Updated

CSVD · Jul 24, 2024 · de6dbae · de6dbae
1 parent 89064cd
commit de6dbae
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 85 deletions.
diff --git a/kms.tf b/kms.tf
@@ -20,7 +20,7 @@ resource "aws_kms_key" "rhel_x86_codepipeline_key" {
         "kms:GenerateDataKey*",
         "kms:DescribeKey"
       ],
-      "Resource": "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/ba7dabdd-0f5a-44aa-9a90-a36c246a29a4"
+      "Resource": "*"
     },
     {
       "Sid": "Allow admin actions",
@@ -29,7 +29,7 @@ resource "aws_kms_key" "rhel_x86_codepipeline_key" {
         "AWS": "arn:aws-us-gov:iam::229685449397:root"
       },
       "Action": "kms:*",
-      "Resource": "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/ba7dabdd-0f5a-44aa-9a90-a36c246a29a4"
+      "Resource": "*"
     }
   ]
 }
@@ -38,5 +38,5 @@ EOF
 
 resource "aws_kms_alias" "rhel_x86_codepipeline_alias" {
   name          = "alias/rhel-x86-codepipeline-key"
-  target_key_id = "ba7dabdd-0f5a-44aa-9a90-a36c246a29a4"  # Static KMS Key ID
-}
+  target_key_id = aws_kms_key.rhel_x86_codepipeline_key.id
+}
diff --git a/main.tf b/main.tf
@@ -1,55 +1,59 @@
 provider "aws" {
-  region = "us-gov-west-1"
+  region  = "us-gov-west-1"
   profile = "229685449397-csvd-dev-gov.inf-admin-t2"
 }
 
-
 locals {
-    proxy_env_vars = {
-        HTTP_PROXY = "http://proxy.tco.census.gov:3128"
-        NO_PROXY = ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev,${local._vpc_config.region}.compute.internal,.${local._vpc_config.region}.compute.internal"
-        HTTPS_PROXY = "http://proxy.tco.census.gov:3128"
-    }
-    source_repo   = "linux-image-pipeline"
-    project_name  = "linux-image-pipeline-demo"
-    environment   = "dev"
-    _vpc_config = {
-        vpc_id = "vpc-00576a396ec570b94"
-        region = "us-gov-west-1"
-        security_group_ids = [
-          "sg-0d828d223df9834a6"
-        ]
-        subnets = [
-          # "subnet-0b1992a84536c581b"
-          "subnet-062189d742937204e"
-        ]
+  proxy_env_vars = {
+    HTTP_PROXY  = "http://proxy.tco.census.gov:3128"
+    NO_PROXY    = ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev,${local._vpc_config.region}.compute.internal,.${local._vpc_config.region}.compute.internal"
+    HTTPS_PROXY = "http://proxy.tco.census.gov:3128"
+  }
+  source_repo  = "linux-image-pipeline"
+  project_name = "linux-image-pipeline-demo"
+  environment  = "dev"
+  _vpc_config = {
+    vpc_id             = "vpc-00576a396ec570b94"
+    region             = "us-gov-west-1"
+    security_group_ids = ["sg-0d828d223df9834a6"]
+    subnets            = ["subnet-062189d742937204e"]
+  }
+  vpc_config = merge(
+    local._vpc_config,
+    {
+      security_group_ids = concat(
+        local._vpc_config.security_group_ids,
+        [aws_security_group.allow_amznlinux_cdn.id]
+      )
     }
-    vpc_config = merge(
-        local._vpc_config,
-        {
-          security_group_ids = concat(
-            local._vpc_config.security_group_ids, 
-            [
-              aws_security_group.allow_amznlinux_cdn.id
-            ])
-        }
-    )
-    state_config = {
-        bucket         = aws_s3_bucket.state_bucket.bucket
-        key            = "csvd-dev-gov/common/apps/${local.environment}/${local.project_name}"
-        region         = local.vpc_config.region
-        dynamodb_table = "tf_remote_state"
-    }  
+  )
+  state_config = {
+    bucket         = aws_s3_bucket.state_bucket.bucket
+    key            = "csvd-dev-gov/common/apps/${local.environment}/${local.project_name}"
+    region         = local.vpc_config.region
+    dynamodb_table = "tf_remote_state"
+  }
 }
 
-resource random_uuid random {}
-resource aws_s3_bucket state_bucket {
+resource "random_uuid" "random" {}
+
+resource "aws_s3_bucket" "state_bucket" {
   bucket = "inf-test-${random_uuid.random.result}"
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "state_bucket_encryption" {
+  bucket = aws_s3_bucket.state_bucket.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
+
 data "aws_iam_policy_document" "s3_access" {
   statement {
-    effect = "Allow"
+    effect    = "Allow"
     actions   = ["s3:*"]
     resources = ["*"]
   }
@@ -67,14 +71,13 @@ resource "aws_security_group" "allow_amznlinux_cdn" {
 resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
   security_group_id = aws_security_group.allow_amznlinux_cdn.id
   cidr_ipv4         = "0.0.0.0/0"
-  ip_protocol       = "-1" # semantically equivalent to all ports
+  ip_protocol       = "-1"
 }
 
