From 563d159d6e9d890bd62139cc8e0b10b6cdbe16d1 Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Tue, 3 Sep 2024 12:28:07 -0700
Subject: [PATCH] Update Docker and Linux pipeline configurations
---
 .secrets/main.tf | 40 ++++++++++++++++++++++++++
 ansible_parameters.tf | 66 +++++++++++++++++++++++++++++++++++++++++++
 docker.tf | 12 ++++----
 linux.tf | 12 ++++----
 rhel.tf | 16 +++++------
 vpc_endpoint.tf | 2 +-
 6 files changed, 127 insertions(+), 21 deletions(-)
 create mode 100644 .secrets/main.tf
 create mode 100644 ansible_parameters.tf
diff --git a/.secrets/main.tf b/.secrets/main.tf
new file mode 100644
index 0000000..76643b6
--- /dev/null
+++ b/.secrets/main.tf
@@ -0,0 +1,40 @@
+variable "packer_atx_host_ansible_pswd" {
+ type = string
+}
+
+variable "packer_atx_api_usr_pswd" {
+ type = string
+}
+
+locals {
+ secrets = {
+ packer_atx_host_ansible_pswd = var.packer_atx_host_ansible_pswd
+ packer_atx_api_usr_pswd = var.packer_atx_api_usr_pswd
+ }
+}
+
+resource "aws_kms_ciphertext" "ciphertext_blob" {
+ for_each = tomap(local.secrets)
+ key_id = aws_kms_key.oauth_config.key_id
+ plaintext = lookup(local.secrets, each.key)
+}
+
+resource "aws_secretsmanager_secret" "secrets" {
+ for_each = tomap(local.secrets)
+ name = "/image-pipeline/global/${each.key}"
+}
+
+resource "aws_secretsmanager_secret_version" "secrets" {
+ for_each = tomap(local.secrets)
+ secret_id = lookup(aws_secretsmanager_secret.secrets, each.key).id
+ secret_string = jsonencode(lookup(local.secrets, each.key))
+}
+
+terraform {
+ backend "s3" {
+ bucket = "inf-tfstate-229685449397"
+ key = "csvd-dev-gov/common/apps/aws-image-pipeline-global-secrets"
+ region = "us-gov-east-1"
+ dynamodb_table = "tf_remote_state"
+ }
+}
diff --git a/ansible_parameters.tf b/ansible_parameters.tf
new file mode 100644
index 0000000..ae8178f
--- /dev/null
+++ b/ansible_parameters.tf
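Review bot: The two `variable` blocks at the top of .secrets/main.tf hold passwords but are not marked sensitive, so their values are printed in plan and apply output and in any CI log that captures it; add `sensitive = true` to both `packer_atx_host_ansible_pswd` and `packer_atx_api_usr_pswd`. The `aws_secretsmanager_secret.secrets` resource sets no `kms_key_id`, so the stored secret is protected by the AWS-managed default key rather than the key referenced by `aws_kms_ciphertext.ciphertext_blob`, whose ciphertext nothing in this hunk consumes; either pass `kms_key_id = aws_kms_key.oauth_config.arn` to the secret or drop the ciphertext resource. `aws_kms_key.oauth_config` is not declared anywhere in this patch (the key created in ansible_parameters.tf is `image_pipeline_globals`), so unless it lives in another file under .secrets/ this module will not plan. Note also that `secret_string` is recorded verbatim in Terraform state, so access to the S3 bucket and DynamoDB table named in the `terraform` block needs to be limited to the pipeline role.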
@@ -0,0 +1,66 @@
+# Purpose: This file is used to create SSM parameters and Secrets Manager secrets for Ansible parameters.
+resource "aws_kms_key" "image_pipeline_globals" {
+ description = "image-pipeline global parameters and secrets"
+ is_enabled = true
+}
+
+locals {
+ packer = {
+ aap = {
+ ami = {
+ pipeline_workflow_url = ""
+ }
+ }
+ atx = {
+ host = {
+ ansible_pswd = ""
+ ansible_user = ""
+ action = ""
+ ipv4 = ""
+ name = ""
+ osver = ""
+ }
+ api = {
+ usr_name = ""
+ usr_pswd = ""
+ }
+ inventory = ""
+ }
+ }
+
+ ansible_secrets = {
+ packer_atx_host_ansible_pswd = local.packer.atx.host.ansible_pswd
+ packer_atx_api_usr_pswd = local.packer.atx.api.usr_pswd
+ }
+
+ ansible_parameters = {
+ packer_aap_ami_pipeline_workflow_url = local.packer.aap.ami.pipeline_workflow_url
+ packer_atx_api_usr_name = local.packer.atx.api.usr_name
+ packer_atx_host_name = local.packer.atx.host.name
+ packer_atx_host_ipv4 = local.packer.atx.host.ipv4
+ packer_atx_host_osver = local.packer.atx.host.osver
+ packer_atx_inventory = local.packer.atx.inventory
+ packer_atx_host_action = local.packer.atx.host.action
+ packer_atx_host_ansible_user = local.packer.atx.host.ansible_user
+ }
+}
+
+
+# Managed Parameters: Parameters not listed in var.nonmanaged_parameters are fully managed by Terraform.
+resource "aws_ssm_parameter" "managed_parameters" {
+ for_each = tomap({ for k, v in local.ssm_parameters : k => v if !contains(var.nonmanaged_parameters, k) })
+ name = "/image-pipeline/${var.project_name}/${each.key}"
+ type = "StringList"
+ value = each.value
+}
+
+resource "aws_secretsmanager_secret" "secrets" {
+ for_each = toset(local.secret_keys)
+ name = "/image-pipeline/${var.project_name}/${each.key}"
+}
+
+resource "aws_secretsmanager_secret_version" "secrets" {
+ for_each = toset(local.secret_keys)
+ secret_id = lookup(aws_secretsmanager_secret.secrets, each.key).id
+ secret_string = jsonencode(lookup(local.secrets, each.key))
+}
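Review bot: `aws_secretsmanager_secret_version.secrets`, `aws_secretsmanager_secret.secrets` and `aws_ssm_parameter.managed_parameters` iterate over `local.secret_keys`, `local.secrets` and `local.ssm_parameters`, none of which this file defines (it defines `local.ansible_secrets` and `local.ansible_parameters`), so unless those names come from another file the references are stale and the resources should use `for_each = local.ansible_secrets` and `for_each = local.ansible_parameters` instead. The `ansible_pswd` and `usr_pswd` entries under `local.packer.atx` are string literals in a committed file; leaving them as `""` placeholders invites a real credential being filled in and committed later, and the safer shape is to take them from `sensitive = true` variables the way .secrets/main.tf does. The `aws_kms_key.image_pipeline_globals` key is created but never attached to either Secrets Manager resource through `kms_key_id`, and it sets neither `enable_key_rotation` nor `deletion_window_in_days`. `type = "StringList"` on every managed parameter is also doubtful for single values such as `packer_atx_host_ipv4`, where `"String"` is the expected type, and a comment such as `# Non-secret values only: String/StringList SSM parameters are not KMS-encrypted SecureStrings` above the resource would make the split with Secrets Manager explicit.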
diff --git a/docker.tf b/docker.tf
index 4cf3145..4dd95a6 100644
--- a/docker.tf
+++ b/docker.tf
@@ -29,12 +29,12 @@ module "ecr-clone" {
 }
 module "docker" {
- source = "HappyPathway/image-pipeline/aws"
- project_name = "pipeline-test"
- builder_image = "aws/codebuild/standard:7.0"
- create_new_role = true
- ssh_user = "ec2-user"
- terraform_version = "1.8.5"
+ source = "HappyPathway/image-pipeline/aws"
+ project_name = "pipeline-test"
+ builder_image = "aws/codebuild/standard:7.0"
+ create_new_role = true
+ ssh_user = "ec2-user"
+ terraform_version = "1.8.5"
 build_environment_variables = [
 for proxy_var in keys(local.proxy_env_vars) : {
diff --git a/linux.tf b/linux.tf
index a95f0f3..fd069fd 100644
--- a/linux.tf
+++ b/linux.tf
@@ -4,12 +4,12 @@ moved {
 }
 module "amazon_linux" {
- source = "HappyPathway/image-pipeline/aws"
- project_name = "linux-image-pipeline"
- builder_image = "aws/codebuild/standard:7.0"
- create_new_role = true
- ssh_user = "ec2-user"
- terraform_version = "1.8.5"
+ source = "HappyPathway/image-pipeline/aws"
+ project_name = "linux-image-pipeline"
+ builder_image = "aws/codebuild/standard:7.0"
+ create_new_role = true
+ ssh_user = "ec2-user"
+ terraform_version = "1.8.5"
 build_environment_variables = [
 for proxy_var in keys(local.proxy_env_vars) : {
diff --git a/rhel.tf b/rhel.tf
index e100673..6d6f125 100644
--- a/rhel.tf
+++ b/rhel.tf
@@ -1,13 +1,13 @@
 module "rhel" {
- source = "HappyPathway/image-pipeline/aws"
- project_name = "rhel-image-pipeline-demo"
- builder_image = "aws/codebuild/standard:7.0"
- create_new_role = true
- ssh_user = "ec2-user"
- playbook = "rhel-arm-baseline.yaml"
- terraform_version = "1.8.5"
- troubleshoot = false
+ source = "HappyPathway/image-pipeline/aws"
+ project_name = "rhel-image-pipeline-demo"
+ builder_image = "aws/codebuild/standard:7.0"
+ create_new_role = true
+ ssh_user = "ec2-user"
+ playbook = "rhel-arm-baseline.yaml"
+ terraform_version = "1.8.5"
+ troubleshoot = false
 build_environment_variables = [
 for proxy_var in keys(local.proxy_env_vars) : {
 name = proxy_var
diff --git a/vpc_endpoint.tf b/vpc_endpoint.tf
index 52dd3ed..26686d6 100644
--- a/vpc_endpoint.tf
+++ b/vpc_endpoint.tf
@@ -18,5 +18,5 @@ resource "aws_vpc_endpoint" "endpoint" {
 local.vpc_config.security_group_ids,
 ["sg-0ba8072164c29e11f"]
 )
- subnet_ids = local.vpc_config.subnets
+ subnet_ids = local.vpc_config.subnets
 }