diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml
index 1148ac47..1bfb1326 100644
--- a/.github/workflows/infrastructure.yml
+++ b/.github/workflows/infrastructure.yml
@@ -109,12 +109,12 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- - name: Terraform apply
- if: github.ref == 'refs/heads/production'
- run: terraform apply prod.plan
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ # - name: Terraform apply
+ # if: github.ref == 'refs/heads/production'
+ # run: terraform apply prod.plan
+ # env:
+ # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- if: ${{ always() }}
run: rm prod.plan || true
diff --git a/infrastructure/api_gateway_alarms.tf b/infrastructure/api_gateway_alarms.tf
deleted file mode 100644
index 2c04484e..00000000
--- a/infrastructure/api_gateway_alarms.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-resource "aws_cloudwatch_metric_alarm" "api_error_rate" {
- alarm_name = "${var.log_metric_api_error_rate}-alarm"
- alarm_description = "The percentage of API calls returning a 5xx error exceeds 5%"
- metric_name = "5XXError"
- alarm_actions = [aws_sns_topic.alarms.arn]
- comparison_operator = "GreaterThanOrEqualToThreshold"
- period = 60
- evaluation_periods = 2
- threshold = 0.05
- statistic = "Average"
- unit = "Count"
- treat_missing_data = "notBreaching"
- namespace = var.log_metric_namespace
-
- tags = {
- Project = var.project
- Stage = var.stage
- Severity = var.severity_medium
- }
-}
diff --git a/infrastructure/cloudtrail.tf b/infrastructure/cloudtrail.tf
deleted file mode 100644
index 798e51c8..00000000
--- a/infrastructure/cloudtrail.tf
+++ /dev/null
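Review bot: The `Terraform apply` step is commented out rather than removed or gated, so on `refs/heads/production` the job now renders `prod.plan` and the `always()` cleanup step deletes it without anything applying it, and the file records no reason for the pause. A comment above the commented block would make the intent reviewable, e.g. `# Apply is intentionally disabled (<reason / tracking issue>); re-enable by restoring the step below.`. Note that the Terraform deletions elsewhere in this commit (CloudTrail trail and bucket, CloudWatch log bucket, API 5xx alarm) will not be reconciled by CI while apply is off, so live state and code diverge until apply is re-enabled or run by hand. If the removal is meant to be permanent, deleting the dead YAML outright, including the `if: github.ref == 'refs/heads/production'` guard, is cleaner than leaving it commented; the step whose `AWS_*` env lines open this hunk starts before the hunk.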
@@ -1,141 +0,0 @@
-
-resource "aws_cloudtrail" "all-events" {
- name = var.cloudtrail_name
- s3_bucket_name = var.cloudtrail_bucket_name
- kms_key_id = aws_kms_key.key.arn
- cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
- cloud_watch_logs_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.cloudtrail_role_name}"
- tags = {
- Project = var.project
- Stage = var.stage
- }
- event_selector {
- read_write_type = "All"
- include_management_events = true
- data_resource {
- type = "AWS::S3::Object"
- values = ["arn:aws:s3"]
- }
- data_resource {
- type = "AWS::Lambda::Function"
- values = ["arn:aws:lambda"]
- }
- }
- enable_log_file_validation = true
- is_multi_region_trail = true
-}
-
-resource "aws_s3_bucket" "cloudtrail_bucket" {
- bucket = var.cloudtrail_bucket_name
- force_destroy = true
- tags = {
- Project = var.project
- Stage = var.stage
- }
-}
-
-resource "aws_cloudwatch_log_group" "cloudtrail" {
- name = var.cloudtrail_log_group_name
- retention_in_days = 3653
- kms_key_id = aws_kms_key.key.arn
- tags = {
- Project = var.project
- Stage = var.stage
- }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_bucket" {
- bucket = aws_s3_bucket.cloudtrail_bucket.id
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
-}
-
-resource "aws_s3_bucket_versioning" "cloudtrail_bucket" {
- bucket = aws_s3_bucket.cloudtrail_bucket.id
- versioning_configuration {
- status = "Enabled"
- }
-}
-
-resource "aws_s3_bucket_logging" "cloudtrail_bucket" {
- bucket = aws_s3_bucket.cloudtrail_bucket.id
- target_bucket = aws_s3_bucket.logging_bucket.id
- target_prefix = "cloudtrail_bucket/"
-}
-
-resource "aws_s3_bucket_policy" "cloudtrail_bucket" {
- bucket = aws_s3_bucket.cloudtrail_bucket.id
- policy = data.template_file.cloudtrail_bucket_policy.rendered
-}
-
-resource "aws_iam_role" "cloudtrail_role" {
- name = var.cloudtrail_role_name
- assume_role_policy = jsonencode({
- Version : "2012-10-17",
- Statement : [
- {
- Action : "sts:AssumeRole",
- Principal : {
- Service : [
- "cloudtrail.amazonaws.com"
- ]
- },
- Effect : "Allow",
- Sid : "CloudTrailServiceRole"
- }
- ]
- })
- tags = {
- Project = var.project
- Stage = var.stage
- }
-}
-
-data "template_file" "cloudtrail_bucket_policy" {
- template = file("cloudtrail_bucket_policy.tpl")
- vars = {
- bucketName = var.cloudtrail_bucket_name
- accountId = data.aws_caller_identity.current.account_id
- }
-}
-
-# Attach policies to the IAM role allowing access to the S3 bucket and Cloudwatch
-resource "aws_iam_role_policy" "cloudtrail_s3_policy" {
- name_prefix = "crossfeed-cloudtrail-s3-${var.stage}"
- role = aws_iam_role.cloudtrail_role.id
- policy = jsonencode({
- Version = "2012-10-17",
- Statement = [{
- Action = [
- "s3:PutObject",
- "s3:GetBucketAcl",
- "s3:ListBucket"
- ],
- Effect = "Allow",
- Resource = [
- aws_s3_bucket.cloudtrail_bucket.arn,
- "${aws_s3_bucket.cloudtrail_bucket.arn}/*"
- ]
- }]
- })
-}
-
-resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
- name_prefix = "crossfeed-cloudtrail-cloudwatch-${var.stage}"
- role = aws_iam_role.cloudtrail_role.id
- policy = jsonencode({
- Version = "2012-10-17",
- Statement = [{
- Action = [
- "logs:CreateLogGroup",
- "logs:CreateLogStream",
- "logs:PutLogEvents"
- ],
- Effect = "Allow",
- Resource = "arn:aws:logs:*"
- }]
- })
-}
diff --git a/infrastructure/cloudtrail_bucket_policy.tpl b/infrastructure/cloudtrail_bucket_policy.tpl
deleted file mode 100644
index 5067a5c4..00000000
--- a/infrastructure/cloudtrail_bucket_policy.tpl
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AWSCloudTrailAclCheck20121017",
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudtrail.amazonaws.com"
- },
- "Action": ["s3:GetBucketAcl"],
- "Resource": ["arn:aws:s3:::${bucketName}"]
- },
- {
- "Sid": "AWSCloudTrailWrite20121017",
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudtrail.amazonaws.com"
- },
- "Action": ["s3:PutObject"],
- "Resource": [
- "arn:aws:s3:::${bucketName}/AWSLogs/${accountId}",
- "arn:aws:s3:::${bucketName}/AWSLogs/${accountId}/*"
- ],
- "Condition": {
- "StringEquals": {
- "s3:x-amz-acl": "bucket-owner-full-control"
- }
- }
- },
- {
- "Sid": "RequireSSLRequests",
- "Action": "s3:*",
- "Effect": "Deny",
- "Principal": "*",
- "Resource": [
- "arn:aws:s3:::${bucketName}",
- "arn:aws:s3:::${bucketName}/*"
- ],
- "Condition": {
- "Bool": {
- "aws:SecureTransport": "false"
- }
- }
- }
- ]
-}
diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
deleted file mode 100644
index c6677e3e..00000000
--- a/infrastructure/cloudwatch.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-resource "aws_s3_bucket" "cloudwatch_bucket" {
- bucket = var.cloudwatch_bucket_name
- tags = {
- Project = var.project
- Stage = var.stage
- }
-}
-
-# TODO: update retention_in_days based on developing requirements
-resource "aws_cloudwatch_log_group" "cloudwatch_bucket" {
- name = var.cloudwatch_log_group_name
- retention_in_days = 365
- kms_key_id = aws_kms_key.key.arn
- tags = {
- Project = var.project
- Stage = var.stage
- }
-}
-
-resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
- bucket = aws_s3_bucket.cloudwatch_bucket.id
- policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Sid" : "AWSLogDeliveryGetBucketACL",
- "Effect" : "Allow",
- "Principal" : {
- "Service" : "logs.amazonaws.com"
- },
- "Action" : "s3:GetBucketAcl",
- "Resource" : aws_s3_bucket.cloudwatch_bucket.arn
- },
- {
- "Sid" : "AWSLogDeliveryWrite",
- "Effect" : "Allow",
- "Principal" : {
- "Service" : "logs.amazonaws.com"
- },
- "Action" : "s3:PutObject",
- "Resource" : [
- aws_s3_bucket.cloudwatch_bucket.arn,
- "${aws_s3_bucket.cloudwatch_bucket.arn}/*"
- ],
- "Condition" : {
- "StringEquals" : {
- "s3:x-amz-acl" : "bucket-owner-full-control"
- }
- }
- },
- {
- "Sid" : "RequireSSLRequests",
- "Action" : "s3:*",
- "Effect" : "Deny",
- "Principal" : "*",
- "Resource" : [
- aws_s3_bucket.cloudwatch_bucket.arn,
- "${aws_s3_bucket.cloudwatch_bucket.arn}/*"
- ],
- "Condition" : {
- "Bool" : {
- "aws:SecureTransport" : "false"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_s3_bucket_logging" "cloudwatch_bucket" {
- bucket = aws_s3_bucket.cloudwatch_bucket.id
- target_bucket = aws_s3_bucket.logging_bucket.id
- target_prefix = "cloudwatch_bucket/"
-}
-
-resource "aws_s3_bucket_versioning" "cloudwatch_bucket" {
- bucket = aws_s3_bucket.cloudwatch_bucket.id
- versioning_configuration {
- status = "Enabled"
- }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "cloudwatch_bucket" {
- bucket = aws_s3_bucket.cloudwatch_bucket.id
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
-}
diff --git a/infrastructure/database.tf b/infrastructure/database.tf
deleted file mode 100644
index c0a1b8ac..00000000
--- a/infrastructure/database.tf
+++ /dev/null
@@ -1,392 +0,0 @@
-data "aws_ssm_parameter" "db_password" { name = var.ssm_db_password }
-data "aws_ssm_parameter" "db_username" { name = var.ssm_db_username }
-
-resource "aws_db_subnet_group" "default" {
- name = var.db_group_name
- subnet_ids = [aws_subnet.db_1.id, aws_subnet.db_2.id]
-
- tags = {
- Project = var.project
- }
-}
-
-resource "aws_db_parameter_group" "default" {
- name = "crossfeed-${var.stage}-postgres15"
- family = "postgres15"
-
- parameter {
- name = "rds.force_ssl"
- value = "0"
- }
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_db_instance" "db" {
- identifier = var.db_name
- instance_class = var.db_instance_class
- allocated_storage = 1000
- max_allocated_storage = 10000
- storage_type = "gp2"
- engine = "postgres"
- engine_version = "15.5"
- allow_major_version_upgrade = false
- skip_final_snapshot = true
- availability_zone = data.aws_availability_zones.available.names[0]
- multi_az = false
- backup_retention_period = 35
- storage_encrypted = true
- iam_database_authentication_enabled = true
- enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
-
- // database information
- db_name = var.db_table_name
- username = data.aws_ssm_parameter.db_username.value
- password = data.aws_ssm_parameter.db_password.value
- port = var.db_port
-
- db_subnet_group_name = aws_db_subnet_group.default.name
- parameter_group_name = aws_db_parameter_group.default.name
-
- vpc_security_group_ids = [aws_security_group.allow_internal.id]
-
- tags = {
- Project = "Crossfeed"
- }
-}
-
-data "aws_ami" "ubuntu" {
-
- most_recent = true
-
- filter {
- name = "name"
- values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
- }
-
- filter {
- name = "virtualization-type"
- values = ["hvm"]
- }
-
- # Canonical
- owners = ["099720109477"]
-}
-
-# DB Accessor EC2
-resource "aws_instance" "db_accessor" {
- count = var.create_db_accessor_instance ? 1 : 0
- ami = data.aws_ami.ubuntu.id
- instance_type = var.db_accessor_instance_class
- associate_public_ip_address = false
-
- tags = {
- Name = "${var.project}-${var.stage}-db-accessor"
- Project = var.project
- Stage = var.stage
- }
-
- root_block_device {
- volume_size = 1000
- }
-
- vpc_security_group_ids = [aws_security_group.allow_internal.id]
- subnet_id = aws_subnet.backend.id
-
- iam_instance_profile = aws_iam_instance_profile.db_accessor.id
- user_data = file("./ssm-agent-install.sh")
-
- lifecycle {
- # prevent_destroy = true
- ignore_changes = [ami]
- }
-}
-
-resource "aws_iam_role" "db_accessor" {
- name = "crossfeed-db-accessor-${var.stage}"
- assume_role_policy = <