Merge branch 'develop' into feature/tgw

silinternational · Feb 21, 2024 · 65da0ac · 65da0ac
2 parents 836b44d + 72dcd31
commit 65da0ac
Show file tree

Hide file tree

Showing 29 changed files with 131 additions and 58 deletions.
diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml
@@ -50,7 +50,7 @@ services:
       PMA_PASSWORD: broker
 
   db-ssp:
-    image: silintl/mariadb:latest
+    image: mariadb:10
     ports:
       - "3306"
     environment:

diff --git a/terraform/010-cluster/README.md b/terraform/010-cluster/README.md
@@ -16,7 +16,6 @@ ssl certificate, core application load balancer, and a CloudWatch log group
  - `app_name` - Name of application, ex: Doorman, IdP, etc.
  - `app_env` - Name of environment, ex: prod, test, etc.
  - `aws_instance` - A map containing keys for `instance_type`, `volume_size`, `instance_count`
- - `aws_region` - A string with region to deploy in, example: `us-east-1`
  - `aws_zones` - A list of availability zones to distribute instances across, example: `["us-east-1a", "us-east-1b", "us-east-1c"]`
  - `cert_domain_name` - Domain name for certificate, example: `*.mydomain.com`
  - `ecs_cluster_name` - ECS cluster name for registering instances
@@ -58,7 +57,6 @@ module "cluster" {
   app_name                = var.app_name
   app_env                 = var.app_env
   aws_instance            = var.aws_instance
-  aws_region              = var.aws_region
   aws_zones               = var.aws_zones
   cert_domain_name        = var.cert_domain_name
   ecs_cluster_name        = data.terraform_remote_state.core.ecs_cluster_name

diff --git a/terraform/031-email-service/README.md b/terraform/031-email-service/README.md
@@ -11,7 +11,6 @@ This module is used to create an ECS service running email-service.
 ## Required Inputs
 
  - `app_env` - Application environment
- - `aws_region` - AWS region
  - `cloudflare_domain` - Top level domain name for use with Cloudflare
  - `cloudwatch_log_group_name` - CloudWatch log group name
  - `db_name` - Name of MySQL database for email-service
@@ -64,7 +63,6 @@ module "email" {
   source                    = "github.com/silinternational/idp-in-a-box//terraform/031-email-service"
   app_env                   = var.app_env
   app_name                  = var.app_name
-  aws_region                = var.aws_region`
   cloudflare_domain         = var.cloudflare_domain
   cloudwatch_log_group_name = var.cloudwatch_log_group_name
   cpu_api                   = var.cpu_api

diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf
@@ -1,3 +1,8 @@
+locals {
+  aws_account = data.aws_caller_identity.this.account_id
+  aws_region  = data.aws_region.current.name
+}
+
 /*
  * Create target group for ALB
  */
@@ -54,7 +59,7 @@ resource "random_id" "access_token_idsync" {
  * Create role for access to SES
  */
 resource "aws_iam_role" "ses" {
-  name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${var.aws_region}"
+  name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
@@ -100,13 +105,13 @@ resource "aws_iam_role_policy" "ses" {
  * Create ECS services
  */
 locals {
-  subdomain_with_region = "${var.subdomain}-${var.aws_region}"
+  subdomain_with_region = "${var.subdomain}-${local.aws_region}"
 
   task_def_api = templatefile("${path.module}/task-definition-api.json", {
     api_access_keys           = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}"
     app_env                   = var.app_env
     app_name                  = var.app_name
-    aws_region                = var.aws_region
+    aws_region                = local.aws_region
     cloudwatch_log_group_name = var.cloudwatch_log_group_name
     cpu_api                   = var.cpu_api
     db_name                   = var.db_name
@@ -148,7 +153,7 @@ locals {
     api_access_keys           = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}"
     app_env                   = var.app_env
     app_name                  = var.app_name
-    aws_region                = var.aws_region
+    aws_region                = local.aws_region
     cloudwatch_log_group_name = var.cloudwatch_log_group_name
     cpu_cron                  = var.cpu_cron
     db_name                   = var.db_name
@@ -195,3 +200,11 @@ resource "cloudflare_record" "emaildns" {
 data "cloudflare_zone" "domain" {
   name = var.cloudflare_domain
 }
+
+/*
+ * AWS data
+ */
+
+data "aws_caller_identity" "this" {}
+
+data "aws_region" "current" {}
diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf
@@ -8,7 +8,9 @@ variable "app_name" {
 }
 
 variable "aws_region" {
-  type = string
+  description = "WARNING: This is not used. The region is more reliably determined from the aws_region data source."
+  type        = string
+  default     = ""
 }
 
 variable "cloudflare_domain" {

diff --git a/terraform/032-db-backup/README.md b/terraform/032-db-backup/README.md
@@ -10,7 +10,6 @@ This module is used to run mysqldump and backup files to S3
 ## Required Inputs
 
