemy_database_uri" {
+  name = "SQLALCHEMY_DATABASE_URI"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_sqlalachemy_database_uri" {
+  secret_id = aws_secretsmanager_secret.manifest_sqlalachemy_database_uri.id
+  secret_string = "postgresql://${var.app_db_user}:${var.app_db_user_password}@${var.database_read_write_proxy_endpoint}/${var.app_db_database_name}"
+}
+
+resource "aws_secretsmanager_secret" "manifest_sqlalachemy_database_reader_uri" {
+  name = "SQLALCHEMY_DATABASE_READER_URI"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_sqlalachemy_database_reader_uri" {
+  secret_id = aws_secretsmanager_secret.manifest_sqlalachemy_database_reader_uri.id
+  secret_string = "postgresql://${var.app_db_user}:${var.app_db_user_password}@${var.database_read_only_proxy_endpoint}/${var.app_db_database_name}"
+}
+
+resource "aws_secretsmanager_secret" "manifest_postgres_host" {
+  name = "MANIFEST_POSTGRES_HOST"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_postgres_host_version" {
+  secret_id = aws_secretsmanager_secret.manifest_postgres_host.id
+  secret_string = "notification-canada-ca-${var.env}-cluster.${var.postgres_rds_instance_id}.${var.region}.rds.amazonaws.com"
+}
+
+resource "aws_secretsmanager_secret" "manifest_redis_publish_url" {
+  name = "MANIFEST_REDIS_PUBLISH_URL"
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_redis_publish_url" {
+  secret_id = aws_secretsmanager_secret.manifest_redis_publish_url.id
+  secret_string = "redis://notify-${var.env}-cluster-cache-az.${var.redis_cluster_security_group_id}.ng.0001.cac1.cache.amazonaws.com:6379"
+}
+
+resource "aws_secretsmanager_secret" "manifest_redis_url" {
+  name = "MANIFEST_REDIS_URL"
+}
+
+resource "aws_secretsmanager_secret_version" "manifest_redis_url" {
+  secret_id = aws_secretsmanager_secret.manifest_redis_url.id
+  secret_string = "redis://notify-${var.env}-cluster-cache-az.${var.redis_cluster_security_group_id}.ng.0001.cac1.cache.amazonaws.com:6379"
+}
diff --git a/aws/manifest_secrets/variables.tf b/aws/manifest_secrets/variables.tf
new file mode 100644
index 000000000..740fd7f0b
--- /dev/null
+++ b/aws/manifest_secrets/variables.tf
@@ -0,0 +1,15 @@
+variable "database_read_write_proxy_endpoint" {
+  type = string
+}
+
+variable "database_read_only_proxy_endpoint" {
+  type = string
+}
+
+variable "postgres_rds_instance_id" {
+  type = string
+}
+
+variable "redis_cluster_security_group_id" {
+  type = string
+}
\ No newline at end of file
diff --git a/env/.terraform.lock.hcl b/env/.terraform.lock.hcl
new file mode 100644
index 000000000..a5abfe33a
--- /dev/null
+++ b/env/.terraform.lock.hcl
@@ -0,0 +1,71 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.72.1" + constraints = "~> 5.66" + hashes = [ + "h1:ZpM0d+tK1vhOi6llGqex5PgzdlOURa543XU9uYvjA2E=", + "zh:0dea6843836e926d33469b48b948744079023816d16a2ff7666bcfb6aa3522d4", + "zh:195fa9513f75800a0d62797ebec75ee73e9b8c28d713fe9b63d3b1d1eec129b3", + "zh:1ed92f3961715bf0e024bcde3c12dfbdc50b00c1f8a43cc00802cfc45a256208", + "zh:2ac687e3a52606466cae4a6813e81d923042488df88d2424e28d3f8530f091bb", + "zh:32e7ca75f9314557daada3c44628fe1f3bf964a4f833bfb4b2295d833fe64b6f", + "zh:374ee0e6b4327cc6ef666908ce5d6450a3a56e90cd2b785e83c2bcfc100021d2", + "zh:5500fd6fdac44f96411fcf9c6d01691159ec35455ed127eb4c3a498e1cc92a64", + "zh:723a2dc4b064c12e7ee62ad4fbfd72fa5e025206ea47b735994ef53f3c373152", + "zh:89d97b87605f1d734f27e642567cbecf785b521af8ea81dac55c77ccde876221", + "zh:951ee1e5731e8d65d521d71b95927e55055b3c4656eef6d46fa580a63328befc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9b2b362470b64ec227b2da64762ab8bc4111c6b80365fd9d82fc5e1e33f44038", + "zh:aa6e57d0cb974ff0da5dee5d43ad2745cbbc4a2b507d4c799839b9fa96daf688", + "zh:ba0d14c4a6b7aa844a830d47c0bf995b632e37f0795394b5b60c638b62b7fc03", + "zh:c9764065a9c5d324db0b02bd201b9e3a2118e49c4960884acdeea377173302e9", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.6" + constraints = "~> 4.0" + hashes = [ + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + 
"zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/newrelic/newrelic" { + version = "3.50.0" + constraints = "~> 3.3" + hashes = [ + "h1:nrL9NXs6RfxbKUrurpb9Y0xg75daJRUkTkeQfvNlfM8=", + "zh:07ee00ee12624dc745295ccf69dfa2c3826127986bd2a2e5998dd65c2a96a2a6", + "zh:2287d45d350a6537f473eb0f5cb9e3b7f0dcb84b6ca0afcd40868c073e336cb3", + "zh:27019b496f92bd12e0d33b7adab74d230e514bb7d1723ac997d450519101fe26", + "zh:35b2189d1550be323533dc240ec328280b36396827141b682732f6ec1227e139", + "zh:4482b545dfe5858793cf2540a5823e96e06b898211ab0461bc8a0552892522a9", + "zh:53f6dcfc48698c54d5776eb4b8fe22d270a84ff66175b5937e7918c25659420b", + "zh:64f648e45167cd98492133cc775376399d6dc603f6827c7483986bcd2b3e5e4d", + "zh:78a800c0366be0ae13f7b78b2906964cc74a9297878721436d2dd95c598a07a7", + "zh:9098091bff65d314c6be57aa817f2b7c81d0b19257f0b52a0f3807fa11567777", + "zh:a91eeb099e9283e3ae8e0153c135a325f45c35c7ce3fe9975c8fdff01443e799", + "zh:b3a94e1ba8794c052ef6ef3a5cb47fc18672cb8d21867c0061e5db5a971f51f0", + "zh:b4487bf36ede51d17fe32c28176b834d8f61c6f98f79eebd2de66a6128449029", + "zh:bfef2c443bd42589041c881d22e1988633ac73502fa09e7d2dfea31c8a0aa6d2", + "zh:cf203c35db230ccfe54101305a5cac12d36da53f29d9b33d766f618237a81038", + "zh:d1760cba5407e8bc49c3afd64f5697ca6df4c149b919933e66488d35a38af5b0", + "zh:f79fc47b0b26752ee6c1811f8f0a862f3b1b526b88a19016ff2ba29067db9500", + "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", + "zh:fcabe32401a7740598289e566c34b4d6efa56a7bba584f84c93c598d10d273bc", + ] +} 
diff --git a/env/dev_config.tfvars b/env/dev_config.tfvars index ff8db9f22..7e023bda1 100644 --- a/env/dev_config.tfvars +++ b/env/dev_config.tfvars @@ -1,9 +1,9 @@ ## GENERAL -env = "dev" -account_budget_limit = 5000 -region = "ca-central-1" -billing_tag_value = "notification-canada-ca-dev" -billing_tag_key = "CostCenter" +env = "dev" +account_budget_limit = 5000 +region = "ca-central-1" +billing_tag_value = "notification-canada-ca-dev" +billing_tag_key = "CostCenter" ## EKS primary_worker_desired_size = 4 @@ -72,15 +72,15 @@ elasticache_node_number_cache_clusters = 3 elasticache_node_type = "cache.t3.micro" ## SLACK INTEGRATION -slack_channel_warning_topic = "notification-dev-ops" -slack_channel_critical_topic = "notification-dev-ops" -slack_channel_general_topic = "notification-dev-ops" +slack_channel_warning_topic = "notification-dev-ops" +slack_channel_critical_topic = "notification-dev-ops" +slack_channel_general_topic = "notification-dev-ops" ## MONITORING -athena_workgroup_name = "dev" -cloudwatch_opsgenie_alarm_webhook = "" -aws_config_recorder_name = "aws-controltower-BaselineConfigRecorder" -sentinel_layer_version = "166" +athena_workgroup_name = "dev" +cloudwatch_opsgenie_alarm_webhook = "" +aws_config_recorder_name = "aws-controltower-BaselineConfigRecorder" +sentinel_layer_version = "166" ## HEARTBEAT heartbeat_sms_number = "+16135550123" @@ -90,10 +90,10 @@ schedule_expression = "rate(1 minute)" google_cidr_schedule_expression = "rate(1 day)" ## RDS -rds_instance_count = 3 -rds_instance_type = "db.t3.medium" -rds_database_name = "NotificationCanadaCastaging" -rds_version = "15.5" +rds_instance_count = 3 +rds_instance_type = "db.t3.medium" +rds_database_name = "NotificationCanadaCastaging" +rds_version = "15.5" ## NOTIFY-API/CELERY RECREATE_MISSING_LAMBDA_PACKAGE = "false" 
@@ -107,12 +107,12 @@ sqs_region = "ca-central-1" gc_notify_service_email = "gc.notify.notification.gc@staging.notification.cdssandbox.xyz" ## PERF TEST -aws_pinpoint_region = "ca-central-1" -perf_test_phone_number = "16132532222" -perf_test_email = "success@simulator.amazonses.com" -perf_schedule_expression = "cron(0 0 * * ? *)" -perf_test_aws_s3_bucket = "notify-performance-test-results-dev" -perf_test_csv_directory_path = "/tmp/notify_performance_test" +aws_pinpoint_region = "ca-central-1" +perf_test_phone_number = "16132532222" +perf_test_email = "success@simulator.amazonses.com" +perf_schedule_expression = "cron(0 0 * * ? *)" +perf_test_aws_s3_bucket = "notify-performance-test-results-dev" +perf_test_csv_directory_path = "/tmp/notify_performance_test" ## SYSTEM STATUS system_status_api_url = "https://api.dev.notification.cdssandbox.xyz" diff --git a/env/production_config.tfvars b/env/production_config.tfvars index 7f1ea65f5..dfca9fcca 100644 --- a/env/production_config.tfvars +++ b/env/production_config.tfvars @@ -1,9 +1,9 @@ ## GENERAL -env = "production" -account_budget_limit = 15000 -region = "ca-central-1" -billing_tag_value = "notification-canada-ca-production" -billing_tag_key = "CostCenter" +env = "production" +account_budget_limit = 15000 +region = "ca-central-1" +billing_tag_value = "notification-canada-ca-production" +billing_tag_key = "CostCenter" ## EKS primary_worker_desired_size = 5 
@@ -72,14 +72,14 @@ elasticache_node_number_cache_clusters = 3 elasticache_node_type = "cache.t3.micro" ## SLACK INTEGRATION -slack_channel_warning_topic = "notification-ops" -slack_channel_critical_topic = "notification-ops" -slack_channel_general_topic = "notification-ops" +slack_channel_warning_topic = "notification-ops" +slack_channel_critical_topic = "notification-ops" +slack_channel_general_topic = "notification-ops" ## MONITORING -athena_workgroup_name = "primary" -aws_config_recorder_name = "aws-controltower-BaselineConfigRecorder" -sentinel_layer_version = "166" +athena_workgroup_name = "primary" +aws_config_recorder_name = "aws-controltower-BaselineConfigRecorder" +sentinel_layer_version = "166" ## HEARTBEAT heartbeat_sms_number = "+16135550123" @@ -89,10 +89,10 @@ schedule_expression = "rate(1 minute)" google_cidr_schedule_expression = "rate(1 day)" ## RDS -rds_instance_count = 3 -rds_instance_type = "db.r6g.xlarge" -rds_database_name = "NotificationCanadaCaproduction" -rds_version = "15.5" +rds_instance_count = 3 +rds_instance_type = "db.r6g.xlarge" +rds_database_name = "NotificationCanadaCaproduction" +rds_version = "15.5" ## NOTIFY-API/CELERY RECREATE_MISSING_LAMBDA_PACKAGE = "false" diff --git a/env/staging/common/.terraform.lock.hcl b/env/staging/common/.terraform.lock.hcl new file mode 100644 index 000000000..f7b7eba5c --- /dev/null +++ b/env/staging/common/.terraform.lock.hcl 
@@ -0,0 +1,150 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/archive" { + version = "2.6.0" + hashes = [ + "h1:Ou6XKWvpo7IYgZnrFJs5MKzMqQMEYv8Z2iHSJ2mmnFw=", + "zh:29273484f7423b7c5b3f5df34ccfc53e52bb5e3d7f46a81b65908e7a8fd69072", + "zh:3cba58ec3aea5f301caf2acc31e184c55d994cc648126cac39c63ae509a14179", + "zh:55170cd17dbfdea842852c6ae2416d057fec631ba49f3bb6466a7268cd39130e", + "zh:7197db402ba35631930c3a4814520f0ebe980ae3acb7f8b5a6f70ec90dc4a388", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8bf7fe0915d7fb152a3a6b9162614d2ec82749a06dba13fab3f98d33c020ec4f", + "zh:8ce811844fd53adb0dabc9a541f8cb43aacfa7d8e39324e4bd3592b3428f5bfb", + "zh:bca795bca815b8ac90e3054c0a9ab1ccfb16eedbb3418f8ad473fc5ad6bf0ef7", + "zh:d9355a18df5a36cf19580748b23249de2eb445c231c36a353709f8f40a6c8432", + "zh:dc32cc32cfd8abf8752d34f2a783de0d3f7200c573b885ecb64ece5acea173b4", + "zh:ef498e20391bf7a280d0fd6fd6675621c85fbe4e92f0f517ae4394747db89bde", + "zh:f2bc5226c765b0c8055a7b6207d0fe1eb9484e3ec8880649d158827ac6ed3b22", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.72.1" + constraints = ">= 4.8.0, >= 4.9.0, ~> 5.66" + hashes = [ + "h1:ZpM0d+tK1vhOi6llGqex5PgzdlOURa543XU9uYvjA2E=", + "zh:0dea6843836e926d33469b48b948744079023816d16a2ff7666bcfb6aa3522d4", + "zh:195fa9513f75800a0d62797ebec75ee73e9b8c28d713fe9b63d3b1d1eec129b3", + "zh:1ed92f3961715bf0e024bcde3c12dfbdc50b00c1f8a43cc00802cfc45a256208", + "zh:2ac687e3a52606466cae4a6813e81d923042488df88d2424e28d3f8530f091bb", + "zh:32e7ca75f9314557daada3c44628fe1f3bf964a4f833bfb4b2295d833fe64b6f", + "zh:374ee0e6b4327cc6ef666908ce5d6450a3a56e90cd2b785e83c2bcfc100021d2", + "zh:5500fd6fdac44f96411fcf9c6d01691159ec35455ed127eb4c3a498e1cc92a64", + "zh:723a2dc4b064c12e7ee62ad4fbfd72fa5e025206ea47b735994ef53f3c373152", + "zh:89d97b87605f1d734f27e642567cbecf785b521af8ea81dac55c77ccde876221", + 
"zh:951ee1e5731e8d65d521d71b95927e55055b3c4656eef6d46fa580a63328befc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9b2b362470b64ec227b2da64762ab8bc4111c6b80365fd9d82fc5e1e33f44038", + "zh:aa6e57d0cb974ff0da5dee5d43ad2745cbbc4a2b507d4c799839b9fa96daf688", + "zh:ba0d14c4a6b7aa844a830d47c0bf995b632e37f0795394b5b60c638b62b7fc03", + "zh:c9764065a9c5d324db0b02bd201b9e3a2118e49c4960884acdeea377173302e9", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.4" + constraints = ">= 1.0.0" + hashes = [ + "h1:U6W8rgrdmR2pZ2cicFoGOSQ4GXuIf/4EK7s0vTJN7is=", + "zh:037fd82cd86227359bc010672cd174235e2d337601d4686f526d0f53c87447cb", + "zh:0ea1db63d6173d01f2fa8eb8989f0809a55135a0d8d424b08ba5dabad73095fa", + "zh:17a4d0a306566f2e45778fbac48744b6fd9c958aaa359e79f144c6358cb93af0", + "zh:298e5408ab17fd2e90d2cd6d406c6d02344fe610de5b7dae943a58b958e76691", + "zh:38ecfd29ee0785fd93164812dcbe0664ebbe5417473f3b2658087ca5a0286ecb", + "zh:59f6a6f31acf66f4ea3667a555a70eba5d406c6e6d93c2c641b81d63261eeace", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:ad0279dfd09d713db0c18469f585e58d04748ca72d9ada83883492e0dd13bd58", + "zh:c69f66fd21f5e2c8ecf7ca68d9091c40f19ad913aef21e3ce23836e91b8cbb5f", + "zh:d4a56f8c48aa86fc8e0c233d56850f5783f322d6336f3bf1916e293246b6b5d4", + "zh:f2b394ebd4af33f343835517e80fc876f79361f4688220833bc3c77655dd2202", + "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.2" + constraints = ">= 1.0.0" + hashes = [ + "h1:p99F1AoV9z51aJ4EdItxz/vLwWIyhx/0Iw7L7sWSH1o=", + "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", + "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", + "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", + "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", + 
"zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", + "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", + "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", + "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", + "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", + "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 2.0.0" + hashes = [ + "h1:nKUqWEza6Lcv3xRlzeiRQrHtqvzX1BhIzjaOVXRYQXQ=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.6" + constraints = "~> 4.0" + hashes = [ + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + 
"zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/newrelic/newrelic" { + version = "3.50.0" + constraints = "~> 3.3" + hashes = [ + "h1:nrL9NXs6RfxbKUrurpb9Y0xg75daJRUkTkeQfvNlfM8=", + "zh:07ee00ee12624dc745295ccf69dfa2c3826127986bd2a2e5998dd65c2a96a2a6", + "zh:2287d45d350a6537f473eb0f5cb9e3b7f0dcb84b6ca0afcd40868c073e336cb3", + "zh:27019b496f92bd12e0d33b7adab74d230e514bb7d1723ac997d450519101fe26", + "zh:35b2189d1550be323533dc240ec328280b36396827141b682732f6ec1227e139", + "zh:4482b545dfe5858793cf2540a5823e96e06b898211ab0461bc8a0552892522a9", + "zh:53f6dcfc48698c54d5776eb4b8fe22d270a84ff66175b5937e7918c25659420b", + "zh:64f648e45167cd98492133cc775376399d6dc603f6827c7483986bcd2b3e5e4d", + "zh:78a800c0366be0ae13f7b78b2906964cc74a9297878721436d2dd95c598a07a7", + "zh:9098091bff65d314c6be57aa817f2b7c81d0b19257f0b52a0f3807fa11567777", + "zh:a91eeb099e9283e3ae8e0153c135a325f45c35c7ce3fe9975c8fdff01443e799", + "zh:b3a94e1ba8794c052ef6ef3a5cb47fc18672cb8d21867c0061e5db5a971f51f0", + "zh:b4487bf36ede51d17fe32c28176b834d8f61c6f98f79eebd2de66a6128449029", + "zh:bfef2c443bd42589041c881d22e1988633ac73502fa09e7d2dfea31c8a0aa6d2", + "zh:cf203c35db230ccfe54101305a5cac12d36da53f29d9b33d766f618237a81038", + "zh:d1760cba5407e8bc49c3afd64f5697ca6df4c149b919933e66488d35a38af5b0", + 
"zh:f79fc47b0b26752ee6c1811f8f0a862f3b1b526b88a19016ff2ba29067db9500", + "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", + "zh:fcabe32401a7740598289e566c34b4d6efa56a7bba584f84c93c598d10d273bc", + ] +} diff --git a/env/staging/manifest_secrets/.terraform.lock.hcl b/env/staging/manifest_secrets/.terraform.lock.hcl new file mode 100644 index 000000000..a5abfe33a --- /dev/null +++ b/env/staging/manifest_secrets/.terraform.lock.hcl 
@@ -0,0 +1,71 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.72.1" + constraints = "~> 5.66" + hashes = [ + "h1:ZpM0d+tK1vhOi6llGqex5PgzdlOURa543XU9uYvjA2E=", + "zh:0dea6843836e926d33469b48b948744079023816d16a2ff7666bcfb6aa3522d4", + "zh:195fa9513f75800a0d62797ebec75ee73e9b8c28d713fe9b63d3b1d1eec129b3", + "zh:1ed92f3961715bf0e024bcde3c12dfbdc50b00c1f8a43cc00802cfc45a256208", + "zh:2ac687e3a52606466cae4a6813e81d923042488df88d2424e28d3f8530f091bb", + "zh:32e7ca75f9314557daada3c44628fe1f3bf964a4f833bfb4b2295d833fe64b6f", + "zh:374ee0e6b4327cc6ef666908ce5d6450a3a56e90cd2b785e83c2bcfc100021d2", + "zh:5500fd6fdac44f96411fcf9c6d01691159ec35455ed127eb4c3a498e1cc92a64", + "zh:723a2dc4b064c12e7ee62ad4fbfd72fa5e025206ea47b735994ef53f3c373152", + "zh:89d97b87605f1d734f27e642567cbecf785b521af8ea81dac55c77ccde876221", + "zh:951ee1e5731e8d65d521d71b95927e55055b3c4656eef6d46fa580a63328befc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9b2b362470b64ec227b2da64762ab8bc4111c6b80365fd9d82fc5e1e33f44038", + "zh:aa6e57d0cb974ff0da5dee5d43ad2745cbbc4a2b507d4c799839b9fa96daf688", + "zh:ba0d14c4a6b7aa844a830d47c0bf995b632e37f0795394b5b60c638b62b7fc03", + "zh:c9764065a9c5d324db0b02bd201b9e3a2118e49c4960884acdeea377173302e9", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.6" + constraints = "~> 4.0" + hashes = [ + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + 
"zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/newrelic/newrelic" { + version = "3.50.0" + constraints = "~> 3.3" + hashes = [ + "h1:nrL9NXs6RfxbKUrurpb9Y0xg75daJRUkTkeQfvNlfM8=", + "zh:07ee00ee12624dc745295ccf69dfa2c3826127986bd2a2e5998dd65c2a96a2a6", + "zh:2287d45d350a6537f473eb0f5cb9e3b7f0dcb84b6ca0afcd40868c073e336cb3", + "zh:27019b496f92bd12e0d33b7adab74d230e514bb7d1723ac997d450519101fe26", + "zh:35b2189d1550be323533dc240ec328280b36396827141b682732f6ec1227e139", + "zh:4482b545dfe5858793cf2540a5823e96e06b898211ab0461bc8a0552892522a9", + "zh:53f6dcfc48698c54d5776eb4b8fe22d270a84ff66175b5937e7918c25659420b", + "zh:64f648e45167cd98492133cc775376399d6dc603f6827c7483986bcd2b3e5e4d", + "zh:78a800c0366be0ae13f7b78b2906964cc74a9297878721436d2dd95c598a07a7", + "zh:9098091bff65d314c6be57aa817f2b7c81d0b19257f0b52a0f3807fa11567777", + "zh:a91eeb099e9283e3ae8e0153c135a325f45c35c7ce3fe9975c8fdff01443e799", + "zh:b3a94e1ba8794c052ef6ef3a5cb47fc18672cb8d21867c0061e5db5a971f51f0", + "zh:b4487bf36ede51d17fe32c28176b834d8f61c6f98f79eebd2de66a6128449029", + "zh:bfef2c443bd42589041c881d22e1988633ac73502fa09e7d2dfea31c8a0aa6d2", + "zh:cf203c35db230ccfe54101305a5cac12d36da53f29d9b33d766f618237a81038", + "zh:d1760cba5407e8bc49c3afd64f5697ca6df4c149b919933e66488d35a38af5b0", + "zh:f79fc47b0b26752ee6c1811f8f0a862f3b1b526b88a19016ff2ba29067db9500", + "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", + "zh:fcabe32401a7740598289e566c34b4d6efa56a7bba584f84c93c598d10d273bc", + ] +} 
diff --git a/env/staging/manifest_secrets/terragrunt.hcl b/env/staging/manifest_secrets/terragrunt.hcl
new file mode 100644
index 000000000..f71609190
--- /dev/null
+++ b/env/staging/manifest_secrets/terragrunt.hcl
@@ -0,0 +1,26 @@
+terraform {
+ source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/manifest_secrets?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//manifest_secrets"}"
+}
+
+dependencies {
+ paths = ["../rds", "../elasticache"]
+}
+
+dependency "rds" {
+ config_path = "../rds"
+}
+
+dependency "elasticache" {
+ config_path = "../elasticache"
+}
+
+include {
+ path = find_in_parent_folders()
+}
+
+inputs = {
+ database_read_only_proxy_endpoint = dependency.rds.outputs.database_read_only_proxy_endpoint
+ database_read_write_proxy_endpoint = dependency.rds.outputs.database_read_write_proxy_endpoint
+ postgres_rds_instance_id = dependency.rds.outputs.rds_instance_id
+ redis_cluster_security_group_id = dependency.elasticache.outputs.redis_cluster_security_group_id
+}
diff --git a/env/staging/rds/.terraform.lock.hcl b/env/staging/rds/.terraform.lock.hcl
new file mode 100644
index 000000000..8d37e9311
--- /dev/null
+++ b/env/staging/rds/.terraform.lock.hcl
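Review bot: The production branch of `source` resolves the module by git tag, `?ref=v${get_env("INFRASTRUCTURE_VERSION")}`, and a tag can be moved after the fact, so whichever commit carries that tag at apply time receives every input this unit is handed — including the `manifest_*` secret variables this patch declares in env/terragrunt.hcl. For a unit whose only job is writing secrets, pin to an immutable reference instead (a full commit SHA, or a tag the release process protects), e.g. `?ref=<40-char commit sha>` derived from the release; this presumably mirrors the other staging units, so the change belongs wherever that convention lives. Separately, if aws/manifest_secrets writes `aws_secretsmanager_secret_version` resources from these inputs, their `secret_string` values are persisted in plaintext in Terraform state regardless of `sensitive = true` on the variables, so the state backend's encryption and access control are the real boundary — a comment such as `# NOTE: secret values written by this unit land in plaintext in TF state; restrict the state backend accordingly` would make that explicit. Minor: the `dependencies { paths = [...] }` block duplicates the two `dependency` blocks, which already order the runs, and can be dropped.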
@@ -0,0 +1,90 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.72.1" + constraints = ">= 3.38.0, ~> 5.66" + hashes = [ + "h1:ZpM0d+tK1vhOi6llGqex5PgzdlOURa543XU9uYvjA2E=", + "zh:0dea6843836e926d33469b48b948744079023816d16a2ff7666bcfb6aa3522d4", + "zh:195fa9513f75800a0d62797ebec75ee73e9b8c28d713fe9b63d3b1d1eec129b3", + "zh:1ed92f3961715bf0e024bcde3c12dfbdc50b00c1f8a43cc00802cfc45a256208", + "zh:2ac687e3a52606466cae4a6813e81d923042488df88d2424e28d3f8530f091bb", + "zh:32e7ca75f9314557daada3c44628fe1f3bf964a4f833bfb4b2295d833fe64b6f", + "zh:374ee0e6b4327cc6ef666908ce5d6450a3a56e90cd2b785e83c2bcfc100021d2", + "zh:5500fd6fdac44f96411fcf9c6d01691159ec35455ed127eb4c3a498e1cc92a64", + "zh:723a2dc4b064c12e7ee62ad4fbfd72fa5e025206ea47b735994ef53f3c373152", + "zh:89d97b87605f1d734f27e642567cbecf785b521af8ea81dac55c77ccde876221", + "zh:951ee1e5731e8d65d521d71b95927e55055b3c4656eef6d46fa580a63328befc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9b2b362470b64ec227b2da64762ab8bc4111c6b80365fd9d82fc5e1e33f44038", + "zh:aa6e57d0cb974ff0da5dee5d43ad2745cbbc4a2b507d4c799839b9fa96daf688", + "zh:ba0d14c4a6b7aa844a830d47c0bf995b632e37f0795394b5b60c638b62b7fc03", + "zh:c9764065a9c5d324db0b02bd201b9e3a2118e49c4960884acdeea377173302e9", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + hashes = [ + "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.6" + constraints = "~> 4.0" + hashes = [ + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/newrelic/newrelic" { + version = "3.50.0" + constraints = "~> 3.3" + hashes = [ + "h1:nrL9NXs6RfxbKUrurpb9Y0xg75daJRUkTkeQfvNlfM8=", + "zh:07ee00ee12624dc745295ccf69dfa2c3826127986bd2a2e5998dd65c2a96a2a6", + "zh:2287d45d350a6537f473eb0f5cb9e3b7f0dcb84b6ca0afcd40868c073e336cb3", + "zh:27019b496f92bd12e0d33b7adab74d230e514bb7d1723ac997d450519101fe26", + "zh:35b2189d1550be323533dc240ec328280b36396827141b682732f6ec1227e139", + 
"zh:4482b545dfe5858793cf2540a5823e96e06b898211ab0461bc8a0552892522a9", + "zh:53f6dcfc48698c54d5776eb4b8fe22d270a84ff66175b5937e7918c25659420b", + "zh:64f648e45167cd98492133cc775376399d6dc603f6827c7483986bcd2b3e5e4d", + "zh:78a800c0366be0ae13f7b78b2906964cc74a9297878721436d2dd95c598a07a7", + "zh:9098091bff65d314c6be57aa817f2b7c81d0b19257f0b52a0f3807fa11567777", + "zh:a91eeb099e9283e3ae8e0153c135a325f45c35c7ce3fe9975c8fdff01443e799", + "zh:b3a94e1ba8794c052ef6ef3a5cb47fc18672cb8d21867c0061e5db5a971f51f0", + "zh:b4487bf36ede51d17fe32c28176b834d8f61c6f98f79eebd2de66a6128449029", + "zh:bfef2c443bd42589041c881d22e1988633ac73502fa09e7d2dfea31c8a0aa6d2", + "zh:cf203c35db230ccfe54101305a5cac12d36da53f29d9b33d766f618237a81038", + "zh:d1760cba5407e8bc49c3afd64f5697ca6df4c149b919933e66488d35a38af5b0", + "zh:f79fc47b0b26752ee6c1811f8f0a862f3b1b526b88a19016ff2ba29067db9500", + "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", + "zh:fcabe32401a7740598289e566c34b4d6efa56a7bba584f84c93c598d10d273bc", + ] +} diff --git a/env/staging_config.tfvars b/env/staging_config.tfvars index 31be38f9b..caf79d3be 100644 --- a/env/staging_config.tfvars +++ b/env/staging_config.tfvars @@ -1,9 +1,9 @@ ## GENERAL -env = "staging" -account_budget_limit = 5000 -region = "ca-central-1" -billing_tag_value = "notification-canada-ca-staging" -billing_tag_key = "CostCenter" +env = "staging" +account_budget_limit = 5000 +region = "ca-central-1" +billing_tag_value = "notification-canada-ca-staging" +billing_tag_key = "CostCenter" ## EKS primary_worker_desired_size = 5 
@@ -72,15 +72,15 @@ log_retention_period_days = 365 sensitive_log_retention_period_days = 14 ## SLACK INTEGRATION -slack_channel_warning_topic = "notification-staging-ops" -slack_channel_critical_topic = "notification-staging-ops" -slack_channel_general_topic = "notification-staging-ops" +slack_channel_warning_topic = "notification-staging-ops" +slack_channel_critical_topic = "notification-staging-ops" +slack_channel_general_topic = "notification-staging-ops" ## MONITORING -athena_workgroup_name = "primary" -cloudwatch_opsgenie_alarm_webhook = "" -aws_config_recorder_name = "aws-controltower-BaselineConfigRecorder" -sentinel_layer_version = "166" +athena_workgroup_name = "primary" +cloudwatch_opsgenie_alarm_webhook = "" +aws_config_recorder_name = "aws-controltower-BaselineConfigRecorder" +sentinel_layer_version = "166" ## HEARTBEAT heartbeat_sms_number = "+16135550123" @@ -90,10 +90,10 @@ schedule_expression = "rate(1 minute)" google_cidr_schedule_expression = "rate(1 day)" ## RDS -rds_instance_count = 3 -rds_instance_type = "db.r6g.xlarge" -rds_database_name = "NotificationCanadaCastaging" -rds_version = "15.5" +rds_instance_count = 3 +rds_instance_type = "db.r6g.xlarge" +rds_database_name = "NotificationCanadaCastaging" +rds_version = "15.5" ## NOTIFY-API/CELERY RECREATE_MISSING_LAMBDA_PACKAGE = "false" 
@@ -112,12 +112,12 @@ system_status_bucket_name = "notification-canada-ca-staging-system-status" system_status_admin_url = "https://staging.notification.cdssandbox.xyz" ## PERF TEST -aws_pinpoint_region = "ca-central-1" -perf_test_phone_number = "16132532222" -perf_test_email = "success@simulator.amazonses.com" -perf_schedule_expression = "cron(0 0 * * ? *)" -perf_test_aws_s3_bucket = "notify-performance-test-results-staging" -perf_test_csv_directory_path = "/tmp/notify_performance_test" +aws_pinpoint_region = "ca-central-1" +perf_test_phone_number = "16132532222" +perf_test_email = "success@simulator.amazonses.com" +perf_schedule_expression = "cron(0 0 * * ? *)" +perf_test_aws_s3_bucket = "notify-performance-test-results-staging" +perf_test_csv_directory_path = "/tmp/notify_performance_test" ## COMMON sns_monthly_spend_limit = 100 diff --git a/env/terragrunt.hcl b/env/terragrunt.hcl index ffe320ad6..d3f6ba69d 100644 --- a/env/terragrunt.hcl +++ b/env/terragrunt.hcl @@ -548,6 +548,11 @@ variable "app_db_user_password" { sensitive = true } +variable "app_db_database_name" { + type = string + sensitive = true +} + variable "dbtools_password" { type = string sensitive = true 
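Review bot: `sensitive = true` on the new `app_db_database_name` marks a database name as a secret, which it is not; the staging database name is already committed in clear in this same patch as `rds_database_name = "NotificationCanadaCastaging"` in env/staging_config.tfvars (assuming both refer to the same database). The flag adds no protection at rest — whatever resource attribute the name feeds is stored in plaintext in Terraform state either way — and it only redacts plan output and makes every expression built from the value sensitive, which hides useful diffs such as a changed database name. If the connection string assembled from it must stay redacted, that already follows from `app_db_user_password` above being sensitive, so `sensitive = true` can be dropped here, or kept with a one-line comment stating it exists only to quiet plan output. The generated `variable` block sits inside a heredoc whose start lies outside the hunk.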
@@ -901,6 +906,172 @@ variable "ses_receiving_emails_docker_tag" {
 variable "pinpoint_to_sqs_sms_callbacks_docker_tag" {
 type = string
 }
+
+variable "manifest_admin_client_secret" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_auth_tokens" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_document_download_api_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_aws_route53_zone" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_aws_ses_access_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_aws_ses_secret_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_dangerous_salt" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_debug_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_fresh_desk_product_id" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_fresh_desk_api_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_gc_articles_api_auth_username" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_gc_articles_api_auth_password" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_mixpanel_project_token" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_new_relic_license_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_crm_github_personal_access_token" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_salesforce_username" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_salesforce_password" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_salesforce_security_token" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_salesforce_client_privatekey" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_salesforce_engagement_product_id" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_salesforce_engagement_record_type" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_salesforce_engagement_standard_pricebook_id" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_salesforce_generic_account_id" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_secret_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_sendgrid_api_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_waf_secret" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_zendesk_api_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_zendesk_sell_api_key" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_sre_client_secret" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_cache_clear_client_secret" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_aws_pinpoint_sc_pool_id" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_aws_pinpoint_sc_template_ids" {
+ type = string
+ sensitive = true
+}
+
+variable "manifest_aws_pinpoint_default_pool_id" {
+ type = string
+ sensitive = true
+}
+
 EOF
 }