update setup to use a module for state and oidc management additions

.github/workflows/deployment.yaml

@@ -23,7 +23,7 @@ env:
   aws_region: us-east-1
   environment: ${{ github.event.inputs.environment }}
   owner: "skylight"
-  project: "dibbs-ce"
+  project: "dibbs"
 
 jobs:
   terraform:

terraform/implementation/ecs/deploy.sh

@@ -94,8 +94,8 @@ if [ "$CI" = false ]; then
     fi
 
     if ! grep -q "project" "$ENVIRONMENT.tfvars"; then
-        read -p "What is this project called? ( default=dibbs-ce ): " project_choice
-        project_choice=${project_choice:-dibbs-ce}
+        read -p "What is this project called? ( default=dibbs ): " project_choice
+        project_choice=${project_choice:-dibbs}
         echo "project = \"$project_choice\"" >> "$ENVIRONMENT.tfvars"
     fi
 

terraform/implementation/ecs/main.tf

@@ -35,5 +35,5 @@ module "ecs" {
   # internal       = false
 
   # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
-  # ecr_viewer_app_env = "test"
+  ecr_viewer_app_env = "test"
 }

terraform/implementation/setup/backend.tf

@@ -1,3 +1,19 @@
 terraform {
   backend "s3" {}
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "=5.70.0"
+    }
+  }
+}
+provider "aws" {
+  region = "us-east-1"
+  default_tags {
+    tags = {
+      owner       = "skylight"
+      environment = "tfstate"
+      project     = "dibbs"
+    }
+  }
 }

terraform/implementation/setup/main.tf

@@ -1,14 +1,15 @@
-# Credentials should be provided by using the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
-provider "aws" {
+resource "random_string" "setup" {
+  length  = 8
+  special = false
+  upper   = false
+}
+
+module "tfstate" {
+  source = "../../modules/tfstate"
+  identifier = random_string.setup.result
+  owner = var.owner
+  project = var.project
   region = var.region
-  default_tags {
-    tags = {
-      owner     = var.owner
-      workspace = terraform.workspace
-      project   = var.project
-      id        = random_string.setup.result
-    }
-  }
 }
 
 # GitHub OIDC for prod
@@ -26,79 +27,19 @@ module "oidc" {
   # This variable must match the name of the terraform workspace that you'll be using for your ECS module call in the /ecs module
   workspace = "prod"
 
-  state_bucket_arn   = aws_s3_bucket.tfstate.arn
-  dynamodb_table_arn = aws_dynamodb_table.tfstate_lock.arn
-}
-
-resource "random_string" "setup" {
-  length  = 8
-  special = false
-  upper   = false
-}
-
-resource "aws_s3_bucket" "tfstate" {
-  bucket = "${var.project}-tfstate-${var.owner}-${random_string.setup.result}"
-
-  force_destroy = true
-}
-
-resource "aws_s3_bucket_public_access_block" "default" {
-  bucket = aws_s3_bucket.tfstate.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/
-# trivy:ignore:AVD-AWS-0132
-resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
-  bucket = aws_s3_bucket.tfstate.bucket
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
-    }
-  }
-}
-
-resource "aws_s3_bucket_versioning" "default" {
-  bucket = aws_s3_bucket.tfstate.id
-  versioning_configuration {
-    status = "Enabled"
-  }
-}
-
-# Create a DynamoDB table for locking the state file
-resource "aws_dynamodb_table" "tfstate_lock" {
-  name         = "${var.project}-tfstate-lock-${var.owner}-${random_string.setup.result}"
-  hash_key     = "LockID"
-  billing_mode = "PAY_PER_REQUEST"
-
-  attribute {
-    name = "LockID"
-    type = "S"
-  }
+  # state_bucket_arn   = module.tfstate.aws_s3_bucket.tfstate.arn
+  state_bucket_arn   = module.tfstate.state_bucket.arn
+  # dynamodb_table_arn = aws_dynamodb_table.tfstate_lock.arn
+  dynamodb_table_arn = module.tfstate.dynamodb_table.arn
 }
 
 resource "local_file" "setup_env" {
   content  = <<-EOT
     WORKSPACE="${terraform.workspace}"
-    BUCKET="${aws_s3_bucket.tfstate.bucket}"
-    DYNAMODB_TABLE="${aws_dynamodb_table.tfstate_lock.id}"
+    BUCKET="${module.tfstate.state_bucket.bucket}"
+    DYNAMODB_TABLE="${module.tfstate.dynamodb_table.arn}"
     REGION="${var.region}"
     TERRAFORM_ROLE="${module.oidc.role.arn}"
   EOT
   filename = ".env"
-}
-
-resource "local_file" "ecs_env" {
-  content  = <<-EOT
-    BUCKET="${aws_s3_bucket.tfstate.bucket}"
-    DYNAMODB_TABLE="${aws_dynamodb_table.tfstate_lock.id}"
-    REGION="${var.region}"
-    TERRAFORM_ROLE="${module.oidc.role.arn}"
-  EOT
-  filename = "../ecs/.env"
-}
+}

