working on workspace cleanup

CSVD · Feb 13, 2025 · c65b5ac · c65b5ac
1 parent ea3d01a
commit c65b5ac
Show file tree

Hide file tree

Showing 12 changed files with 38,783 additions and 71 deletions.
diff --git a/amazon_linux.tf b/amazon_linux.tf
@@ -20,27 +20,35 @@ module "amazon_linux" {
   ]
   packer_source_type = "S3"
   packer_bucket = {
-    name = aws_s3_bucket.assets_bucket.bucket
+    name = "image-pipeline-assets"
     key  = "linux-image-pipeline.zip"
   }
   ansible_source_type = "S3"
   ansible_bucket = {
-    name = aws_s3_bucket.assets_bucket.bucket
+    name = "image-pipeline-assets"
     key  = "image-pipeline-ansible-playbooks.zip"
   }
   playbook         = "hello-world.yaml"
   goss_source_type = "S3"
   goss_bucket = {
-    name = aws_s3_bucket.assets_bucket.bucket
+    name = "image-pipeline-assets"
     key  = "image-pipeline-goss-testing.zip"
   }
   goss_profile = "base-test"
-  state        = local.state_config
+  state        = merge(
+    module.external_dependencies.state,
+    {
+      key = "linux-image-pipeline/terraform.tfstate",
+      region = local.vpc_config.region
+    }
+  )
   vpc_config   = local.vpc_config
   ami = {
     source_ami    = "ami-03fadeeea589a106b"
     instance_type = "t2.micro"
   }
+
+  depends_on = [module.external_dependencies]
 }
 
 output "linux_iam_arn" {

diff --git a/downloads.tf b/downloads.tf
@@ -18,7 +18,7 @@ module "downloader" {
 
 resource "aws_s3_object" "morpheus_rpms" {
   for_each   = tomap({ for download in local.downloads : download.name => download })
-  bucket     = aws_s3_bucket.assets_bucket.bucket
+  bucket     = module.external_dependencies.assets_bucket_name
   key        = "${each.value.path_prefix}/${each.key}"
   source     = "${each.value.output_path}/${each.key}"
   depends_on = [module.downloader]

diff --git a/external-dependencies.tf b/external-dependencies.tf
@@ -1,25 +1,65 @@
 module "external_dependencies" {
   source = "../terraform-aws-image-pipeline-external"
-
-  project_name      = "aws-image-pipeline"
-  assets_bucket_name = aws_s3_bucket.assets_bucket.bucket
+  region = local.vpc_config.region
+  vpc_id = local.vpc_config.vpc_id
+  subnet_ids = local.vpc_config.subnets
+  project_name = "aws-image-pipeline"
+  assets_bucket_name = "image-pipeline-assets"
   state_bucket_name = local.state_config.bucket
 
-  pipeline_iam_arns = [
-    module.amazon_linux.iam_arn,
-    module.morpheus.iam_arn
-  ]
-
+  pipeline_iam_arns = []  # Initially empty, will be updated by aws_s3_bucket_policy
+
   vpc_config = {
     vpc_id             = local._vpc_config.vpc_id
     region             = local._vpc_config.region
     security_group_ids = local._vpc_config.security_group_ids
-    subnets           = local._vpc_config.subnets
+    subnets            = local._vpc_config.subnets
   }
-
-  # Add common tags
+  # Feature flags
+  enable_assets_bucket   = true
+  enable_vpc_endpoints   = true
+  enable_security_groups = true
+  enable_state_backend   = true
+  enable_build_user     = true
+
   tags = {
     Project     = "aws-image-pipeline"
-    Environment = local.environment
+    Environment = "dev"
   }
+}
+
+# Create bucket policy separately after roles are created
+resource "aws_s3_bucket_policy" "assets_bucket_policy" {
+  bucket = module.external_dependencies.assets_bucket_name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid       = "AllowPipelineAccess"
+        Effect    = "Allow"
+        Principal = {
+          AWS = [
+            module.amazon_linux.iam_arn,
+            module.morpheus.iam_arn
+          ]
+        }
+        Action = [
+          "s3:Get*",
+          "s3:List*",
+          "s3:PutObject",
+          "s3:DeleteObject"
+        ]
+        Resource = [
+          module.external_dependencies.assets_bucket_arn,
+          "${module.external_dependencies.assets_bucket_arn}/*"
+        ]
+      }
+    ]
+  })
+
+  depends_on = [
+    module.amazon_linux,
+    module.morpheus,
+    module.external_dependencies
+  ]
 }
diff --git a/imports.tf b/imports.tf
@@ -1,11 +1,7 @@
-# module.morpheus.module.build_user[0].aws_secretsmanager_secret.credentials
-import {
-  to = module.morpheus.module.build_user[0].aws_secretsmanager_secret.credentials
-  id = "arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:/image-pipeline/morpheus-app/build_user_credentials-BF4y0w"
-}
+# Now handled by the external module
+# import {
+#   to = module.morpheus.module.build_user[0].aws_secretsmanager_secret.credentials
+#   id = "arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:/image-pipeline/morpheus-app/build_user_credentials-BF4y0w"
+# }
 