  - `app_env` - Application environment
- - `aws_region` - AWS region
  - `cloudwatch_log_group_name` - CloudWatch log group name
  - `docker_image` - The docker image to use for this
  - `ecs_cluster_id` - ID for ECS Cluster
@@ -44,7 +43,6 @@ module "dbbackup" {
   source                    = "github.com/silinternational/idp-in-a-box//terraform/032-db-backup"
   app_env                   = var.app_env
   app_name                  = var.app_name
-  aws_region                = var.aws_region`
   cloudwatch_log_group_name = var.cloudwatch_log_group_name
   cpu                       = var.cpu
   cron_schedule             = var.cron_schedule

diff --git a/terraform/032-db-backup/main.tf b/terraform/032-db-backup/main.tf
@@ -1,3 +1,8 @@
+locals {
+  aws_account = data.aws_caller_identity.this.account_id
+  aws_region  = data.aws_region.current.name
+}
+
 /*
  * Create S3 bucket for storing backups
  */
@@ -82,7 +87,7 @@ locals {
   task_def_backup = templatefile("${path.module}/task-definition.json", {
     app_env                   = var.app_env
     app_name                  = var.app_name
-    aws_region                = var.aws_region
+    aws_region                = local.aws_region
     cloudwatch_log_group_name = var.cloudwatch_log_group_name
     aws_access_key            = aws_iam_access_key.backup.id
     aws_secret_key            = aws_iam_access_key.backup.secret
@@ -183,3 +188,10 @@ resource "aws_cloudwatch_event_target" "backup_event_target" {
   }
 }
 
+/*
+ * AWS data
+ */
+
+data "aws_caller_identity" "this" {}
+
+data "aws_region" "current" {}
diff --git a/terraform/032-db-backup/vars.tf b/terraform/032-db-backup/vars.tf
@@ -8,7 +8,9 @@ variable "app_name" {
 }
 
 variable "aws_region" {
-  type = string
+  description = "This is not used. The region is more reliably determined from the aws_region data source."
+  type        = string
+  default     = ""
 }
 
 variable "backup_user_name" {

diff --git a/terraform/040-id-broker/README.md b/terraform/040-id-broker/README.md
@@ -11,7 +11,6 @@ This module is used to create an ECS service running id-broker.
 
  - `app_env` - Application environment
  - `app_name` - Application name
- - `aws_region` - AWS region
  - `cloudflare_domain` - Top level domain name for use with Cloudflare
  - `cloudwatch_log_group_name` - CloudWatch log group name
  - `db_name` - Name of MySQL database for id-broker
@@ -145,7 +144,6 @@ module "broker" {
   source                           = "github.com/silinternational/idp-in-a-box//terraform/040-id-broker"
   app_env                          = var.app_env
   app_name                         = var.app_name
-  aws_region                       = var.aws_region
   cloudflare_domain                = var.cloudflare_domain
   cloudwatch_log_group_name        = var.cloudwatch_log_group_name
   contingent_user_duration         = var.contingent_user_duration

diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
@@ -1,3 +1,8 @@
+locals {
+  aws_account = data.aws_caller_identity.this.account_id
+  aws_region  = data.aws_region.current.name
+}
+
 /*
  * Create target group for ALB
  */
@@ -71,7 +76,7 @@ locals {
     random_id.access_token_idsync.hex
   ])
 