-# referenced_security_group_id
 resource "aws_vpc_security_group_ingress_rule" "allow_all_between_self" {
-  security_group_id = aws_security_group.allow_amznlinux_cdn.id
-  ip_protocol       = "-1" # semantically equivalent to all ports
-  referenced_security_group_id = aws_security_group.allow_amznlinux_cdn.id
+  security_group_id              = aws_security_group.allow_amznlinux_cdn.id
+  ip_protocol                    = "-1"
+  referenced_security_group_id   = aws_security_group.allow_amznlinux_cdn.id
 }
 
 data "aws_codecommit_repository" "ansible" {
@@ -85,7 +88,6 @@ data "aws_codecommit_repository" "goss" {
   repository_name = "image-pipeline-goss-testing"
 }
 
-
 module "main" {
   source                      = "HappyPathway/image-pipeline/aws"
   project_name                = local.project_name
@@ -99,24 +101,22 @@ module "main" {
   playbook                    = "hello-world.yaml"
   terraform_version           = "1.8.5"
   build_permissions_iam_doc   = data.aws_iam_policy_document.s3_access
-  build_environment_variables = [ 
-   for proxy_var in keys(local.proxy_env_vars) :
-   { 
-     name=proxy_var, 
-     value=lookup(local.proxy_env_vars, proxy_var),
-     type = "PLAINTEXT"
-   }
+  build_environment_variables = [
+    for proxy_var in keys(local.proxy_env_vars) : {
+      name  = proxy_var
+      value = lookup(local.proxy_env_vars, proxy_var)
+      type  = "PLAINTEXT"
+    }
   ]
   ansible_repo                = data.aws_codecommit_repository.ansible
   goss_repo                   = data.aws_codecommit_repository.goss
   goss_profile                = "base-test"
-  state = local.state_config
-  vpc_config = local.vpc_config
-  source_ami = "ami-03fadeeea589a106b"
-  instance_type = "t2.micro"
+  state                       = local.state_config
+  vpc_config                  = local.vpc_config
+  source_ami                  = "ami-03fadeeea589a106b"
+  instance_type               = "t2.micro"
 }
 
-
 module "rhel-arm" {
   source                      = "HappyPathway/image-pipeline/aws"
   project_name                = "rhel-arm-image-pipeline-demo"
@@ -127,13 +127,13 @@ module "rhel-arm" {
   create_new_role             = true
   create_vpc_endpoint         = false
   ssh_user                    = "ec2-user"
-  playbook                    = "rhel-arm-baseline.yaml"  # Updated path to main directory
+  playbook                    = "rhel-arm-baseline.yaml"
   terraform_version           = "1.8.5"
   build_permissions_iam_doc   = data.aws_iam_policy_document.s3_access
   build_environment_variables = [
     for proxy_var in keys(local.proxy_env_vars) : {
-      name  = proxy_var,
-      value = lookup(local.proxy_env_vars, proxy_var),
+      name  = proxy_var
+      value = lookup(local.proxy_env_vars, proxy_var)
       type  = "PLAINTEXT"
     }
   ]
@@ -142,19 +142,17 @@ module "rhel-arm" {
   goss_profile                = "rhel-arm-base-test"
   state                       = local.state_config
   vpc_config                  = local.vpc_config
-  source_ami                  = "ami-03f5c6b8195c66b04"  # Updated AMI ID for RHEL 9 ARM
-  instance_type               = "t3.micro"  # Ensure the instance type is ARM64 compatible
+  source_ami                  = "ami-03f5c6b8195c66b04"
+  instance_type               = "t4g.micro"
 }
 
-
-
-resource random_password winrm {
+resource "random_password" "winrm" {
   length           = 24
   override_special = "$*!"
-  special = true
+  special          = true
 }
 
-output password {
+output "password" {
   value = nonsensitive(random_password.winrm.result)
 }
 
@@ -189,17 +187,4 @@ module "windows" {
   vpc_config = local.vpc_config
   source_ami = "ami-012fffaddacaa52ff"
   instance_type = "t2.xlarge"
-}
-
-output iam_arn {
-  value = module.main.iam_arn
-}
-
-output codebuild_user {
-  value =  module.main.build_user.name
-}
-
-output parameters {
-  value = keys(module.main.parameters)
-  sensitive = true
-}
+}