-# module.morpheus.aws_secretsmanager_secret.ssh_key
-import {
-  to = module.morpheus.aws_secretsmanager_secret.ssh_key
-  id = "arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:/image-pipeline/morpheus-app/ssh-private-key-FCQtUR"
-}
+# module.morpheus.aws_secretsmanager_secret.ssh_key
diff --git a/linux-images.code-workspace b/linux-images.code-workspace
@@ -7,7 +7,7 @@
             "path": "../terraform-aws-image-pipeline"
         },
         {
-            "path": "../../terraform-aws-image-pipeline-external"
+            "path": "../terraform-aws-image-pipeline-external"
         }
     ]
 }
diff --git a/locals.tf b/locals.tf
@@ -1,7 +1,3 @@
-data "aws_security_group" "it_linux_base" {
-  name = "it-linux-base"
-}
-
 locals {
   proxy_env_vars = {
     HTTP_PROXY  = "http://proxy.example.com:80"
@@ -12,9 +8,7 @@ locals {
   _vpc_config = {
     vpc_id = "vpc-00576a396ec570b94"
     region = "us-gov-west-1"
-    security_group_ids = [
-      data.aws_security_group.it_linux_base.id
-    ]
+    security_group_ids = []  # The base security group will be added by the external module
     subnets = [
       "subnet-062189d742937204e"
     ]
@@ -25,8 +19,14 @@ locals {
       security_group_ids = concat(
         local._vpc_config.security_group_ids,
         [
-          aws_security_group.allow_amznlinux_cdn.id
+          module.external_dependencies.pipeline_security_group_id
       ])
     }
   )
+
+  state_config = {
+    bucket  = "terraform-state-bucket"
+    key     = "linux-image-pipeline/terraform.tfstate"
+    region  = local.vpc_config.region
+  }
 }
diff --git a/main.tf b/main.tf
@@ -1,23 +1,19 @@
-resource "random_uuid" "random" {}
-
-data "aws_iam_policy_document" "build_user_policy_document" {
-  statement {
-    actions = [
-      "s3:Get*",
-      "s3:List*",
-      "s3:ReplicateObject",
-      "s3:PutObject",
-      "s3:RestoreObject",
-      "s3:PutObjectVersionTagging",
-      "s3:PutObjectTagging",
-      "s3:PutObjectAcl"
-    ]
-
-    resources = [
-      module.external_dependencies.assets_bucket_arn,
-      "${module.external_dependencies.assets_bucket_arn}/*",
-    ]
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
   }
 }
 
+provider "aws" {
+  region = "us-gov-west-1"  # Using hardcoded value from locals.tf
+}
+
+resource "random_uuid" "random" {}
+
 
diff --git a/morpheus.tf b/morpheus.tf
@@ -17,23 +17,28 @@ module "morpheus" {
   shared_kms_key_arns = local.ami_kms_keys
   packer_source_type  = "S3"
   packer_bucket = {
-    name = aws_s3_bucket.assets_bucket.bucket
+    name = "image-pipeline-assets"
     key  = "image-pipeline-packer.zip"
   }
   packer_config       = "morpheus-build.pkr.hcl"
   ansible_source_type = "S3"
   ansible_bucket = {
-    name = aws_s3_bucket.assets_bucket.bucket
+    name = "image-pipeline-assets"
     key  = "image-pipeline-ansible-playbooks.zip"
   }
   goss_source_type = "S3"
   goss_bucket = {
-    name = aws_s3_bucket.assets_bucket.bucket
+    name = "image-pipeline-assets"
     key  = "image-pipeline-goss.zip"
   }
   goss_profile = "morpheus-base-test"
-  # goss_profile  = "base-test"
-  state      = local.state_config
+  state      = merge(
+    module.external_dependencies.state,
+    {
+      key    = "morpheus-app/terraform.tfstate"
+      region = local.vpc_config.region
+    }
+  )
   vpc_config = local.vpc_config
   ami = {
     source_ami    = one(data.aws_ssm_parameter.rhel9_ami).value
@@ -77,13 +82,12 @@ module "morpheus" {
       encrypted             = true
     }
   ]
+  create_build_user   = false  # Disable the build user since we're using the static role
+  depends_on          = [module.external_dependencies]
 }
 
