diff --git a/.terraform_commits b/.terraform_commits
index 4802b75..f4ab013 100644
--- a/.terraform_commits
+++ b/.terraform_commits
@@ -4,5 +4,11 @@
 "commit_message": "working on adding template repo for aws-image-pipeline",
 "author": "arnol377",
 "timestamp": "2025-03-18T17:55:41.004668"
+ },
+ {
+ "commit_hash": "de443e5fee4bda81fc3c7e8022577ea8cb184f4a",
+ "commit_message": "Implement code changes to enhance functionality and improve performance",
+ "author": "arnol377",
+ "timestamp": "2025-03-19T20:31:17.707462"
 }
 ]
\ No newline at end of file
diff --git a/actions-bucket.tf b/actions-bucket.tf
index 4f5c588..5c8b551 100644
--- a/actions-bucket.tf
+++ b/actions-bucket.tf
@@ -1,9 +1,9 @@
 locals {
- bucket_name = "csvd-dev-ew-github-actions"
- kms_key_deletion_days = 30
- kms_alias_name = "csvd-dev-ew-github-actions"
- kms_description = "KMS key for actions bucket encryption"
- enable_key_rotation = true
+ base_bucket_name = "csvd-dev-ew-github-actions"
+ east_bucket_name = "${local.base_bucket_name}-east"
+ kms_key_deletion_days = 30
+ kms_description = "KMS key for actions bucket encryption"
+ enable_key_rotation = true
 
 # S3 permissions for ECS role
 ecs_s3_actions = [
@@ -18,11 +18,12 @@ locals {
 data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 
-# KMS key for bucket encryption
-resource "aws_kms_key" "actions_bucket" {
- description = local.kms_description
+# West Region Resources
+resource "aws_kms_key" "actions_bucket_west" {
+ provider = aws.west
+ description = "${local.kms_description} (West)"
 deletion_window_in_days = local.kms_key_deletion_days
- enable_key_rotation = local.enable_key_rotation
+ enable_key_rotation = local.enable_key_rotation
 
 policy = jsonencode({
 Version = "2012-10-17"
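Review bot: Renaming `aws_kms_key.actions_bucket` to `aws_kms_key.actions_bucket_west` here (and, in the next hunk, `aws_kms_alias.actions_bucket` plus `aws_s3_bucket.actions` and its versioning, encryption, public-access-block and policy resources to `*_west`) changes the resource addresses without any `moved` block, so the plan will be destroy-and-create rather than keep: the existing key enters its 30-day pending-deletion window and the bucket — which bucket-contents.json in this same commit suggests already holds objects — is either refused as non-empty or emptied. Adding `moved` blocks for each renamed resource keeps the state attached to the new addresses; the first three are sketched below and the remaining four follow the same pattern. Whether the added `provider = aws.west` alone would force replacement depends on the region the current resources live in, which this diff does not show. `aws_kms_key.actions_bucket_west` continues past the end of the hunk.
```hcl
# Keep existing state attached to the renamed addresses instead of replacing the resources.
moved {
  from = aws_kms_key.actions_bucket
  to   = aws_kms_key.actions_bucket_west
}

moved {
  from = aws_kms_alias.actions_bucket
  to   = aws_kms_alias.actions_bucket_west
}

moved {
  from = aws_s3_bucket.actions
  to   = aws_s3_bucket.actions_west
}

# … same pattern for aws_s3_bucket_versioning, aws_s3_bucket_server_side_encryption_configuration,
# aws_s3_bucket_public_access_block and aws_s3_bucket_policy ("actions" -> "actions_west") …
```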
@@ -40,48 +41,49 @@ resource "aws_kms_key" "actions_bucket" {
 })
 }
 
-resource "aws_kms_alias" "actions_bucket" {
- name = "alias/${local.kms_alias_name}"
- target_key_id = aws_kms_key.actions_bucket.key_id
+resource "aws_kms_alias" "actions_bucket_west" {
+ provider = aws.west
+ name = "alias/${local.base_bucket_name}"
+ target_key_id = aws_kms_key.actions_bucket_west.key_id
 }
 
-# S3 Bucket
-resource "aws_s3_bucket" "actions" {
- bucket = local.bucket_name
+resource "aws_s3_bucket" "actions_west" {
+ provider = aws.west
+ bucket = local.base_bucket_name
 }
 
-# Bucket versioning
-resource "aws_s3_bucket_versioning" "actions" {
- bucket = aws_s3_bucket.actions.id
+resource "aws_s3_bucket_versioning" "actions_west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.actions_west.id
 versioning_configuration {
 status = "Enabled"
 }
 }
 
-# Bucket encryption
-resource "aws_s3_bucket_server_side_encryption_configuration" "actions" {
- bucket = aws_s3_bucket.actions.id
+resource "aws_s3_bucket_server_side_encryption_configuration" "actions_west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.actions_west.id
 
 rule {
 apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.actions_bucket.arn
+ kms_master_key_id = aws_kms_key.actions_bucket_west.arn
 sse_algorithm = "aws:kms"
 }
 }
 }
 
-# Block public access
-resource "aws_s3_bucket_public_access_block" "actions" {
- bucket = aws_s3_bucket.actions.id
+resource "aws_s3_bucket_public_access_block" "actions_west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.actions_west.id
 block_public_acls = true
 block_public_policy = true
 ignore_public_acls = true
 restrict_public_buckets = true
 }
 
-# Bucket policy
-resource "aws_s3_bucket_policy" "actions" {
- bucket = aws_s3_bucket.actions.id
+resource "aws_s3_bucket_policy" "actions_west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.actions_west.id
 
 policy = jsonencode({
 Version = "2012-10-17"
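Review bot: The per-resource comments the old code carried (`# S3 Bucket`, `# Bucket versioning`, `# Bucket encryption`, `# Block public access`, `# Bucket policy`) are deleted along with the rename and only the single `# West Region Resources` header survives, so the west block is now less documented than it was, and the east copy later in the file never had them. Restore a one-line comment on each renamed resource, e.g. `# Bucket encryption: SSE-KMS with the west-region key` above `aws_s3_bucket_server_side_encryption_configuration.actions_west` and `# Block all public access` above the public-access block. The body of `aws_s3_bucket_policy.actions_west` continues past the end of the hunk.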
@@ -94,8 +96,94 @@ resource "aws_s3_bucket_policy" "actions" {
 }
 Action = local.ecs_s3_actions
 Resource = [
- aws_s3_bucket.actions.arn,
- "${aws_s3_bucket.actions.arn}/*"
+ aws_s3_bucket.actions_west.arn,
+ "${aws_s3_bucket.actions_west.arn}/*"
+ ]
+ }
+ ]
+ })
+}
+
+# East Region Resources
+resource "aws_kms_key" "actions_bucket_east" {
+ provider = aws.east
+ description = "${local.kms_description} (East)"
+ deletion_window_in_days = local.kms_key_deletion_days
+ enable_key_rotation = local.enable_key_rotation
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "Enable IAM User Permissions"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+ }
+ Action = "kms:*"
+ Resource = "*"
+ }
+ ]
+ })
+}
+
+resource "aws_kms_alias" "actions_bucket_east" {
+ provider = aws.east
+ name = "alias/${local.east_bucket_name}"
+ target_key_id = aws_kms_key.actions_bucket_east.key_id
+}
+
+resource "aws_s3_bucket" "actions_east" {
+ provider = aws.east
+ bucket = local.east_bucket_name
+}
+
+resource "aws_s3_bucket_versioning" "actions_east" {
+ provider = aws.east
+ bucket = aws_s3_bucket.actions_east.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "actions_east" {
+ provider = aws.east
+ bucket = aws_s3_bucket.actions_east.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.actions_bucket_east.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "actions_east" {
+ provider = aws.east
+ bucket = aws_s3_bucket.actions_east.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "actions_east" {
+ provider = aws.east
+ bucket = aws_s3_bucket.actions_east.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "AllowECSServiceRole"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"
+ }
+ Action = local.ecs_s3_actions
+ Resource = [
+ aws_s3_bucket.actions_east.arn,
+ "${aws_s3_bucket.actions_east.arn}/*"
 ]
 }
 ]
diff --git a/bucket-contents.json b/bucket-contents.json
new file mode 100644
index 0000000..b76cc99
--- /dev/null
+++ b/bucket-contents.json
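Review bot: The new `aws_s3_bucket_policy.actions_east` policy (and the west one it mirrors) is Allow-only: it grants `local.ecs_s3_actions` to the ECS service-linked role but never requires TLS, so objects in a bucket whose whole purpose is to hold CI artifacts and `terraform.plan` files can still be fetched over plain HTTP by any principal an IAM policy lets in. A second statement denying `s3:*` when `aws:SecureTransport` is `false`, as sketched below, closes that for both regions. Separately, the east KMS key policy in this hunk grants only the account root, so the ECS role's ability to decrypt SSE-KMS objects in the east bucket rests on IAM policies not shown here — worth confirming before the east bucket goes live. The hunk begins inside `aws_s3_bucket_policy.actions_west` and ends before the east policy's closing `})` and `}`.
```hcl
    Statement = [
      {
        Sid = "AllowECSServiceRole"
        # … unchanged: Effect, Principal, Action, Resource …
      },
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.actions_east.arn,
          "${aws_s3_bucket.actions_east.arn}/*"
        ]
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      }
    ]
```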
@@ -0,0 +1,200 @@ +{ + "Versions": [ + { + "ETag": "\"64584a574c6a5608168534c041aa8628-4\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 31084606, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/0e960303-d9d0-4302-8ab0-e592a72c2708/terraform-dir", + "VersionId": "vtAT43ftvWqcmAbLBk08wbabtAWcKb7T", + "IsLatest": true, + "LastModified": "2025-03-19T16:48:33+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"24d51e8e99660005620acf7d329ae3d0\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 5826, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/0e960303-d9d0-4302-8ab0-e592a72c2708/terraform.lock.hcl", + "VersionId": "IBeLnL.QDW2foh7445wUg02iCRb2gqac", + "IsLatest": true, + "LastModified": "2025-03-19T16:48:35+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"ae2562855b80145583e2174866ef8c57\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 233385, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/0e960303-d9d0-4302-8ab0-e592a72c2708/terraform.plan", + "VersionId": "RuvUheXK2cJl7QQeRVBFY8paeYDLU_uG", + "IsLatest": true, + "LastModified": "2025-03-19T16:49:18+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"5afcb3e77ae3e7e652c779e8b01b8f14-4\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 31084604, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/2ebfa243-1856-4cca-8da8-0271d766bc31/terraform-dir", + "VersionId": "T0XZWFRKjuuptgEWBfn61l4QPdNHkAAc", + "IsLatest": true, + "LastModified": "2025-03-19T21:58:09+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"d9ebd712757f50754d991c82ca45d4cd\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 5826, + "StorageClass": 
"STANDARD", + "Key": "CSVD/github-actions/default/2ebfa243-1856-4cca-8da8-0271d766bc31/terraform.lock.hcl", + "VersionId": "japmffqzBb6UsEtszgfpH2ppR76EJEzf", + "IsLatest": true, + "LastModified": "2025-03-19T21:58:10+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"090a375afe346118350154d2a3520e7e\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 233169, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/2ebfa243-1856-4cca-8da8-0271d766bc31/terraform.plan", + "VersionId": "7PptDFrjytVtzB5atJBkcK94qOTa.QoN", + "IsLatest": true, + "LastModified": "2025-03-19T21:58:51+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"93b6bfe35c0f2efd5ea87badc5ad3ef8-4\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 31084603, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/88d9e6be-d7fe-4e4e-8ab9-4a24586029de/terraform-dir", + "VersionId": "61P2EQG0SajpQg79xQtVFhZK4lrbLBqG", + "IsLatest": true, + "LastModified": "2025-03-19T23:28:15+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"1fe0fe93079f9f951ed44eb78d8caf51\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 5826, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/88d9e6be-d7fe-4e4e-8ab9-4a24586029de/terraform.lock.hcl", + "VersionId": "JQ.9vugqmJcxtn_Ew2Le.9W8b5FDpBtx", + "IsLatest": true, + "LastModified": "2025-03-19T23:28:16+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"e82694539d5a908dfe7ffd8dd1d061e6\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 233251, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/88d9e6be-d7fe-4e4e-8ab9-4a24586029de/terraform.plan", + "VersionId": "IL4UUNJcN2MxkcQXmzbQx9HPOmOfnhG_", + "IsLatest": true, + 
"LastModified": "2025-03-19T23:29:14+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"f8dfce8d21a50acc595e5b16bd466295-4\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 31084611, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/8f757d9a-b3ac-47cc-b760-2d447bd3b00e/terraform-dir", + "VersionId": "8shZVikG0VKoyGQRy4WNAA2z75M4AIOb", + "IsLatest": true, + "LastModified": "2025-03-19T21:05:17+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"f1adaad8e8dd5812f00b390e85884ab5\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 5826, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/8f757d9a-b3ac-47cc-b760-2d447bd3b00e/terraform.lock.hcl", + "VersionId": "okSYAxTAlMpoXGcpXgTLZeq4VuqTeDPK", + "IsLatest": true, + "LastModified": "2025-03-19T21:05:18+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"8a4516dd557892d002ae71f6932e7c87\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 233386, + "StorageClass": "STANDARD", + "Key": "CSVD/github-actions/default/8f757d9a-b3ac-47cc-b760-2d447bd3b00e/terraform.plan", + "VersionId": ".Mv5xmVtDtZJ2bJJlVtghnFl_tM1tFGh", + "IsLatest": true, + "LastModified": "2025-03-19T21:06:02+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + }, + { + "ETag": "\"a10a69f687b7574800f772eec06ba859\"", + "ChecksumAlgorithm": [ + "CRC64NVME" + ], + "Size": 19862, + "StorageClass": "STANDARD", + "Key": "katello-server-ca.pem", + "VersionId": "AddcB1WIl8yKicnGlIsOm5b2coF_PMLK", + "IsLatest": true, + "LastModified": "2025-03-18T22:19:53+00:00", + "Owner": { + "ID": "1cdbccee29c5305ac377a789c6f924db69ec7da804ad7d8303a495cf5eef9084" + } + } + ], + "RequestCharged": null +} 
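Review bot: bucket-contents.json is raw `list-object-versions` output committed beside the Terraform that manages the bucket, and nothing else in the diff reads it; the `Owner.ID` canonical user ID, the `VersionId` values and the key layout under `CSVD/github-actions/default/<run-id>/` are account-internal details that do not belong in version control, and the snapshot is stale the moment the next workflow run writes to the bucket. It reads as a debugging artifact left in by mistake; drop it from the commit and add the path to `.gitignore`. If a manifest of expected bucket contents is actually wanted, a hand-maintained file listing only the keys would serve better than tool output with `"RequestCharged": null`. The listing also shows `terraform.plan` objects, which can carry resolved variable values, so the SSE-KMS and public-access-block settings in actions-bucket.tf are doing real work for this bucket.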
diff --git a/providers.tf b/providers.tf
index 45050fd..e2f31ab 100644
--- a/providers.tf
+++ b/providers.tf
@@ -3,3 +3,13 @@ provider "github" {
 base_url = "https://github.e.it.census.gov/"
 # app_auth {} # When using `GITHUB_APP_XXX` environment variables
 }
+
+provider "aws" {
+ alias = "east"
+ region = "us-gov-east-1"
+}
+
+provider "aws" {
+ alias = "west"
+ region = "us-gov-west-1"
+}
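Review bot: Both added providers are aliased, yet `data "aws_partition" "current"` and `data "aws_caller_identity" "current"` in actions-bucket.tf carry no `provider` argument and so resolve through the unaliased `aws` provider; if providers.tf has no such block above line 3 (outside this hunk), Terraform falls back to an empty default configuration and the partition and account ID baked into every KMS and bucket-policy ARN come from whatever region and credentials the environment happens to supply. Give those data sources `provider = aws.west` (they are region-independent, so either alias works) or add an unaliased `provider "aws"` with an explicit region. A one-line comment on each alias, such as `# us-gov-west-1: primary region for the actions bucket and its KMS key`, would also record why the module now spans two regions.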