From 07d938fade94a35ac0506c935cf1bc1d130c7676 Mon Sep 17 00:00:00 2001 From: juliareynolds-nava Date: Fri, 3 Oct 2025 09:52:04 -0600 Subject: [PATCH 01/13] initial configuration --- terraform/services/config/README.md | 73 +++++++++++++++++++ terraform/services/config/main.tf | 35 +++++++++ terraform/services/config/tofu.tf | 46 ++++++++++++ .../config/values/cdap-non-prod.sopsw.yaml | 20 +++++ .../config/values/cdap-prod.sopsw.yaml | 20 +++++ 5 files changed, 194 insertions(+) create mode 100644 terraform/services/config/README.md create mode 100644 terraform/services/config/main.tf create mode 100644 terraform/services/config/tofu.tf create mode 100644 terraform/services/config/values/cdap-non-prod.sopsw.yaml create mode 100644 terraform/services/config/values/cdap-prod.sopsw.yaml diff --git a/terraform/services/config/README.md b/terraform/services/config/README.md new file mode 100644 index 00000000..957cd6fa --- /dev/null +++ b/terraform/services/config/README.md @@ -0,0 +1,73 @@ +# AB2D Config Root Module + +This root module is responsible for configuring the sops-enabled strategy for storing sensitive and nonsensitive configuration in AWS SSM Parameter Store. +The _parent environment_ specific configuration values are located in the `values` directory. + +***NOTE*** At the time of this writing, neither this nor the upstream `sops` child module has sufficient documentation. However, this will change as the upstream sops module is accepted into CDAP's trunk and PLT-1099 is completed. + + + +## Providers + +No providers. + + +## Requirements + +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | ~> 5 | + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [parent\_env](#input\_parent\_env) | The parent environment of the current solution. Will correspond with `terraform.workspace`".
Necessary on `tofu init` and `tofu workspace select` \_only\_. In all other situations, parent env
will be divined from `terraform.workspace`. | `string` | `null` | no | +| [region](#input\_region) | n/a | `string` | `"us-east-1"` | no | +| [secondary\_region](#input\_secondary\_region) | n/a | `string` | `"us-west-2"` | no | + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [platform](#module\_platform) | github.com/CMSgov/cdap//terraform/modules/platform | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 | +| [sops](#module\_sops) | github.com/CMSgov/cdap//terraform/modules/sops | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 | + + +## Resources + +No resources. + + +## Outputs + +| Name | Description | +|------|-------------| +| [edit](#output\_edit) | n/a | + diff --git a/terraform/services/config/main.tf b/terraform/services/config/main.tf new file mode 100644 index 00000000..95c48539 --- /dev/null +++ b/terraform/services/config/main.tf @@ -0,0 +1,35 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5" + } + } +} + +module "platform" { + source = "github.com/CMSgov/cdap//terraform/modules/platform?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66" + providers = { aws = aws, aws.secondary = aws.secondary } + + app = local.app + env = local.env + root_module = "https://github.com/CMSgov/ab2d/tree/main/ops/services/10-config" + service = local.service +} + +locals { + default_tags = module.platform.default_tags + env = terraform.workspace + service = "config" +} + +module "sops" { + source = "github.com/CMSgov/cdap//terraform/modules/sops?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66" + + platform = module.platform +} + + +output "edit" { + value = module.sops.sopsw +} diff --git a/terraform/services/config/tofu.tf b/terraform/services/config/tofu.tf new file mode 100644 index 00000000..501fcfb1 --- /dev/null +++ b/terraform/services/config/tofu.tf 
@@ -0,0 +1,46 @@ +# This root tofu.tf is symlink'd to by all per-env Terraservices. Changes to this tofu.tf apply to +# _all_ Terraservices, so be careful! + +locals { + app = "cdap" + state_bucket = "cdap-mgmt-s3.tfbackend" +} + +variable "region" { + default = "us-east-1" + nullable = false + type = string +} + +variable "secondary_region" { + default = "us-west-2" + nullable = false + type = string +} + +provider "aws" { + region = var.region + default_tags { + tags = local.default_tags + } +} + +provider "aws" { + alias = "secondary" + + region = var.secondary_region + default_tags { + tags = local.default_tags + } +} + +terraform { + backend "s3" { + bucket = local.state_bucket + key = "ops/services/${local.service}/tofu.tfstate" + region = var.region + encrypt = true + kms_key_id = "alias/cdap-mgmt" + use_lockfile = true + } +} diff --git a/terraform/services/config/values/cdap-non-prod.sopsw.yaml b/terraform/services/config/values/cdap-non-prod.sopsw.yaml new file mode 100644 index 00000000..d2ed4317 --- /dev/null +++ b/terraform/services/config/values/cdap-non-prod.sopsw.yaml @@ -0,0 +1,20 @@ +/cdap/account/security_events_slack_renotify_after_days: 30 +/cdap/account/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM +/cdap/sensitive/account/security_events_slack_webhook_url: https://hooks.slack.com/services/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 +/cdap/sensitive/bucket-access-logs-bucket: +/cdap/sensitive/mgmt-vpc/cidr: +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-a: +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-b: +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-c: +sops: + kms: + - arn: arn:aws:kms:us-east-1:202533514245:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca + created_at: "2025-07-17T18:19:00Z" + aws_profile: "" + - arn: arn:aws:kms:us-east-1:202533514245:alias/cdap-mgmt + created_at: "2025-07-17T18:19:00Z" + aws_profile: "" + encrypted_regex: sensitive + mac_only_encrypted: true + version: 3.10.2 + 
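Review bot: Every `/cdap/sensitive/...` value in this file, including the Slack incoming-webhook URL, is committed in plaintext: the `sops` block has no `enc` data key and no `mac`, so nothing is actually encrypted despite `encrypted_regex: sensitive`. Once pushed, the webhook URL lives in git history regardless of any later encryption, so it should be treated as compromised, rotated in Slack, and the new value committed only through the sops edit path. A pre-commit or CI check (e.g. `sops filestatus` on `values/*.sopsw.yaml`, or a grep rejecting any `sensitive` key whose value does not start with `ENC[`) would stop a values file from landing unencrypted again. The KMS ARNs here also embed the raw account id, which later versions of this file replace with a placeholder.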
diff --git a/terraform/services/config/values/cdap-prod.sopsw.yaml b/terraform/services/config/values/cdap-prod.sopsw.yaml new file mode 100644 index 00000000..2e73379b --- /dev/null +++ b/terraform/services/config/values/cdap-prod.sopsw.yaml @@ -0,0 +1,20 @@ +/cdap/account/security_events_slack_renotify_after_days: 30 +/cdap/account/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM +/cdap/sensitive/account/security_events_slack_webhook_url: https://hooks.slack.com/services/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 +/cdap/sensitive/bucket-access-logs-bucket: bucket-access-logs-20250411172631068600000001 +/cdap/sensitive/mgmt-vpc/cidr: 10.128.178.0/23 +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-a: 13.217.185.142 +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-b: 3.226.187.84 +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-c: 52.55.143.28 +sops: + kms: + - arn: arn:aws:kms:us-east-1:202533514245:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca + created_at: "2025-07-17T18:19:00Z" + aws_profile: "" + - arn: arn:aws:kms:us-east-1:202533514245:alias/cdap-mgmt + created_at: "2025-07-17T18:19:00Z" + aws_profile: "" + encrypted_regex: sensitive + mac_only_encrypted: true + version: 3.10.2 + From 9dc25651f52808db0060d42a8b4985ae3f19face Mon Sep 17 00:00:00 2001 From: juliareynolds-nava Date: Fri, 3 Oct 2025 11:51:09 -0600 Subject: [PATCH 02/13] created test and prod yaml files, generated readme --- terraform/services/config/README.md | 53 ++++--------------- terraform/services/config/main.tf | 2 +- terraform/services/config/tofu.tf | 2 +- .../config/values/cdap-non-prod.sopsw.yaml | 20 ------- .../config/values/cdap-prod.sopsw.yaml | 23 ++++---- .../config/values/cdap-test.sopsw.yaml | 16 ++++++ 6 files changed, 38 insertions(+), 78 deletions(-) delete mode 100644 terraform/services/config/values/cdap-non-prod.sopsw.yaml create mode 100644 terraform/services/config/values/cdap-test.sopsw.yaml 
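Review bot: The prod file commits the same Slack webhook URL as the non-prod file, plus the management VPC CIDR, the access-logs bucket name and three NAT egress IPs, all in plaintext under keys the project itself marks `sensitive`, and again with no `enc`/`mac` in the `sops` block. Sharing one webhook between prod and non-prod means a leak from either environment exposes the prod notification channel; a per-environment webhook limits the blast radius. The network values are lower sensitivity than the webhook but are exactly the reconnaissance data an attacker wants, and they remain in history after the follow-up encrypt; if that matters to the threat model the history needs rewriting, otherwise rotating the webhook is the minimum.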
diff --git a/terraform/services/config/README.md b/terraform/services/config/README.md index 957cd6fa..810c156c 100644 --- a/terraform/services/config/README.md +++ b/terraform/services/config/README.md @@ -1,49 +1,19 @@ -# AB2D Config Root Module +# CDAP Config Root Module This root module is responsible for configuring the sops-enabled strategy for storing sensitive and nonsensitive configuration in AWS SSM Parameter Store. The _parent environment_ specific configuration values are located in the `values` directory. -***NOTE*** At the time of this writing, neither this nor the upstream `sops` child module has sufficient documentation. However, this will change as the upstream sops module is accepted into CDAP's trunk and PLT-1099 is completed. - - -## Providers - -No providers. - - ## Requirements | Name | Version | |------|---------| | [aws](#requirement\_aws) | ~> 5 | - -## Inputs +## Providers -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [parent\_env](#input\_parent\_env) | The parent environment of the current solution. Will correspond with `terraform.workspace`".
Necessary on `tofu init` and `tofu workspace select` \_only\_. In all other situations, parent env
will be divined from `terraform.workspace`. | `string` | `null` | no | -| [region](#input\_region) | n/a | `string` | `"us-east-1"` | no | -| [secondary\_region](#input\_secondary\_region) | n/a | `string` | `"us-west-2"` | no | +No providers. - ## Modules | Name | Source | Version | @@ -51,20 +21,17 @@ No providers. | [platform](#module\_platform) | github.com/CMSgov/cdap//terraform/modules/platform | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 | | [sops](#module\_sops) | github.com/CMSgov/cdap//terraform/modules/sops | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 | - ## Resources No resources. - +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [region](#input\_region) | n/a | `string` | `"us-east-1"` | no | +| [secondary\_region](#input\_secondary\_region) | n/a | `string` | `"us-west-2"` | no | + ## Outputs | Name | Description | diff --git a/terraform/services/config/main.tf b/terraform/services/config/main.tf index 95c48539..6d02d655 100644 --- a/terraform/services/config/main.tf +++ b/terraform/services/config/main.tf @@ -13,7 +13,7 @@ module "platform" { app = local.app env = local.env - root_module = "https://github.com/CMSgov/ab2d/tree/main/ops/services/10-config" + root_module = "https://github.com/CMSgov/cdap/tree/terraform/services/config" service = local.service } diff --git a/terraform/services/config/tofu.tf b/terraform/services/config/tofu.tf index 501fcfb1..2385e73f 100644 --- a/terraform/services/config/tofu.tf +++ b/terraform/services/config/tofu.tf @@ -37,7 +37,7 @@ provider "aws" { terraform { backend "s3" { bucket = local.state_bucket - key = "ops/services/${local.service}/tofu.tfstate" + key = "config/terraform.tfstate" region = var.region encrypt = true kms_key_id = "alias/cdap-mgmt" diff --git a/terraform/services/config/values/cdap-non-prod.sopsw.yaml b/terraform/services/config/values/cdap-non-prod.sopsw.yaml deleted file mode 100644 index d2ed4317..00000000 
--- a/terraform/services/config/values/cdap-non-prod.sopsw.yaml +++ /dev/null @@ -1,20 +0,0 @@ -/cdap/account/security_events_slack_renotify_after_days: 30 -/cdap/account/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM -/cdap/sensitive/account/security_events_slack_webhook_url: https://hooks.slack.com/services/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 -/cdap/sensitive/bucket-access-logs-bucket: -/cdap/sensitive/mgmt-vpc/cidr: -/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-a: -/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-b: -/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-c: -sops: - kms: - - arn: arn:aws:kms:us-east-1:202533514245:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca - created_at: "2025-07-17T18:19:00Z" - aws_profile: "" - - arn: arn:aws:kms:us-east-1:202533514245:alias/cdap-mgmt - created_at: "2025-07-17T18:19:00Z" - aws_profile: "" - encrypted_regex: sensitive - mac_only_encrypted: true - version: 3.10.2 - diff --git a/terraform/services/config/values/cdap-prod.sopsw.yaml b/terraform/services/config/values/cdap-prod.sopsw.yaml index 2e73379b..aa3f4b26 100644 --- a/terraform/services/config/values/cdap-prod.sopsw.yaml +++ b/terraform/services/config/values/cdap-prod.sopsw.yaml 
@@ -1,20 +1,17 @@ /cdap/account/security_events_slack_renotify_after_days: 30 /cdap/account/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM -/cdap/sensitive/account/security_events_slack_webhook_url: https://hooks.slack.com/services/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 -/cdap/sensitive/bucket-access-logs-bucket: bucket-access-logs-20250411172631068600000001 -/cdap/sensitive/mgmt-vpc/cidr: 10.128.178.0/23 -/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-a: 13.217.185.142 -/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-b: 3.226.187.84 -/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-c: 52.55.143.28 +/cdap/sensitive/account/security_events_slack_webhook_url: ENC[AES256_GCM,data:z9MLEAlb76u6MZ+GWcWcfnRtax1J677k47tabDmwCqAGN7H2BrmTnkIs1fAhl9dShaL5qZrq78s0sY9b2hCAGIWWaUenVbGGpWBuZvh7rw==,iv:kbgCH76ryIbnU40SWd/Wgg+hULSgGsTO4LLWIPoDE68=,tag:NmwrTB/oVI0WEhL9R5eV2g==,type:str] +/cdap/sensitive/bucket-access-logs-bucket: ENC[AES256_GCM,data:TjwtktvWlh7Gt7JrTuxZganUT3AotzmEAeYKkpn5GutLcIT1/KSpTV1kjMxV,iv:fSMld0pXjqKabcq+8CK7kG018tspwVAS30ngYFepJKw=,tag:dMsUtxHVSpiHb9U+ebUbNg==,type:str] +/cdap/sensitive/mgmt-vpc/cidr: ENC[AES256_GCM,data:uNKE6Nckt24ZWHDHEWjU,iv:yVvl1HbK7ljy6lgZdGUkfi0CeIHPnd2uof9tVB1z008=,tag:9tQ1atj1Vwkgw6j1FQ8p5w==,type:str] +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-a: ENC[AES256_GCM,data:FlVrW4HMpGxShfezY7k=,iv:5pZNFGbdfyrGCti7cL/7pfm4S3i5VpnESEO5Rglqw7E=,tag:NZIPNuaSZD/NSD6Q2sE2PQ==,type:str] +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-b: ENC[AES256_GCM,data:N1zEW1bym0cRrT5b,iv:+i6TbqeQLVdZRGUb/O0FUDSEXHsuxxW8hEJbQJYy8gU=,tag:dypP4NS1W0h0c+SeMmuI+g==,type:str] +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-c: ENC[AES256_GCM,data:dE2gJAAstO0VcCol,iv:C5g6vtQbu6AQUmtobCrnZmFcBc4Pn6EZmex1YhQqXA8=,tag:gsAznB9ygxhNdpK73HbAwQ==,type:str] sops: kms: - - arn: arn:aws:kms:us-east-1:202533514245:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca - created_at: "2025-07-17T18:19:00Z" - aws_profile: "" - - arn: 
arn:aws:kms:us-east-1:202533514245:alias/cdap-mgmt - created_at: "2025-07-17T18:19:00Z" + - arn: arn:aws:kms:us-east-1:${ACCOUNT_ID}:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca + created_at: "2025-10-03T17:27:53Z" + enc: AQICAHiXhc+HhELIyRKOpc5vBWQJB9/2XFW+CxWFIfUyci0r/wGkXSt3AG0b8bCJ0pVuEmyuAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+S5DlWnhTDkMvmOxAgEQgDvMXlly/I5Vb2ah1KX2fSbY3mMOxA92rK4MU/rsyUN2oR8WXebzzW+ooNY1pEdGE4FMUmLUrU5qbcUoPg== aws_profile: "" encrypted_regex: sensitive mac_only_encrypted: true - version: 3.10.2 - + version: 3.11.0 diff --git a/terraform/services/config/values/cdap-test.sopsw.yaml b/terraform/services/config/values/cdap-test.sopsw.yaml new file mode 100644 index 00000000..6fbc46f2 --- /dev/null +++ b/terraform/services/config/values/cdap-test.sopsw.yaml 
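Review bot: The encrypted file references its KMS key as `arn:aws:kms:us-east-1:${ACCOUNT_ID}:key/...`, which plain `sops` treats literally and cannot resolve; this only works if the `sopsw` wrapper substitutes `ACCOUNT_ID` before invoking sops, and the README should say so and name the variable that must be set. There is also no `mac` (or `lastmodified`) entry in the `sops` block even though `mac_only_encrypted: true` is set; if the wrapper strips the MAC, decryption can only succeed with `--ignore-mac`, which disables tamper detection on the ciphertext, so confirm that is deliberate. Encrypting the webhook here does not undo its plaintext presence in the previous commit, so rotation is still required.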
@@ -0,0 +1,16 @@ +/cdap/account/security_events_slack_renotify_after_days: 30 +/cdap/account/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM +/cdap/sensitive/account/security_events_slack_webhook_url: ENC[AES256_GCM,data:J70QSI23I0d1OnvD+n2ncd/ii0XiZ3NRcQqVwCLCBd7UxRIKgJ1YWqCZ9xV2Y8s/4fy+hi8iVvIkd0WdnC1Q9Adwh2rvRKKWM6lS59EYlA==,iv:/ZIY4WGOsxo2pR/t2FYADYcUeEq5eutP43KkNeTa3q0=,tag:HYuxPAStpJZ0t39j/xHLYg==,type:str] +/cdap/sensitive/bucket-access-logs-bucket: ENC[AES256_GCM,data:I8m2zMO44IB1FnAuK08G99390eF5NjLcKTVvY4T5oD2O6/Apt3oSV3GAUldn,iv:DQUyoHG1Gplx4YuogWcG9kZnK3XTZXC+N5Ayzyb6LDM=,tag:wQpSTHVaItOGb3PC6tHw/w==,type:str] +/cdap/sensitive/mgmt-vpc/cidr: ENC[AES256_GCM,data:bKqvpJcIqTqG9DkzO1/T,iv:ul/XIzIZ3BnERohYmuM7fWXWTYI0b45T4F2lUFHkvIw=,tag:LEpy1QiHUoGlTg+mKUaQtg==,type:str] +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-a: ENC[AES256_GCM,data:dAMCs1t1aqfpzibaswE=,iv:g6q2MfSpDZeaSSkpkdwZhGD0ZCdlvrJpHoGVTD1+FfU=,tag:7Z5gSQuDlI0wjBiafCJmDA==,type:str] +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-b: ENC[AES256_GCM,data:tfr8BWh6eKGNsUkx,iv:oAHGGbq9ttxnJ99I70Z7IXIgKRSPkvqIkAmVOyBzWus=,tag:iZ1A8L7mUQLJvJ6uWsoF6A==,type:str] +/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-c: ENC[AES256_GCM,data:nIVBfKDdYIzOObjj,iv:5E2wwUCOtBtmjpAnWOBZxUJVIqci3o2ncBNQmzEOEPM=,tag:bygAmJUYfbP4tLcFRu94XQ==,type:str] +sops: + kms: + - arn: arn:aws:kms:us-east-1:${ACCOUNT_ID}:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca + created_at: "2025-10-03T17:38:55Z" + enc: AQICAHiXhc+HhELIyRKOpc5vBWQJB9/2XFW+CxWFIfUyci0r/wGgF/ZOMV/LMrvJSRhtedM1AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM8xXrZN9mTFGkvKjtAgEQgDsOpxt5mGlXEpdiTlnAjnt/AcOMpA8coSH4NHWfC2Tsw/VES55XVAaWQYXuOOdKnIJznMlUqzqBVrfvTw== + aws_profile: "" + encrypted_regex: sensitive + version: 3.11.0 From b2be03cf84f7adf36a24937d2c4ca9dc4a6829d0 Mon Sep 17 00:00:00 2001 
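Review bot: This file omits `mac_only_encrypted: true`, which the prod file sets, so the two environments will behave differently on edit: without it sops MACs every value, and hand-editing the unencrypted `/cdap/account/...` keys will fail integrity verification here but not in prod. Add `mac_only_encrypted: true` to this file (or drop it from prod) so both follow one rule. As with prod, the `${ACCOUNT_ID}` placeholder in the key ARN and the missing `mac` entry rely on wrapper behaviour that is not documented anywhere in this diff.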
From: juliareynolds-nava Date: Fri, 3 Oct 2025 12:00:25 -0600 Subject: [PATCH 03/13] add usage to readme --- terraform/services/config/README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/terraform/services/config/README.md b/terraform/services/config/README.md index 810c156c..6a29fd18 100644 --- a/terraform/services/config/README.md +++ b/terraform/services/config/README.md @@ -3,6 +3,29 @@ This root module is responsible for configuring the sops-enabled strategy for storing sensitive and nonsensitive configuration in AWS SSM Parameter Store. The _parent environment_ specific configuration values are located in the `values` directory. +Usage: +```hcl +# declare the `db` module, defining the desired input variables +module "db" { + source = "github.com/CMSgov/cdap//terraform/modules/aurora" + + backup_retention_period = module.platform.is_ephemeral_env ? 1 : 7 + deletion_protection = !module.platform.is_ephemeral_env + password = module.platform.ssm.core.database_password.value + username = module.platform.ssm.core.database_user.value + platform = module.platform + +} + +# use the `db` module's output to write parameter to SSM parameter store: +resource "aws_ssm_parameter" "writer_endpoint" { + name = "/cdap/writer_endpoint" + value = "${module.db.aurora_cluster.endpoint}:${module.db.aurora_cluster.port}" +type = "String" +} +``` + + ## Requirements From 92f0df9afbe51af3eaed54983f8a8430faa41bfd Mon Sep 17 00:00:00 2001 From: juliareynolds-nava Date: Mon, 6 Oct 2025 08:14:34 -0600 Subject: [PATCH 04/13] PR feedback --- terraform/services/config/tofu.tf | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/terraform/services/config/tofu.tf b/terraform/services/config/tofu.tf index 2385e73f..14c844ad 100644 --- a/terraform/services/config/tofu.tf +++ b/terraform/services/config/tofu.tf 
@@ -1,8 +1,5 @@ -# This root tofu.tf is symlink'd to by all per-env Terraservices. Changes to this tofu.tf apply to -# _all_ Terraservices, so be careful! - locals { - app = "cdap" + app = "cdap" state_bucket = "cdap-mgmt-s3.tfbackend" } @@ -37,7 +34,7 @@ provider "aws" { terraform { backend "s3" { bucket = local.state_bucket - key = "config/terraform.tfstate" + key = "config/terraform.tfstate" region = var.region encrypt = true kms_key_id = "alias/cdap-mgmt" From 4bb8ee4df64fcb41138b8a5c58b64c21c1a22c2e Mon Sep 17 00:00:00 2001 From: jscott-nava Date: Mon, 6 Oct 2025 07:34:49 -0700 Subject: [PATCH 05/13] [PLT-1108] Updating web module README sample usage commit hashes refs. (#319) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## 🎫 Ticket https://jira.cms.gov/browse/PLT-1108 ## 🛠 Changes This PR updates the web module README sample usage section with commit hashes instead of branch references now that the branch has been merged. ## ℹ️ Context The CDAP web module contains a sample usage snippet in the README that contains three references to the branch in which changes were being made. Since that branch has now been merged to main these references should now be updated to the commit hash of that merge. ## 🧪 Validation This is a README update that does not require validation. --- terraform/modules/web/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/modules/web/README.md b/terraform/modules/web/README.md index 7b0b51dc..00d868a7 100644 --- a/terraform/modules/web/README.md +++ b/terraform/modules/web/README.md @@ -4,7 +4,7 @@ This module creates a CloudFront distribution and origin access control intended ``` module "platform" { - source = "github.com/CMSgov/cdap//terraform/modules/platform?ref=ff2ef53" + source = "github.com/CMSgov/cdap//terraform/modules/platform?ref=" providers = { aws = aws, aws.secondary = aws.secondary } app = "bcda" 
@@ -14,7 +14,7 @@ module "platform" { } module web_acl { - source = "github.com/CMSgov/cdap//terraform/modules/firewall?ref=jscott/PLT-1108" + source = "github.com/CMSgov/cdap//terraform/modules/firewall?ref=" app = module.platform.app content_type = "APPLICATION_JSON" @@ -24,7 +24,7 @@ module web_acl { } module origin_bucket { - source = "github.com/CMSgov/cdap//terraform/modules/bucket?ref=jscott/PLT-1108" + source = "github.com/CMSgov/cdap//terraform/modules/bucket?ref=" app = module.platform.app env = module.platform.env @@ -32,7 +32,7 @@ module origin_bucket { } module logging_bucket { - source = "github.com/CMSgov/cdap//terraform/modules/bucket?ref=jscott/PLT-1108" + source = "github.com/CMSgov/cdap//terraform/modules/bucket?ref=" app = module.platform.app env = module.platform.env From 0532b390c9a359d240bfc5c5cf5d1dd96ddd1c4c Mon Sep 17 00:00:00 2001 From: Julia Reynolds Date: Tue, 7 Oct 2025 07:39:56 -0600 Subject: [PATCH 06/13] [PLT-1299]. Cluster changes for ecs service module (#316) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## 🎫 Ticket https://jira.cms.gov/browse/PLT-1299 ## 🛠 Changes Expanded platform variable and edited readme ## ℹ️ Context These changes are for the ecs service module. ## 🧪 Validation
Tofu Plan Output ``` OpenTofu will perform the following actions: # aws_ecs_service.worker will be updated in-place ~ resource "aws_ecs_service" "worker" { id = "arn:aws:ecs:us-east-1:***:service/ab2d-test-worker/ab2d-test-worker" name = "ab2d-test-worker" tags = {} ~ task_definition = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker:227" -> (known after apply) # (17 unchanged attributes hidden) # (3 unchanged blocks hidden) } # aws_ecs_task_definition.worker must be replaced -/+ resource "aws_ecs_task_definition" "worker" { ~ arn = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker:227" -> (known after apply) ~ arn_without_revision = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker" -> (known after apply) ~ container_definitions = jsonencode( ~ [ ~ { ~ environment = [ # (12 unchanged elements hidden) { name = "AWS_SQS_URL" value = "https://sqs.us-east-1.amazonaws.com/***/ab2d-test-events" }, ~ { name = "IMAGE_VERSION" ~ value = "ab2d-worker-1626-merge-682775a" -> "ab2d-worker-1626-merge-37a4551" }, { name = "MICROSERVICES_URL" value = "http://internal-ab2d-test-microservices-87290984.us-east-1.elb.amazonaws.com/" }, # (1 unchanged element hidden) ] ~ image = "***.dkr.ecr.us-east-1.amazonaws.com/ab2d-worker:ab2d-worker-1626-merge-682775a" -> "***.dkr.ecr.us-east-1.amazonaws.com/ab2d-worker:ab2d-worker-1626-merge-37a4551" name = "worker" - portMappings = [] - systemControls = [] - volumesFrom = [] # (5 unchanged attributes hidden) }, ] # forces replacement ) ~ enable_fault_injection = false -> (known after apply) ~ id = "ab2d-test-worker" -> (known after apply) ~ revision = 227 -> (known after apply) - tags = {} -> null # (10 unchanged attributes hidden) - volume { - configure_at_launch = false -> null - name = "efs" -> null - efs_volume_configuration { - file_system_id = "fs-06898a9a35a2a8959" -> null - root_directory = "/" -> null - transit_encryption = "ENABLED" -> null - transit_encryption_port = 0 -> null - authorization_config { 
- access_point_id = "fsap-09a16152758024a89" -> null } } } - volume { - configure_at_launch = false -> null - name = "newrelic_logs" -> null } - volume { - configure_at_launch = false -> null - name = "tmp" -> null } - volume { - configure_at_launch = false -> null - name = "var_logs" -> null } + volume { + configure_at_launch = (known after apply) + name = "efs" + efs_volume_configuration { + file_system_id = "fs-06898a9a35a2a8959" + root_directory = "/" + transit_encryption = "ENABLED" + transit_encryption_port = 0 + authorization_config { + access_point_id = "fsap-09a16152758024a89" } } } + volume { + configure_at_launch = (known after apply) + name = "newrelic_logs" } + volume { + configure_at_launch = (known after apply) + name = "tmp" } + volume { + configure_at_launch = (known after apply) + name = "var_logs" } } Plan: 1 to add, 1 to change, 1 to destroy. ``` --- terraform/modules/cluster/README.md | 9 --------- terraform/modules/cluster/variables.tf | 10 +++++++++- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/terraform/modules/cluster/README.md b/terraform/modules/cluster/README.md index d8efc51b..05133f20 100644 --- a/terraform/modules/cluster/README.md +++ b/terraform/modules/cluster/README.md @@ -21,15 +21,6 @@ module "cluster" { platform = module.platform } -resource "aws_ecs_service" "contracts" { - name = "${local.service_prefix}-contracts" - cluster = module.cluster.this.id - task_definition = aws_ecs_task_definition.contracts.arn - desired_count = 1 - launch_type = "FARGATE" - platform_version = "1.4.0" - propagate_tags = "SERVICE" -} ``` diff --git a/terraform/modules/cluster/variables.tf b/terraform/modules/cluster/variables.tf index 4a9f0a6a..c73dd82d 100644 --- a/terraform/modules/cluster/variables.tf +++ b/terraform/modules/cluster/variables.tf 
@@ -1,6 +1,14 @@ variable "platform" { description = "Object that describes standardized platform values." - type = any + type = object({ + app = string, + env = string, + kms_alias_primary = object({ + target_key_arn = string, + }), + service = string, + is_ephemeral_env = string + }) } variable "cluster_name_override" { From 152d2b84757d01ce513cf321e537fcd02dac20b4 Mon Sep 17 00:00:00 2001 From: Julia Reynolds Date: Tue, 7 Oct 2025 07:48:31 -0600 Subject: [PATCH 07/13] [PLT-1371] added workflows to dependabot (#323) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## 🎫 Ticket https://jira.cms.gov/browse/PLT-1371 ## 🛠 Changes Add coverage for workflows in the .cdap dependabot configuration, including terraform. ## ℹ️ Context Changes are for extended scan coverage by dependabot. ## 🧪 Validation see checks --------- Co-authored-by: Sean Fern --- .github/dependabot.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 75488873..5edc36c4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,7 +1,7 @@ version: 2 updates: - package-ecosystem: github-actions - directory: /actions/aws-params-env-action/ + directory: / schedule: interval: daily # Security updates only @@ -13,3 +13,9 @@ updates: interval: daily # Security updates only open-pull-requests-limit: 0 + + - package-ecosystem: terraform # Works for both Terraform and OpenTofu + directory: / + schedule: + interval: daily + open-pull-requests-limit: 0 From e58fd49c2d802fa9607bf169be2f07f70f420974 Mon Sep 17 00:00:00 2001 
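Review bot: `is_ephemeral_env = string` in the new object type looks wrong for a flag consumed as a condition elsewhere in this series (`module.platform.is_ephemeral_env ? 1 : 7` in the config README); if the platform module emits a bool, declaring it `string` forces a `"true"`/`"false"` conversion and then relies on implicit re-conversion in every consumer. Declare it `is_ephemeral_env = bool` unless the platform output really is a string. Tightening from `any` is otherwise a good change; extra attributes on the passed object are silently dropped, so callers passing the full `module.platform` keep working.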
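Review bot: The new `terraform` entry with `directory: /` and `open-pull-requests-limit: 0` is unlikely to produce any coverage: Dependabot's terraform scanner is per-directory rather than recursive, so `/` sees no `.tf` files (they live under `terraform/modules/*` and `terraform/services/*`), and a limit of `0` disables version updates, leaving only security updates, which as far as I know GitHub does not publish for the Terraform ecosystem. Use `directories: ["/terraform/**/*"]` and a non-zero limit if real provider/module update coverage is the goal. Separately, moving the github-actions entry from `/actions/aws-params-env-action/` to `/` scans `.github/workflows` instead; if that composite action's `action.yml` still pins third-party actions, it now needs its own entry.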
From: Michael Valdes Date: Tue, 7 Oct 2025 10:49:12 -0400 Subject: [PATCH 08/13] BCDA-9395: use full service name for execution role (#325) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## 🎫 Ticket https://jira.cms.gov/browse/BCDA-9395 ## 🛠 Changes Updated the name of the ecs service execution role to include the full service name (including app and env) to avoid name clashes between different apps and envs. ## ℹ️ Context ## 🧪 Validation --- terraform/modules/service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/service/main.tf b/terraform/modules/service/main.tf index 08a9b907..1db78af7 100644 --- a/terraform/modules/service/main.tf +++ b/terraform/modules/service/main.tf @@ -117,7 +117,7 @@ data "aws_iam_policy_document" "execution" { resource "aws_iam_role" "execution" { count = var.execution_role_arn != null ? 0 : 1 - name = "${local.service_name}-execution" + name = "${local.service_name_full}-execution" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ From f80877bfc27a212acfe81a0663a57ea7dd938b76 Mon Sep 17 00:00:00 2001 From: juliareynolds-nava Date: Tue, 7 Oct 2025 13:42:49 -0600 Subject: [PATCH 09/13] added github workflow --- .github/workflows/tf-sops.yml | 59 +++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/tf-sops.yml diff --git a/.github/workflows/tf-sops.yml b/.github/workflows/tf-sops.yml new file mode 100644 index 00000000..5089f296 --- /dev/null +++ b/.github/workflows/tf-sops.yml 
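Review bot: Renaming the role to `${local.service_name_full}-execution` forces OpenTofu to destroy and recreate `aws_iam_role.execution[0]` rather than rename it, so policy attachments managed outside this resource are lost and tasks still referencing the old role ARN can fail to launch until the task definition is re-registered; apply this per environment deliberately rather than letting a scheduled run pick it up. Also confirm `local.service_name_full` stays within IAM's 64-character role-name limit for the longest app/env/service combination. The resource's `assume_role_policy` continues outside the hunk.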
@@ -0,0 +1,59 @@
+name: tf-sops
+run-name: tf-sops ${{ (inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'schedule') && 'apply' || 'plan' }}
+
+on:
+  push:
+    paths:
+      - .github/workflows/tf-sops.yml
+      - terraform/services/sops/**
+  schedule:
+    - cron: "12 14 * * 1-5"
+  workflow_dispatch:
+    inputs:
+      apply:
+        required: false
+        type: boolean
+        description: "Apply the terraform?"
+
+env:
+  TENV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+defaults:
+  run:
+    working-directory: ./terraform/services/sops
+
+jobs:
+  check-fmt:
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - run: tofu fmt -check -diff -recursive .
+
+  plan-apply:
+    needs: check-fmt
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    strategy:
+      fail-fast: false
+      matrix:
+        app: [bcda]
+        env: [test, prod]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ contains(fromJSON('["dev", "test"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+          aws-region: ${{ vars.AWS_REGION }}
+      - run: tofu init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
+      - run: tofu plan -out=tf.plan
+        env:
+          TF_VAR_app: ${{ matrix.app }}
+          TF_VAR_env: ${{ matrix.env }}
+      - if: inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'schedule'
+        run: tofu apply -auto-approve tf.plan
From 012b65f73fe24cbe40978934181ee979daca6087 Mon Sep 17 00:00:00 2001
From: juliareynolds-nava
Date: Tue, 7 Oct 2025 14:36:23 -0600
Subject: [PATCH 10/13] corrected service name

---
 .github/workflows/tf-sops.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/tf-sops.yml b/.github/workflows/tf-sops.yml
index 5089f296..b0830bb5 100644
--- a/.github/workflows/tf-sops.yml
+++ b/.github/workflows/tf-sops.yml
@@ -5,7 +5,7 @@ on:
   push:
     paths:
       - .github/workflows/tf-sops.yml
-      - terraform/services/sops/**
+      - terraform/services/config/**
   schedule:
     - cron: "12 14 * * 1-5"
   workflow_dispatch:
@@ -20,7 +20,7 @@ env:
 
 defaults:
   run:
-    working-directory: ./terraform/services/sops
+    working-directory: ./terraform/services/config
 
 jobs:
   check-fmt:
@@ -40,7 +40,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        app: [bcda]
+        app: [cdap]
         env: [test, prod]
     steps:
       - uses: actions/checkout@v4
From f5e130801b76e0229cd2335533955489d98ef21e Mon Sep 17 00:00:00 2001
From: juliareynolds-nava
Date: Wed, 8 Oct 2025 10:26:19 -0600
Subject: [PATCH 11/13] include cdap mgmt

---
 .github/workflows/tf-sops.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/tf-sops.yml b/.github/workflows/tf-sops.yml
index b0830bb5..32ac9c7b 100644
--- a/.github/workflows/tf-sops.yml
+++ b/.github/workflows/tf-sops.yml
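Review bot: `actions/checkout@v4` and `aws-actions/configure-aws-credentials@v4` are pinned to mutable tags while `cosign-installer` and `setup-tenv` are pinned to commit SHAs; for a workflow that assumes a prod deploy role, pin all four to SHAs with the version in a trailing comment as done for cosign. The apply step's `if:` also fires on every `schedule` run with `-auto-approve`, so prod drift is silently reverted each weekday at 14:12 UTC with no approval gate; attach a GitHub `environment:` with required reviewers to the prod matrix entry, or make scheduled runs plan-only. `permissions` is set on `plan-apply` only, so `check-fmt` inherits the repository default; add a top-level `permissions: contents: read` so the least-privilege default is explicit. Minor: `TF_VAR_app` is exported but the config root declares no `app` variable, so it is silently ignored.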
@@ -42,13 +42,16 @@ jobs:
       matrix:
         app: [cdap]
         env: [test, prod]
+        include:
+          - app: cdap
+            env: mgmt
     steps:
       - uses: actions/checkout@v4
       - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
       - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
       - uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::${{ contains(fromJSON('["dev", "test"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+          role-to-assume: arn:aws:iam::${{ contains(fromJSON('["test", "prod"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
           aws-region: ${{ vars.AWS_REGION }}
       - run: tofu init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
       - run: tofu plan -out=tf.plan
From c8924de7e9a43c1aa9036b5928f4a343f90fee06 Mon Sep 17 00:00:00 2001
From: juliareynolds-nava
Date: Wed, 8 Oct 2025 11:52:38 -0600
Subject: [PATCH 12/13] Adopting variable for env.

---
 terraform/services/config/main.tf      | 4 ++--
 terraform/services/config/variables.tf | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 terraform/services/config/variables.tf

diff --git a/terraform/services/config/main.tf b/terraform/services/config/main.tf
index 6d02d655..0ecb4abf 100644
--- a/terraform/services/config/main.tf
+++ b/terraform/services/config/main.tf
@@ -12,14 +12,14 @@ module "platform" {
   providers = { aws = aws, aws.secondary = aws.secondary }
 
   app         = local.app
-  env         = local.env
+  env         = var.env
   root_module = "https://github.com/CMSgov/cdap/tree/terraform/services/config"
   service     = local.service
 }
 
 locals {
   default_tags = module.platform.default_tags
-  env          = terraform.workspace
+  app          = "cdap"
   service      = "config"
 }
 
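Review bot: The selector now sends `test` and `prod` to `secrets.NON_PROD_ACCOUNT` and only the new `mgmt` entry to `secrets.PROD_ACCOUNT`; if CDAP's own test/prod live in the non-prod account and mgmt is the production-tier account that is correct, but it reads backwards against the secret names, so a YAML comment above `role-to-assume` should say so. The `cond && A || B` idiom also has a known pitfall in GitHub expressions: if `NON_PROD_ACCOUNT` is ever empty, `&&` yields the empty string and `||` falls through to `PROD_ACCOUNT`, so a missing secret would quietly point test and prod at the prod account. A lookup avoids both issues, e.g. `arn:aws:iam::${{ fromJSON(format('{"test":"{0}","prod":"{0}","mgmt":"{1}"}', secrets.NON_PROD_ACCOUNT, secrets.PROD_ACCOUNT))[matrix.env] }}:role/...`. Note too that `mgmt` is exported as `TF_VAR_env` while only `cdap-test` and `cdap-prod` values files exist under `values/`.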
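Review bot: Switching `env` from `terraform.workspace` to `var.env` means workspaces no longer isolate state, so the backend must: `tofu.tf` hardcodes `key = "config/terraform.tfstate"` and the workflow relies on `-backend-config=../../backends/cdap-<env>.s3.tfbackend` (not in this diff) to override it, and if any of those files omits `key` or `bucket`, two environments share one state file and a prod apply can act on test resources. A one-line comment beside the backend block stating that `key`/`bucket` come from the per-env backend file would make that dependency visible. The new `app = "cdap"` local also duplicates the `app = "cdap"` already declared in `tofu.tf`'s `locals` in the same directory, which OpenTofu rejects as a duplicate local value; drop it here.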
diff --git a/terraform/services/config/variables.tf b/terraform/services/config/variables.tf
new file mode 100644
index 00000000..dba1f873
--- /dev/null
+++ b/terraform/services/config/variables.tf
@@ -0,0 +1,8 @@
+variable "env" {
+  description = "The application environment (test, prod)"
+  type        = string
+  validation {
+    condition     = contains(["test", "prod"], var.env)
+    error_message = "Valid value for env is test or prod."
+  }
+}
From 91e9822ee3bb3105b25d1f6423dabc0c9523b0a3 Mon Sep 17 00:00:00 2001
From: juliareynolds-nava
Date: Wed, 8 Oct 2025 11:58:18 -0600
Subject: [PATCH 13/13] dupe variable for app

---
 terraform/services/config/main.tf | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/terraform/services/config/main.tf b/terraform/services/config/main.tf
index 0ecb4abf..f638f368 100644
--- a/terraform/services/config/main.tf
+++ b/terraform/services/config/main.tf
@@ -19,17 +19,15 @@ module "platform" {
 
 locals {
   default_tags = module.platform.default_tags
-  app          = "cdap"
+  app          = local.app
   service      = "config"
 }
 
 module "sops" {
-  source = "github.com/CMSgov/cdap//terraform/modules/sops?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66"
-
+  source   = "github.com/CMSgov/cdap//terraform/modules/sops?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66"
   platform = module.platform
 }
 
-
 output "edit" {
   value = module.sops.sopsw
 }
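Review bot: The validation `contains(["test", "prod"], var.env)` rejects `mgmt`, yet the workflow in this same series adds an `app: cdap, env: mgmt` matrix entry that exports `TF_VAR_env: mgmt`, so that job will fail at `tofu plan` with `Valid value for env is test or prod.`. Either add `"mgmt"` to the list (and provide a `values/cdap-mgmt.sopsw.yaml`, since only test and prod files exist) or drop the mgmt matrix entry; whichever it is, the allowed set here and the matrix there should reference each other in a comment so they do not drift again. The description could also list the values the validation actually enforces, e.g. `description = "The application environment; must be one of test, prod."`.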
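Review bot: `app = local.app` inside `locals` is a self-reference, and `app` is still declared in `tofu.tf`'s `locals` as `app = "cdap"` in the same directory, so this commit does not remove the duplicate named in its subject, it turns it into a cycle; OpenTofu will report a duplicate local value definition and a self-referential local. Delete the `app          = local.app` line so the block keeps only `default_tags` and `service`, and let `tofu.tf` own `local.app`. The `module "sops"` source stays pinned to a commit SHA, which is the right call for a module that drives secret handling.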