From 42dfd1eed7f745cf26f78d1241c683d3764c67ef Mon Sep 17 00:00:00 2001 From: Devon <122382412+devon-sil@users.noreply.github.com> Date: Mon, 18 Dec 2023 16:13:23 -0500 Subject: [PATCH 1/9] db-ssp to use mariadb:10 directly --- docker-compose/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 8550ed61..cb806144 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -50,7 +50,7 @@ services: PMA_PASSWORD: broker db-ssp: - image: silintl/mariadb:latest + image: mariadb:10 ports: - "3306" environment: From c8b46e84945721fed90b618284561f20f968bac3 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 19 Dec 2023 13:50:54 -0700 Subject: [PATCH 2/9] remove ALERTS_EMAIL_ENABLED from idp-pw-api task definition --- docker-compose/docker-compose.yml | 1 - terraform/050-pw-manager/task-definition-api.json | 4 ---- 2 files changed, 5 deletions(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index cb806144..d2362e88 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -141,7 +141,6 @@ services: IDP_NAME: development COMPOSER_ALLOW_SUPERUSER: 1 COMPOSER_CACHE_DIR: /composer - ALERTS_EMAIL_ENABLED: "false" EMAIL_SERVICE_accessToken: abc123 EMAIL_SERVICE_assertValidIp: "false" EMAIL_SERVICE_baseUrl: http://email diff --git a/terraform/050-pw-manager/task-definition-api.json b/terraform/050-pw-manager/task-definition-api.json index 14e8fdd0..b34e309c 100644 --- a/terraform/050-pw-manager/task-definition-api.json +++ b/terraform/050-pw-manager/task-definition-api.json @@ -29,10 +29,6 @@ "name": "ALERTS_EMAIL", "value": "${alerts_email}" }, - { - "name": "ALERTS_EMAIL_ENABLED", - "value": "true" - }, { "name": "APP_ENV", "value": "${app_env}" From 02725966f1bb073d11bdcbd8db72c3a58ac0f31d Mon Sep 17 00:00:00 2001 
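Review bot: `image: mariadb:10` for `db-ssp` is still a floating tag — it resolves to whichever 10.x build is newest at pull time, so two developers (or two CI runs) can end up on different database versions and a broken or tampered upstream push is picked up silently. Pin at least to a minor release, `image: mariadb:10.11`, or to a digest (`mariadb:10.11@sha256:…`) if this compose file is also used by automated tests. The service's `environment:` block is cut off at the hunk edge; the official `mariadb` image presumably expects a root-password variable (`MARIADB_ROOT_PASSWORD` or one of its allow-empty/random variants) that the old `silintl/mariadb` image may have defaulted for you — confirm the block sets one, otherwise the container will not start.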
From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 19 Dec 2023 13:53:24 -0700 Subject: [PATCH 3/9] add a default value to alerts_email --- terraform/050-pw-manager/vars.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/050-pw-manager/vars.tf b/terraform/050-pw-manager/vars.tf index b04185ec..801fd462 100644 --- a/terraform/050-pw-manager/vars.tf +++ b/terraform/050-pw-manager/vars.tf @@ -7,7 +7,9 @@ variable "alb_https_listener_arn" { } variable "alerts_email" { - type = string + description = "Email to which to send error alerts. Omit to disable email alerts." + type = string + default = "" } variable "api_subdomain" { From 430d9095a4a31da5328063f226bec2fe62ba55a8 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 2 Jan 2024 14:25:08 -0700 Subject: [PATCH 4/9] Revert "Change lambda runtime default to provided.al2" This reverts commit 3f2204db15c283b210525e15063f3aa8976a1fe3. --- terraform/041-id-broker-search-lambda/README.md | 2 +- terraform/041-id-broker-search-lambda/vars.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/041-id-broker-search-lambda/README.md b/terraform/041-id-broker-search-lambda/README.md index 0fbe87d3..73a3e6f9 100644 --- a/terraform/041-id-broker-search-lambda/README.md +++ b/terraform/041-id-broker-search-lambda/README.md @@ -20,7 +20,7 @@ This module is used to create a lambda function for calling id-broker's search a - `app_name` - Default: `idp-id-broker-search` - `function_name` - Default: `idp-id-broker-search` - - `lambda_runtime` - AWS Lambda runtime environment, default: `provided.al2` + - `lambda_runtime` - AWS Lambda runtime environment, either `provided.al2` or `go1.x`. `go1.x` is deprecated but remains the default for backward compatibility - `memory_size` - Default: `128` - `timeout` - Default: `5` - `function_zip_name` - Key to file in S3 for function zip file, Default: `idp-id-broker-search.zip` 
diff --git a/terraform/041-id-broker-search-lambda/vars.tf b/terraform/041-id-broker-search-lambda/vars.tf index 6be6a7af..7cf8bff1 100644 --- a/terraform/041-id-broker-search-lambda/vars.tf +++ b/terraform/041-id-broker-search-lambda/vars.tf @@ -23,7 +23,7 @@ variable "function_zip_name" { } variable "function_name" { - default = "bootstrap" + default = "idp-id-broker-search" } variable "idp_name" { @@ -31,8 +31,8 @@ variable "idp_name" { } variable "lambda_runtime" { - description = "AWS Lambda runtime environment" - default = "provided.al2" + description = "AWS Lambda runtime environment, either `provided.al2` or `go1.x`. `go1.x` is deprecated" + default = "go1.x" type = string } From f6d1d8fdaf65ee8a65ba5843ef4e20b6c1b43abe Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 2 Jan 2024 14:26:02 -0700 Subject: [PATCH 5/9] Revert "remove ALERTS_EMAIL_ENABLED from idp-pw-api task definition" This reverts commit c8b46e84945721fed90b618284561f20f968bac3. --- docker-compose/docker-compose.yml | 1 + terraform/050-pw-manager/task-definition-api.json | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index d2362e88..cb806144 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -141,6 +141,7 @@ services: IDP_NAME: development COMPOSER_ALLOW_SUPERUSER: 1 COMPOSER_CACHE_DIR: /composer + ALERTS_EMAIL_ENABLED: "false" EMAIL_SERVICE_accessToken: abc123 EMAIL_SERVICE_assertValidIp: "false" EMAIL_SERVICE_baseUrl: http://email diff --git a/terraform/050-pw-manager/task-definition-api.json b/terraform/050-pw-manager/task-definition-api.json index b34e309c..14e8fdd0 100644 --- a/terraform/050-pw-manager/task-definition-api.json +++ b/terraform/050-pw-manager/task-definition-api.json 
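Review bot: Reverting the `lambda_runtime` default to `go1.x` means every caller that leaves the variable unset gets a runtime AWS has deprecated, and deprecated Lambda runtimes stop receiving security patches and eventually cannot be created or updated; the description records this but nothing enforces or warns about it at plan time. Add a `validation` block on `lambda_runtime` with `condition = contains(["provided.al2", "go1.x"], var.lambda_runtime)` so a typo does not fall through to the provider, and extend the description with "set to `provided.al2` for new deployments" so the safe choice is the documented one. The same hunk reverts the `function_name` default from `bootstrap` back to `idp-id-broker-search`; if `bootstrap` was an attempt to satisfy the `provided.al2` entrypoint naming, that presumably belongs to the executable inside the zip rather than the function name — a one-line comment on `function_zip_name` saying so would stop it being re-introduced here.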
@@ -29,6 +29,10 @@ "name": "ALERTS_EMAIL", "value": "${alerts_email}" }, + { + "name": "ALERTS_EMAIL_ENABLED", + "value": "true" + }, { "name": "APP_ENV", "value": "${app_env}" From ed7c34b6de77df4a3aca6256a4bfedec9709f6e9 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 2 Jan 2024 14:29:57 -0700 Subject: [PATCH 6/9] add alerts_email_enabled variable to pw-api task definition --- terraform/050-pw-manager/main-api.tf | 1 + terraform/050-pw-manager/task-definition-api.json | 2 +- terraform/050-pw-manager/vars.tf | 8 +++++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf index 2fa93483..53396168 100644 --- a/terraform/050-pw-manager/main-api.tf +++ b/terraform/050-pw-manager/main-api.tf @@ -61,6 +61,7 @@ locals { task_def = templatefile("${path.module}/task-definition-api.json", { access_token_hash = random_id.access_token_hash.hex alerts_email = var.alerts_email + alerts_email_enabled = var.alerts_email_enabled app_env = var.app_env app_name = var.app_name aws_region = var.aws_region diff --git a/terraform/050-pw-manager/task-definition-api.json b/terraform/050-pw-manager/task-definition-api.json index 14e8fdd0..bd77fd49 100644 --- a/terraform/050-pw-manager/task-definition-api.json +++ b/terraform/050-pw-manager/task-definition-api.json @@ -31,7 +31,7 @@ }, { "name": "ALERTS_EMAIL_ENABLED", - "value": "true" + "value": "${alerts_email_enabled}" }, { "name": "APP_ENV", diff --git a/terraform/050-pw-manager/vars.tf b/terraform/050-pw-manager/vars.tf index 801fd462..ae6ccd10 100644 --- a/terraform/050-pw-manager/vars.tf +++ b/terraform/050-pw-manager/vars.tf 
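Review bot: With `alerts_email_enabled` defaulting to `"true"` and `alerts_email` defaulting to `""` (patch 3), a caller who omits both now gets a task definition with alerting switched on and an empty recipient, whereas before patch 3 Terraform refused the missing required input. In the `task_def` template map, derive the flag from the address so the two cannot disagree: `alerts_email_enabled = var.alerts_email == "" ? "false" : var.alerts_email_enabled`. Note also that `"value": "${alerts_email_enabled}"` in `task-definition-api.json` interpolates the raw string into a JSON string literal, so any value other than `true`/`false` — including one containing a quote — reaches the container or breaks the JSON unchecked.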
@@ -7,11 +7,17 @@ variable "alb_https_listener_arn" { } variable "alerts_email" { - description = "Email to which to send error alerts. Omit to disable email alerts." + description = "Email to which to send error alerts" type = string default = "" } +variable "alerts_email_enabled" { + description = "Set to true to disable email alerts. Must be a string for insertion into task definition." + type = string + default = "true" +} + variable "api_subdomain" { type = string } From c2ccaa79659c6339699c9cd06aed4aa15b36f9e7 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 2 Jan 2024 14:34:05 -0700 Subject: [PATCH 7/9] Add variable changes to README --- terraform/050-pw-manager/README.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/terraform/050-pw-manager/README.md b/terraform/050-pw-manager/README.md index a44ac4eb..6fc3d233 100644 --- a/terraform/050-pw-manager/README.md +++ b/terraform/050-pw-manager/README.md @@ -13,7 +13,6 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl - `alb_dns_name` - DNS name for application load balancer - `alb_https_listener_arn` - ARN for ALB HTTPS listener - - `alerts_email` - Email address to send alerts/notifications to - `api_subdomain` - Subdomain for pw manager api - `app_env` - Application environment - `app_name` - Application name 
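Review bot: The new description on `alerts_email_enabled` is inverted — it says "Set to true to disable email alerts" while the default is `"true"` and `task-definition-api.json` passes the value straight through as `ALERTS_EMAIL_ENABLED`. Suggested wording: `description = "Set to \"false\" to disable error alert emails. Kept as a string (\"true\"/\"false\") because it is interpolated into the task definition JSON."`. Because it is a free-form string, add a `validation` block with `condition = contains(["true", "false"], var.alerts_email_enabled)` so that `yes`, `True` or a stray quote cannot produce a task definition the API misreads or ECS rejects. The `alerts_email` description in the same hunk lost its "Omit to disable" sentence but kept `default = ""`; it should now state that an empty value is only meaningful when `alerts_email_enabled` is `"false"`.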
@@ -59,13 +58,15 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl ## Optional Inputs - - `code_length` - Number of digits in reset code. Default: `6` + - `alerts_email` - Email address to send alerts/notifications. Must be specified if `alerts_email_enabled` is `"true"`. Default: `""` + - `alerts_email_enabled` - Enable or disabled alert notification emails. Default: `"true"` + - `code_length` - Number of digits in reset code. Default: `"6"` - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true` - `extra_hosts` - Extra hosts for the API task definition, e.g. "\["hostname":"host.example.com","ipAddress":"192.168.1.1"\]" - - `password_rule_enablehibp` - Enable haveibeenpwned.com password check. Default: `true` - - `password_rule_maxlength` - Maximum password length. Default: `255` - - `password_rule_minlength` - Minimum password length. Default: `10` - - `password_rule_minscore` - Minimum password score. Default: `3` + - `password_rule_enablehibp` - Enable haveibeenpwned.com password check. Default: `"true"` + - `password_rule_maxlength` - Maximum password length. Default: `"255"` + - `password_rule_minlength` - Minimum password length. Default: `"10"` + - `password_rule_minscore` - Minimum password score. Default: `"3"` - `sentry_dsn` - Sentry DSN for error logging and alerting. Obtain from Sentry dashboard: Settings - Projects - (project) - Client Keys - `support_feedback` - Email address for end user feedback, displayed on PW UI. - `support_phone` - Phone number for end user support, displayed on PW UI. From 6dd61b2c3aa7c4d9203e063708de487d036264cc Mon Sep 17 00:00:00 2001 
From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 13 Feb 2024 14:20:10 -0700 Subject: [PATCH 8/9] remove the aws_region variable since it is not really necessary --- terraform/010-cluster/README.md | 2 -- terraform/031-email-service/README.md | 2 -- terraform/031-email-service/main.tf | 21 +++++++++++++++++---- terraform/031-email-service/vars.tf | 4 +++- terraform/032-db-backup/README.md | 2 -- terraform/032-db-backup/main.tf | 14 +++++++++++++- terraform/032-db-backup/vars.tf | 4 +++- terraform/040-id-broker/README.md | 2 -- terraform/040-id-broker/main.tf | 22 ++++++++++++++++++---- terraform/040-id-broker/vars.tf | 4 +++- terraform/050-pw-manager/README.md | 2 -- terraform/050-pw-manager/main-api.tf | 14 +++++++++++--- terraform/050-pw-manager/vars.tf | 4 +++- terraform/060-simplesamlphp/README.md | 2 -- terraform/060-simplesamlphp/main.tf | 17 +++++++++++++++-- terraform/060-simplesamlphp/vars.tf | 4 +++- terraform/070-id-sync/README.md | 2 -- terraform/070-id-sync/main.tf | 21 ++++++++++++++++----- terraform/070-id-sync/vars.tf | 4 +++- test/031-email-service.tf | 1 - test/032-db-backup.tf | 1 - test/040-id-broker.tf | 1 - test/050-pw-manager.tf | 1 - test/060-simplesamlphp.tf | 1 - test/070-id-sync.tf | 1 - 25 files changed, 108 insertions(+), 45 deletions(-) diff --git a/terraform/010-cluster/README.md b/terraform/010-cluster/README.md index 38badeaf..5820efd7 100644 --- a/terraform/010-cluster/README.md +++ b/terraform/010-cluster/README.md 
@@ -16,7 +16,6 @@ ssl certificate, core application load balancer, and a CloudWatch log group - `app_name` - Name of application, ex: Doorman, IdP, etc. - `app_env` - Name of environment, ex: prod, test, etc. - `aws_instance` - A map containing keys for `instance_type`, `volume_size`, `instance_count` - - `aws_region` - A string with region to deploy in, example: `us-east-1` - `aws_zones` - A list of availability zones to distribute instances across, example: `["us-east-1a", "us-east-1b", "us-east-1c"]` - `cert_domain_name` - Domain name for certificate, example: `*.mydomain.com` - `ecs_cluster_name` - ECS cluster name for registering instances @@ -58,7 +57,6 @@ module "cluster" { app_name = var.app_name app_env = var.app_env aws_instance = var.aws_instance - aws_region = var.aws_region aws_zones = var.aws_zones cert_domain_name = var.cert_domain_name ecs_cluster_name = data.terraform_remote_state.core.ecs_cluster_name diff --git a/terraform/031-email-service/README.md b/terraform/031-email-service/README.md index c84c2f6f..77da880e 100644 --- a/terraform/031-email-service/README.md +++ b/terraform/031-email-service/README.md @@ -11,7 +11,6 @@ This module is used to create an ECS service running email-service. ## Required Inputs - `app_env` - Application environment - - `aws_region` - AWS region - `cloudflare_domain` - Top level domain name for use with Cloudflare - `cloudwatch_log_group_name` - CloudWatch log group name - `db_name` - Name of MySQL database for email-service @@ -64,7 +63,6 @@ module "email" { source = "github.com/silinternational/idp-in-a-box//terraform/031-email-service" app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region` cloudflare_domain = var.cloudflare_domain cloudwatch_log_group_name = var.cloudwatch_log_group_name cpu_api = var.cpu_api diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf index c73f97f1..ee43dc9c 100644 --- a/terraform/031-email-service/main.tf 
+++ b/terraform/031-email-service/main.tf @@ -1,3 +1,8 @@ +locals { + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name +} + /* * Create target group for ALB */ @@ -54,7 +59,7 @@ resource "random_id" "access_token_idsync" { * Create role for access to SES */ resource "aws_iam_role" "ses" { - name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${var.aws_region}" + name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" assume_role_policy = jsonencode({ Version = "2012-10-17" @@ -100,13 +105,13 @@ resource "aws_iam_role_policy" "ses" { * Create ECS services */ locals { - subdomain_with_region = "${var.subdomain}-${var.aws_region}" + subdomain_with_region = "${var.subdomain}-${local.aws_region}" task_def_api = templatefile("${path.module}/task-definition-api.json", { api_access_keys = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}" app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region + aws_region = local.aws_region cloudwatch_log_group_name = var.cloudwatch_log_group_name cpu_api = var.cpu_api db_name = var.db_name @@ -148,7 +153,7 @@ locals { api_access_keys = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}" app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region + aws_region = local.aws_region cloudwatch_log_group_name = var.cloudwatch_log_group_name cpu_cron = var.cpu_cron db_name = var.db_name @@ -195,3 +200,11 @@ resource "cloudflare_record" "emaildns" { data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + +/* + * AWS data + */ + +data "aws_caller_identity" "this" {} + +data "aws_region" "current" {} diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf index 5e6555d0..4e9aaefe 100644 --- a/terraform/031-email-service/vars.tf 
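Review bot: `var.aws_region` is now accepted but ignored, and the provider's region replaces it in `aws_iam_role.ses.name` and `local.subdomain_with_region`; for any existing deployment where the value callers passed differs from the provider's configured region, this apply renames the IAM role (a force-replacement) and changes the regional DNS name with no warning. Since the variable is kept for compatibility it cannot simply be rejected, but a `check` block (Terraform 1.5+, if the module's version constraint allows it) turns the mismatch into a plan-time warning rather than a silent rename. `local.aws_account` is also defined here but not referenced in any hunk of this patch; drop it unless a follow-up uses it.

```hcl
# … unchanged: locals, target group, random_id resources, SES role …

# Warn when a caller still passes a region that disagrees with the provider's;
# the value is otherwise ignored (see the deprecated variable in vars.tf).
check "aws_region_matches_provider" {
  assert {
    condition     = var.aws_region == "" || var.aws_region == local.aws_region
    error_message = "aws_region is ignored in favour of the provider's region; remove it from the module call or align the provider region."
  }
}

# … unchanged: Cloudflare records, AWS data sources …
```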
+++ b/terraform/031-email-service/vars.tf @@ -8,7 +8,9 @@ variable "app_name" { } variable "aws_region" { - type = string + description = "This is not used. The region is more reliably determined from the aws_region data source." + type = string + default = "" } variable "cloudflare_domain" { diff --git a/terraform/032-db-backup/README.md b/terraform/032-db-backup/README.md index 2a076653..67964caf 100644 --- a/terraform/032-db-backup/README.md +++ b/terraform/032-db-backup/README.md @@ -10,7 +10,6 @@ This module is used to run mysqldump and backup files to S3 ## Required Inputs - `app_env` - Application environment - - `aws_region` - AWS region - `cloudwatch_log_group_name` - CloudWatch log group name - `docker_image` - The docker image to use for this - `ecs_cluster_id` - ID for ECS Cluster @@ -44,7 +43,6 @@ module "dbbackup" { source = "github.com/silinternational/idp-in-a-box//terraform/032-db-backup" app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region` cloudwatch_log_group_name = var.cloudwatch_log_group_name cpu = var.cpu cron_schedule = var.cron_schedule diff --git a/terraform/032-db-backup/main.tf b/terraform/032-db-backup/main.tf index 919dffbf..fd68d902 100644 --- a/terraform/032-db-backup/main.tf +++ b/terraform/032-db-backup/main.tf @@ -1,3 +1,8 @@ +locals { + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name +} + /* * Create S3 bucket for storing backups */ @@ -82,7 +87,7 @@ locals { task_def_backup = templatefile("${path.module}/task-definition.json", { app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region + aws_region = local.aws_region cloudwatch_log_group_name = var.cloudwatch_log_group_name aws_access_key = aws_iam_access_key.backup.id aws_secret_key = aws_iam_access_key.backup.secret 
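Review bot: The changed `aws_region = local.aws_region` line in `task_def_backup` sits directly above `aws_access_key = aws_iam_access_key.backup.id` and `aws_secret_key = aws_iam_access_key.backup.secret`, so this task definition still carries a long-lived IAM user key pair into the container environment — and therefore into Terraform state and the ECS task-definition API in plaintext. This commit does not introduce that, but a refactor of the same template map is a natural point to retire it: an ECS task role granting the S3 put permission removes the static secret entirely, and the AWS SDK/CLI in the backup image should pick up task-role credentials without any env vars (confirm against the image's entrypoint). As in the other modules, the new `locals` block here defines `aws_account` that nothing in the visible hunks uses.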
@@ -183,3 +188,10 @@ resource "aws_cloudwatch_event_target" "backup_event_target" { } } +/* + * AWS data + */ + +data "aws_caller_identity" "this" {} + +data "aws_region" "current" {} diff --git a/terraform/032-db-backup/vars.tf b/terraform/032-db-backup/vars.tf index 7099c16f..8ea3c5a9 100644 --- a/terraform/032-db-backup/vars.tf +++ b/terraform/032-db-backup/vars.tf @@ -8,7 +8,9 @@ variable "app_name" { } variable "aws_region" { - type = string + description = "This is not used. The region is more reliably determined from the aws_region data source." + type = string + default = "" } variable "backup_user_name" { diff --git a/terraform/040-id-broker/README.md b/terraform/040-id-broker/README.md index 7fe202b2..8efb7901 100644 --- a/terraform/040-id-broker/README.md +++ b/terraform/040-id-broker/README.md @@ -11,7 +11,6 @@ This module is used to create an ECS service running id-broker. - `app_env` - Application environment - `app_name` - Application name - - `aws_region` - AWS region - `cloudflare_domain` - Top level domain name for use with Cloudflare - `cloudwatch_log_group_name` - CloudWatch log group name - `db_name` - Name of MySQL database for id-broker @@ -145,7 +144,6 @@ module "broker" { source = "github.com/silinternational/idp-in-a-box//terraform/040-id-broker" app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region cloudflare_domain = var.cloudflare_domain cloudwatch_log_group_name = var.cloudwatch_log_group_name contingent_user_duration = var.contingent_user_duration diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index 52387cb9..7ab72b4e 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -1,3 +1,8 @@ +locals { + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name +} + /* * Create target group for ALB */ 
@@ -71,7 +76,7 @@ locals { random_id.access_token_idsync.hex ]) - subdomain_with_region = "${var.subdomain}-${var.aws_region}" + subdomain_with_region = "${var.subdomain}-${local.aws_region}" task_def = templatefile("${path.module}/task-definition.json", { api_access_keys = local.api_access_keys @@ -80,7 +85,7 @@ locals { abandoned_user_deactivate_instructions_url = var.abandoned_user_deactivate_instructions_url app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region + aws_region = local.aws_region cloudwatch_log_group_name = var.cloudwatch_log_group_name contingent_user_duration = var.contingent_user_duration cpu = var.cpu @@ -210,7 +215,7 @@ locals { abandoned_user_deactivate_instructions_url = var.abandoned_user_deactivate_instructions_url app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region + aws_region = local.aws_region cloudwatch_log_group_name = var.cloudwatch_log_group_name cpu = var.cpu_cron contingent_user_duration = var.contingent_user_duration @@ -320,7 +325,7 @@ locals { * Create role for scheduled running of cron task definitions. */ resource "aws_iam_role" "ecs_events" { - name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${var.aws_region}" + name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" assume_role_policy = jsonencode( { @@ -414,3 +419,12 @@ resource "cloudflare_record" "brokerdns" { data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + + +/* + * AWS data + */ + +data "aws_caller_identity" "this" {} + +data "aws_region" "current" {} diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf index 602aab41..c7f6afa5 100644 --- a/terraform/040-id-broker/vars.tf +++ b/terraform/040-id-broker/vars.tf 
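Review bot: `aws_iam_role.ecs_events` is the role EventBridge uses to launch the scheduled cron task definitions, and its `name` now ends in `local.aws_region` instead of `var.aws_region`; an IAM role name is immutable, so if any deployment's passed-in region differs from the provider's region, `terraform apply` will destroy and recreate this role, leaving a window in which scheduled id-broker cron tasks cannot be started. Run a plan against each live workspace before merging and, if a rename is expected, sequence it rather than letting it happen implicitly. The `aws_account` local added at the top of this file is not referenced by any visible hunk.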
@@ -25,7 +25,9 @@ variable "app_name" { } variable "aws_region" { - type = string + description = "This is deprecated. The region is more reliably determined from the aws_region data source." + type = string + default = "" } variable "cloudflare_domain" { diff --git a/terraform/050-pw-manager/README.md b/terraform/050-pw-manager/README.md index 6fc3d233..d90ebfc4 100644 --- a/terraform/050-pw-manager/README.md +++ b/terraform/050-pw-manager/README.md @@ -25,7 +25,6 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl - `auth_saml_spCertificate` - Public cert contents for this SP - `auth_saml_spPrivateKey` - Private cert contents for this SP - `auth_saml_ssoUrl` - SSO url for IdP - - `aws_region` - AWS region - `cloudflare_domain` - Top level domain name for use with Cloudflare - `cloudwatch_log_group_name` - CloudWatch log group name - `cpu` - Amount of CPU to allocate to API container @@ -98,7 +97,6 @@ module "pwmanager" { auth_saml_spPrivateKey = var.auth_saml_spPrivateKey auth_saml_ssoUrl = var.auth_saml_ssoUrl cd_user_username = data.terraform_remote_state.core.cduser_username - aws_region = var.aws_region cloudflare_domain = var.cloudflare_domain cloudwatch_log_group_name = var.cloudwatch_log_group_name code_length = var.code_length diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf index 53396168..81ede583 100644 --- a/terraform/050-pw-manager/main-api.tf +++ b/terraform/050-pw-manager/main-api.tf @@ -1,5 +1,6 @@ - locals { + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}" } 
@@ -56,7 +57,7 @@ resource "random_id" "access_token_hash" { * Create ECS service for API */ locals { - api_subdomain_with_region = "${var.api_subdomain}-${var.aws_region}" + api_subdomain_with_region = "${var.api_subdomain}-${local.aws_region}" task_def = templatefile("${path.module}/task-definition-api.json", { access_token_hash = random_id.access_token_hash.hex @@ -64,7 +65,7 @@ locals { alerts_email_enabled = var.alerts_email_enabled app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region + aws_region = local.aws_region cloudwatch_log_group_name = var.cloudwatch_log_group_name auth_saml_checkResponseSigning = var.auth_saml_checkResponseSigning auth_saml_entityId = var.auth_saml_entityId @@ -152,3 +153,10 @@ data "cloudflare_zone" "domain" { name = var.cloudflare_domain } +/* + * AWS data + */ + +data "aws_caller_identity" "this" {} + +data "aws_region" "current" {} diff --git a/terraform/050-pw-manager/vars.tf b/terraform/050-pw-manager/vars.tf index ae6ccd10..51830231 100644 --- a/terraform/050-pw-manager/vars.tf +++ b/terraform/050-pw-manager/vars.tf @@ -77,7 +77,9 @@ variable "auth_saml_ssoUrl" { } variable "aws_region" { - type = string + description = "This is not used. The region is more reliably determined from the aws_region data source." + type = string + default = "" } variable "cd_user_username" { diff --git a/terraform/060-simplesamlphp/README.md b/terraform/060-simplesamlphp/README.md index fa4181b8..8cd22678 100644 --- a/terraform/060-simplesamlphp/README.md +++ b/terraform/060-simplesamlphp/README.md @@ -14,7 +14,6 @@ This module is used to create an ECS service running simpleSAMLphp. - `vpc_id` - ID for VPC - `alb_https_listener_arn` - ARN for ALB HTTPS listener - `subdomain` - Subdomain for SSP IdP - - `aws_region` - AWS region - `broker_subdomain` - Subdomain for id-broker - `cloudflare_domain` - Top level domain name for use with Cloudflare - `cloudwatch_log_group_name` - CloudWatch log group name 
@@ -78,7 +77,6 @@ module "ssp" { vpc_id = data.terraform_remote_state.cluster.vpc_id alb_https_listener_arn = data.terraform_remote_state.cluster.alb_https_listener_arn subdomain = var.ssp_subdomain - aws_region = var.aws_region` cloudflare_domain = var.cloudflare_domain cloudwatch_log_group_name = var.cloudwatch_log_group_name docker_image = data.terraform_remote_state.ecr.ecr_repo_simplesamlphp diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index bd50280a..db0db8c8 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf @@ -1,3 +1,8 @@ +locals { + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name +} + /* * Create target group for ALB */ @@ -52,7 +57,7 @@ module "cf_ips" { } locals { - subdomain_with_region = "${var.subdomain}-${var.aws_region}" + subdomain_with_region = "${var.subdomain}-${local.aws_region}" other_ip_addresses = var.trust_cloudflare_ips == "ipv4" ? module.cf_ips.ipv4_cidrs : [] @@ -68,7 +73,7 @@ locals { admin_pass = random_id.admin_pass.hex app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region + aws_region = local.aws_region base_url = "https://${var.subdomain}.${var.cloudflare_domain}/" cloudwatch_log_group_name = var.cloudwatch_log_group_name docker_image = var.docker_image @@ -142,3 +147,11 @@ resource "cloudflare_record" "sspdns_intermediate" { data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + +/* + * AWS data + */ + +data "aws_caller_identity" "this" {} + +data "aws_region" "current" {} diff --git a/terraform/060-simplesamlphp/vars.tf b/terraform/060-simplesamlphp/vars.tf index 050cfaec..fb41de22 100644 --- a/terraform/060-simplesamlphp/vars.tf +++ b/terraform/060-simplesamlphp/vars.tf 
@@ -29,7 +29,9 @@ variable "alb_https_listener_arn" { } variable "aws_region" { - type = string + description = "This is not used. The region is more reliably determined from the aws_region data source." + type = string + default = "" } variable "subdomain" { diff --git a/terraform/070-id-sync/README.md b/terraform/070-id-sync/README.md index 66c0c148..a2c7de7a 100644 --- a/terraform/070-id-sync/README.md +++ b/terraform/070-id-sync/README.md @@ -10,7 +10,6 @@ store. - `app_name` - Application name - `app_env` - Application environment - - `aws_region` - AWS region - `cloudwatch_log_group_name` - CloudWatch log group name - `vpc_id` - ID for VPC - `docker_image` - URL to Docker image @@ -54,7 +53,6 @@ module "idsync" { app_env = var.app_env vpc_id = data.terraform_remote_state.cluster.vpc_id alb_https_listener_arn = data.terraform_remote_state.cluster.alb_https_listener_arn - aws_region = var.aws_region cloudwatch_log_group_name = var.cloudwatch_log_group_name docker_image = data.terraform_remote_state.ecr.ecr_repo_idsync email_service_accessToken = data.terraform_remote_state.email.access_token_idsync diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index 78b2aafd..8e1cf645 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -1,7 +1,10 @@ -/* - * Create ECS service - */ locals { + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + + /* + * Create ECS service + */ id_store_config = join(",", [for k, v in var.id_store_config : jsonencode({ name = "ID_STORE_CONFIG_${k}" @@ -12,7 +15,7 @@ locals { task_def = templatefile("${path.module}/task-definition.json", { app_env = var.app_env app_name = var.app_name - aws_region = var.aws_region + aws_region = local.aws_region cloudwatch_log_group_name = var.cloudwatch_log_group_name docker_image = var.docker_image email_service_accessToken = var.email_service_accessToken 
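Review bot: In `070-id-sync/main.tf` the `/* Create ECS service */` banner has been moved inside the `locals` block, after the new `aws_account`/`aws_region` lines, so the section header no longer marks a section and now reads as a comment on `id_store_config`. Every other module in this patch (031, 032, 040, 050, 060) adds a separate top-of-file `locals {}` for the AWS data and leaves the existing banner in place; do the same here — a standalone `locals { aws_account = … aws_region = … }` followed by the original banner and the original `locals {` — so the six modules stay structurally identical. `aws_account` is, as in the other modules, not referenced in any visible hunk.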
@@ -43,7 +46,7 @@ locals { * Create role for scheduled running of cron task definitions. */ resource "aws_iam_role" "ecs_events" { - name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${var.aws_region}" + name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" assume_role_policy = jsonencode( { @@ -123,3 +126,11 @@ resource "aws_cloudwatch_event_target" "id_sync_event_target" { task_definition_arn = aws_ecs_task_definition.cron_td.arn } } + +/* + * AWS data + */ + +data "aws_caller_identity" "this" {} + +data "aws_region" "current" {} diff --git a/terraform/070-id-sync/vars.tf b/terraform/070-id-sync/vars.tf index 27c3b251..1f27e2a2 100644 --- a/terraform/070-id-sync/vars.tf +++ b/terraform/070-id-sync/vars.tf @@ -20,7 +20,9 @@ variable "vpc_id" { } variable "aws_region" { - type = string + description = "This is not used. The region is more reliably determined from the aws_region data source." + type = string + default = "" } variable "cloudwatch_log_group_name" { diff --git a/test/031-email-service.tf b/test/031-email-service.tf index 697fcf53..77562321 100644 --- a/test/031-email-service.tf +++ b/test/031-email-service.tf @@ -3,7 +3,6 @@ module "email" { app_env = "" app_name = "" - aws_region = "" cloudflare_domain = "" cloudwatch_log_group_name = "" cpu_api = "" diff --git a/test/032-db-backup.tf b/test/032-db-backup.tf index 2c9ee7d5..81da95f3 100644 --- a/test/032-db-backup.tf +++ b/test/032-db-backup.tf @@ -3,7 +3,6 @@ module "backup" { app_env = "" app_name = "" - aws_region = "" backup_user_name = "" cloudwatch_log_group_name = "" cpu = "" diff --git a/test/040-id-broker.tf b/test/040-id-broker.tf index 1023fea2..2541ee02 100644 --- a/test/040-id-broker.tf +++ b/test/040-id-broker.tf @@ -6,7 +6,6 @@ module "broker" { abandoned_user_deactivate_instructions_url = "" app_env = "" app_name = "" - aws_region = "" cloudflare_domain = "" cloudwatch_log_group_name = "" contingent_user_duration = "" 
diff --git a/test/050-pw-manager.tf b/test/050-pw-manager.tf index 4cb36342..4ca94a4f 100644 --- a/test/050-pw-manager.tf +++ b/test/050-pw-manager.tf @@ -16,7 +16,6 @@ module "pw" { auth_saml_spCertificate = "" auth_saml_spPrivateKey = "" auth_saml_ssoUrl = "" - aws_region = "" cd_user_username = "" cloudflare_domain = "" cloudwatch_log_group_name = "" diff --git a/test/060-simplesamlphp.tf b/test/060-simplesamlphp.tf index 37657f3a..80be4389 100644 --- a/test/060-simplesamlphp.tf +++ b/test/060-simplesamlphp.tf @@ -8,7 +8,6 @@ module "ssp" { analytics_id = "" app_env = "" app_name = "" - aws_region = "" cloudflare_domain = "" cloudwatch_log_group_name = "" cpu = "" diff --git a/test/070-id-sync.tf b/test/070-id-sync.tf index f6c93fdc..83cbac49 100644 --- a/test/070-id-sync.tf +++ b/test/070-id-sync.tf @@ -5,7 +5,6 @@ module "sync" { allow_empty_email = "" app_env = "" app_name = "" - aws_region = "" cloudwatch_log_group_name = "" cpu = "" docker_image = "" From f1f6ae13ebf92bef3f67e951f7c36220b0d4938f Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Thu, 15 Feb 2024 09:19:56 -0700 Subject: [PATCH 9/9] PR feedback: make the warning more clear Co-authored-by: forevermatt --- terraform/031-email-service/vars.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf index 4e9aaefe..bf53b18c 100644 --- a/terraform/031-email-service/vars.tf +++ b/terraform/031-email-service/vars.tf @@ -8,7 +8,7 @@ variable "app_name" { } variable "aws_region" { - description = "This is not used. The region is more reliably determined from the aws_region data source." + description = "WARNING: This is not used. The region is more reliably determined from the aws_region data source." type = string default = "" }
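Review bot: Patch 9 changes only `031-email-service/vars.tf`, so after this series the same deprecated `aws_region` variable carries three different descriptions: "WARNING: This is not used…" (031), "This is not used…" (032, 050, 060, 070) and "This is deprecated…" (040). Use one wording in all six modules, e.g. `description = "DEPRECATED and ignored: the region is taken from the provider (aws_region data source). Retained so existing module calls do not break."`, so a caller grepping for the warning finds it everywhere and a later sweep can remove them together. The READMEs drop `aws_region` from the required-input lists, but the variable is now optional rather than gone — a line under "Optional Inputs" marking it deprecated would keep the docs consistent with `vars.tf`.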