-  subdomain_with_region = "${var.subdomain}-${var.aws_region}"
+  subdomain_with_region = "${var.subdomain}-${local.aws_region}"
 
   task_def = templatefile("${path.module}/task-definition.json", {
     api_access_keys                            = local.api_access_keys
@@ -80,7 +85,7 @@ locals {
     abandoned_user_deactivate_instructions_url = var.abandoned_user_deactivate_instructions_url
     app_env                                    = var.app_env
     app_name                                   = var.app_name
-    aws_region                                 = var.aws_region
+    aws_region                                 = local.aws_region
     cloudwatch_log_group_name                  = var.cloudwatch_log_group_name
     contingent_user_duration                   = var.contingent_user_duration
     cpu                                        = var.cpu
@@ -210,7 +215,7 @@ locals {
     abandoned_user_deactivate_instructions_url = var.abandoned_user_deactivate_instructions_url
     app_env                                    = var.app_env
     app_name                                   = var.app_name
-    aws_region                                 = var.aws_region
+    aws_region                                 = local.aws_region
     cloudwatch_log_group_name                  = var.cloudwatch_log_group_name
     cpu                                        = var.cpu_cron
     contingent_user_duration                   = var.contingent_user_duration
@@ -320,7 +325,7 @@ locals {
  * Create role for scheduled running of cron task definitions.
  */
 resource "aws_iam_role" "ecs_events" {
-  name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${var.aws_region}"
+  name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
 
   assume_role_policy = jsonencode(
     {
@@ -414,3 +419,12 @@ resource "cloudflare_record" "brokerdns" {
 data "cloudflare_zone" "domain" {
   name = var.cloudflare_domain
 }
+
+
+/*
+ * AWS data
+ */
+
+data "aws_caller_identity" "this" {}
+
+data "aws_region" "current" {}
diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf
@@ -25,7 +25,9 @@ variable "app_name" {
 }
 
 variable "aws_region" {
-  type = string
+  description = "This is deprecated. The region is more reliably determined from the aws_region data source."
+  type        = string
+  default     = ""
 }
 
 variable "cloudflare_domain" {

diff --git a/terraform/041-id-broker-search-lambda/README.md b/terraform/041-id-broker-search-lambda/README.md
@@ -20,7 +20,7 @@ This module is used to create a lambda function for calling id-broker's search a
 
  - `app_name` - Default: `idp-id-broker-search`
  - `function_name` - Default: `idp-id-broker-search`
- - `lambda_runtime` - AWS Lambda runtime environment, default: `provided.al2`
+ - `lambda_runtime` - AWS Lambda runtime environment, either `provided.al2` or `go1.x`. `go1.x` is deprecated but remains the default for backward compatibility
  - `memory_size` - Default: `128`
  - `timeout` - Default: `5`
  - `function_zip_name` - Key to file in S3 for function zip file, Default: `idp-id-broker-search.zip`

diff --git a/terraform/041-id-broker-search-lambda/vars.tf b/terraform/041-id-broker-search-lambda/vars.tf
@@ -23,16 +23,16 @@ variable "function_zip_name" {
 }
 
 variable "function_name" {
-  default = "bootstrap"
+  default = "idp-id-broker-search"
 }
 
 variable "idp_name" {
   type = string
 }
 
 variable "lambda_runtime" {
-  description = "AWS Lambda runtime environment"
-  default     = "provided.al2"
+  description = "AWS Lambda runtime environment, either `provided.al2` or `go1.x`. `go1.x` is deprecated"
+  default     = "go1.x"
   type        = string
 }
 

diff --git a/terraform/050-pw-manager/README.md b/terraform/050-pw-manager/README.md
@@ -13,7 +13,6 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl
 
  - `alb_dns_name` - DNS name for application load balancer
  - `alb_https_listener_arn` - ARN for ALB HTTPS listener
- - `alerts_email` - Email address to send alerts/notifications to
  - `api_subdomain` - Subdomain for pw manager api
  - `app_env` - Application environment
  - `app_name` - Application name
@@ -26,7 +25,6 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl
  - `auth_saml_spCertificate` - Public cert contents for this SP
  - `auth_saml_spPrivateKey` - Private cert contents for this SP
  - `auth_saml_ssoUrl` - SSO url for IdP
- - `aws_region` - AWS region
  - `cloudflare_domain` - Top level domain name for use with Cloudflare
  - `cloudwatch_log_group_name` - CloudWatch log group name
  - `cpu` - Amount of CPU to allocate to API container
@@ -59,13 +57,15 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl
 