-
-
-resource "aws_iam_user_policy" "morpheus_build_user" {
-  // Attach a policy to the build user
-  name   = "morpheus-build-user"
-  user   = module.morpheus.user.name
+resource "aws_iam_role_policy" "morpheus_build_role_policy" {
+  name   = "morpheus-build-role-policy"
+  role   = module.morpheus.role_name
   policy = data.aws_iam_policy_document.ami.json
 }
diff --git a/moved.tf b/moved.tf
@@ -19,10 +19,10 @@ moved {
   to   = module.external_dependencies.aws_s3_bucket_server_side_encryption_configuration.assets_bucket_encryption
 }
 
-moved {
-  from = aws_s3_bucket_policy.assets_bucket_policy
-  to   = module.external_dependencies.aws_s3_bucket_policy.assets_bucket_policy
-}
+# moved {
+#   from = aws_s3_bucket_policy.assets_bucket_policy
+#   to   = module.external_dependencies.aws_s3_bucket_policy.assets_bucket_policy
+# }
 
 # Additional S3 bucket configuration moves
 moved {
@@ -91,4 +91,91 @@ moved {
 moved {
   from = aws_vpc_security_group_ingress_rule.allow_all_between_self
   to   = module.external_dependencies.aws_vpc_security_group_ingress_rule.allow_self_traffic
-}
+}
+
+# Update moves for count resources
+moved {
+  from = module.external_dependencies.aws_s3_bucket.state_bucket
+  to   = module.external_dependencies.aws_s3_bucket.state_bucket[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_s3_bucket.assets_bucket
+  to   = module.external_dependencies.aws_s3_bucket.assets_bucket[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_s3_bucket_server_side_encryption_configuration.state_bucket_encryption
+  to   = module.external_dependencies.aws_s3_bucket_server_side_encryption_configuration.state_bucket_encryption[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_s3_bucket_server_side_encryption_configuration.assets_bucket_encryption
+  to   = module.external_dependencies.aws_s3_bucket_server_side_encryption_configuration.assets_bucket_encryption[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_s3_bucket_versioning.assets_bucket_versioning
+  to   = module.external_dependencies.aws_s3_bucket_versioning.assets_bucket_versioning[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_s3_bucket_versioning.state_bucket_versioning
+  to   = module.external_dependencies.aws_s3_bucket_versioning.state_bucket_versioning[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_s3_bucket_public_access_block.assets_bucket_access
+  to   = module.external_dependencies.aws_s3_bucket_public_access_block.assets_bucket_access[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_s3_bucket_public_access_block.state_bucket_access
+  to   = module.external_dependencies.aws_s3_bucket_public_access_block.state_bucket_access[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_security_group.pipeline_security_group
+  to   = module.external_dependencies.aws_security_group.pipeline_security_group[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4
+  to   = module.external_dependencies.aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_vpc_security_group_ingress_rule.allow_self_traffic
+  to   = module.external_dependencies.aws_vpc_security_group_ingress_rule.allow_self_traffic[0]
+}
+
+# New moves for external dependencies
+moved {
+  from = module.external_dependencies.aws_dynamodb_table.terraform_state_lock
+  to   = module.external_dependencies.aws_dynamodb_table.terraform_state_lock[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_iam_instance_profile.build_user_instance_profile
+  to   = module.external_dependencies.aws_iam_instance_profile.build_user_instance_profile[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_iam_role.build_user_role
+  to   = module.external_dependencies.aws_iam_role.build_user_role[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_iam_role_policy.build_user_policy
+  to   = module.external_dependencies.aws_iam_role_policy.build_user_policy[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_s3_bucket_policy.assets_bucket_policy
+  to   = module.external_dependencies.aws_s3_bucket_policy.assets_bucket_policy[0]
+}
+
+moved {
+  from = module.external_dependencies.aws_vpc_endpoint.endpoints
+  to   = module.external_dependencies.aws_vpc_endpoint.endpoints[0]
+}