terraform/implementation/setup/setup.sh

@@ -2,6 +2,34 @@
 
 WORKSPACE=tfstate
 
+# write a function with aruments to set the backend
+set_backend () {
+    region=$(grep "region" "$WORKSPACE.tfvars" | cut -d'=' -f2 | tr -d ' "')
+    owner=$(grep "owner" "$WORKSPACE.tfvars" | cut -d'=' -f2 | tr -d ' "')
+    project=$(grep "project" "$WORKSPACE.tfvars" | cut -d'=' -f2 | tr -d ' "')
+cat > backend.tf <<EOF
+terraform {
+  backend "$1" {}
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "=5.70.0"
+    }
+  }
+}
+provider "aws" {
+  region = "$region"
+  default_tags {
+    tags = {
+      owner       = "$owner"
+      environment = "$WORKSPACE"
+      project     = "$project"
+    }
+  }
+}
+EOF
+}
+
 if [ -f .env ]; then
     export $(cat .env | xargs)
     USE_S3_BACKEND=true
@@ -41,7 +69,7 @@ fi
 
 if ! grep -q "project" "$WORKSPACE.tfvars"; then
     read -p "What is this project called? ( default=dibbs ): " project_choice
-    project_choice=${project_choice:-dibbs-ce}
+    project_choice=${project_choice:-dibbs}
     echo "project = \"$project_choice\"" >> "$WORKSPACE.tfvars"
 fi
 
@@ -72,9 +100,7 @@ if [ "$USE_S3_BACKEND" == "true" ]; then
         -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
         -backend-config "region=$REGION"
 else
-echo "terraform {
-  backend \"local\" {}
-}" > backend.tf
+    set_backend "local"
     terraform init -var-file="$WORKSPACE.tfvars"
 fi
 
@@ -92,13 +118,9 @@ terraform apply -var-file="$WORKSPACE.tfvars"
 if [ "$USE_S3_BACKEND" == "false" ]; then
     echo "Setting up your s3 terraform backend"
     if [ -f .env ]; then
-        export $(cat ../ecs/.env | xargs)
+        export $(cat .env | xargs)
     fi
-
-echo "terraform {
-  backend \"s3\" {}
-}" > backend.tf
-
+    set_backend "s3"
     terraform init \
         -var-file="$WORKSPACE.tfvars" \
         -migrate-state \

terraform/modules/oidc/_data.tf

@@ -194,7 +194,7 @@ data "aws_iam_policy_document" "request_tags_create_actions" {
     ]
     resources = [
       "arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}",
-      "arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}/*",      
+      "arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}/*",
       "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc/${local.vpc_id}",
       "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-endpoint/*",
       "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*",

terraform/modules/oidc/_variable.tf

@@ -2,24 +2,36 @@ variable "oidc_github_repo" {
   description = "The GitHub repository for OIDC"
   type        = string
   default     = ""
+  validation {
+    condition     = length(var.oidc_github_repo) == 0 || can(regex("^[a-zA-Z0-9-]+/[a-zA-Z0-9-]+$", var.oidc_github_repo))
+    error_message = "oidc_github_repo must be set with 'org/repo' format or blank"
+  }
 }
 
 variable "owner" {
   description = "The owner of the project"
   type        = string
   default     = "skylight"
+  validation {
+    condition     = can(regex("^[[:alnum:]]{1,8}$", var.owner))
+    error_message = "owner must be 8 characters or less, all lowerspace with no special characters or spaces"
+  }
 }
 
 variable "project" {
   description = "The name of the project"
   type        = string
-  default     = "dibbs-ce"
+  default     = "dibbs"
 }
 
 variable "region" {
   type        = string
   description = "The AWS region where resources are created"
   default     = ""
+    validation {
+    condition     = can(regex("^(us|eu|ap|sa|ca|cn|af|me|eu)-[[:alnum:]]{2,10}-[0-9]$", var.region))
+    error_message = "region must be a valid AWS region"
+  }
 }
 
 variable "workspace" {

terraform/modules/tfstate/_variable.tf

@@ -2,21 +2,33 @@ variable "owner" {
   description = "The owner of the project"
   type        = string
   default     = "skylight"
+  validation {
+    condition     = can(regex("^[[:alnum:]]{1,8}$", var.owner))
+    error_message = "owner must be 8 characters/numbers or less, all lowerspace with no special characters or spaces"
+  }
 }
 
 variable "project" {
   description = "The name of the project"
   type        = string
-  default     = "dibbs-ce"
+  default     = "dibbs"
 }
 
 variable "region" {
   type        = string
   description = "The AWS region where resources are created"
-  default     = "us-east-1"
+  default     = ""
+    validation {
+    condition     = can(regex("^(us)-[[:alnum:]]{2,10}-[0-9]$", var.region))
+    error_message = "region must be a valid AWS region"
+  }
 }
 
 variable "identifier" {
   type    = string
   default = ""
+  validation {
+    condition     = can(regex("^[[:alnum:]]{1,8}$", var.identifier))
+    error_message = "identifier must be 8 characters or less, all lowercase with no special characters or spaces"
+  }
 }