 ## Optional Inputs
 
- - `code_length` - Number of digits in reset code. Default: `6`
+ - `alerts_email` - Email address to send alerts/notifications. Must be specified if `alerts_email_enabled` is `"true"`. Default: `""`
+ - `alerts_email_enabled` - Enable or disabled alert notification emails. Default: `"true"`
+ - `code_length` - Number of digits in reset code. Default: `"6"`
  - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true`
  - `extra_hosts` - Extra hosts for the API task definition, e.g. "\["hostname":"host.example.com","ipAddress":"192.168.1.1"\]"
- - `password_rule_enablehibp` - Enable haveibeenpwned.com password check. Default: `true`
- - `password_rule_maxlength` - Maximum password length. Default: `255`
- - `password_rule_minlength` - Minimum password length. Default: `10`
- - `password_rule_minscore` - Minimum password score. Default: `3`
+ - `password_rule_enablehibp` - Enable haveibeenpwned.com password check. Default: `"true"`
+ - `password_rule_maxlength` - Maximum password length. Default: `"255"`
+ - `password_rule_minlength` - Minimum password length. Default: `"10"`
+ - `password_rule_minscore` - Minimum password score. Default: `"3"`
  - `sentry_dsn` - Sentry DSN for error logging and alerting. Obtain from Sentry dashboard: Settings - Projects - (project) - Client Keys
  - `support_feedback` - Email address for end user feedback, displayed on PW UI.
  - `support_phone` - Phone number for end user support, displayed on PW UI.
@@ -97,7 +97,6 @@ module "pwmanager" {
   auth_saml_spPrivateKey              = var.auth_saml_spPrivateKey
   auth_saml_ssoUrl                    = var.auth_saml_ssoUrl
   cd_user_username                    = data.terraform_remote_state.core.cduser_username
-  aws_region                          = var.aws_region
   cloudflare_domain                   = var.cloudflare_domain
   cloudwatch_log_group_name           = var.cloudwatch_log_group_name
   code_length                         = var.code_length

diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf
@@ -1,5 +1,6 @@
-
 locals {
+  aws_account = data.aws_caller_identity.this.account_id
+  aws_region  = data.aws_region.current.name
   ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}"
 }
 
@@ -56,14 +57,15 @@ resource "random_id" "access_token_hash" {
  * Create ECS service for API
  */
 locals {
-  api_subdomain_with_region = "${var.api_subdomain}-${var.aws_region}"
+  api_subdomain_with_region = "${var.api_subdomain}-${local.aws_region}"
 
   task_def = templatefile("${path.module}/task-definition-api.json", {
     access_token_hash                   = random_id.access_token_hash.hex
     alerts_email                        = var.alerts_email
+    alerts_email_enabled                = var.alerts_email_enabled
     app_env                             = var.app_env
     app_name                            = var.app_name
-    aws_region                          = var.aws_region
+    aws_region                          = local.aws_region
     cloudwatch_log_group_name           = var.cloudwatch_log_group_name
     auth_saml_checkResponseSigning      = var.auth_saml_checkResponseSigning
     auth_saml_entityId                  = var.auth_saml_entityId
@@ -151,3 +153,10 @@ data "cloudflare_zone" "domain" {
   name = var.cloudflare_domain
 }
 
+/*
+ * AWS data
+ */
+
+data "aws_caller_identity" "this" {}
+
+data "aws_region" "current" {}
diff --git a/terraform/050-pw-manager/task-definition-api.json b/terraform/050-pw-manager/task-definition-api.json
@@ -31,7 +31,7 @@
       },
       {
         "name": "ALERTS_EMAIL_ENABLED",
-        "value": "true"
+        "value": "${alerts_email_enabled}"
       },
       {
         "name": "APP_ENV",

diff --git a/terraform/050-pw-manager/vars.tf b/terraform/050-pw-manager/vars.tf
@@ -7,7 +7,15 @@ variable "alb_https_listener_arn" {
 }
 
 variable "alerts_email" {
-  type = string
+  description = "Email to which to send error alerts"
+  type        = string
+  default     = ""
+}
+
+variable "alerts_email_enabled" {
+  description = "Set to true to disable email alerts. Must be a string for insertion into task definition."
+  type        = string
+  default     = "true"
 }
 
 variable "api_subdomain" {
@@ -69,7 +77,9 @@ variable "auth_saml_ssoUrl" {
 }
 
 variable "aws_region" {
-  type = string
+  description = "This is not used. The region is more reliably determined from the aws_region data source."
+  type        = string
+  default     = ""
 }
 
 variable "cd_user_username" {