diff --git a/kms.tf b/kms.tf
index ac978bf..6df8ceb 100644
--- a/kms.tf
+++ b/kms.tf
@@ -20,7 +20,7 @@ resource "aws_kms_key" "rhel_x86_codepipeline_key" {
 "kms:GenerateDataKey*",
 "kms:DescribeKey"
 ],
- "Resource": "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/ba7dabdd-0f5a-44aa-9a90-a36c246a29a4"
+ "Resource": "*"
 },
 {
 "Sid": "Allow admin actions",
@@ -29,7 +29,7 @@ resource "aws_kms_key" "rhel_x86_codepipeline_key" {
 "AWS": "arn:aws-us-gov:iam::229685449397:root"
 },
 "Action": "kms:*",
- "Resource": "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/ba7dabdd-0f5a-44aa-9a90-a36c246a29a4"
+ "Resource": "*"
 }
 ]
 }
@@ -38,5 +38,5 @@ EOF

 resource "aws_kms_alias" "rhel_x86_codepipeline_alias" {
 name = "alias/rhel-x86-codepipeline-key"
- target_key_id = "ba7dabdd-0f5a-44aa-9a90-a36c246a29a4" # Static KMS Key ID
-}
+ target_key_id = aws_kms_key.rhel_x86_codepipeline_key.id
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 7e31615..442c96c 100644
--- a/main.tf
+++ b/main.tf
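Review bot: `"Resource": "*"` is the correct form in a KMS key policy — a key policy can only apply to the key it is attached to, and the key's own ARN is not known before creation — but it reads as a wildcard grant to anyone scanning the file, and the same replacement is made in the admin statement at @@ -29. Because the policy is a JSON heredoc, the explanation cannot sit next to the statement and has to go on the HCL side, e.g. above the `policy` argument (outside this hunk): `# "Resource": "*" inside a key policy scopes to this key only; a self-referencing key ARN is not available at create time`. The Principal of the `kms:GenerateDataKey*`/`kms:DescribeKey` statement lies above the hunk, so its scoping is not reviewed here.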
@@ -1,55 +1,59 @@
 provider "aws" {
- region = "us-gov-west-1"
+ region = "us-gov-west-1"
 profile = "229685449397-csvd-dev-gov.inf-admin-t2"
 }
-
 locals {
- proxy_env_vars = {
- HTTP_PROXY = "http://proxy.tco.census.gov:3128"
- NO_PROXY = ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev,${local._vpc_config.region}.compute.internal,.${local._vpc_config.region}.compute.internal"
- HTTPS_PROXY = "http://proxy.tco.census.gov:3128"
- }
- source_repo = "linux-image-pipeline"
- project_name = "linux-image-pipeline-demo"
- environment = "dev"
- _vpc_config = {
- vpc_id = "vpc-00576a396ec570b94"
- region = "us-gov-west-1"
- security_group_ids = [
- "sg-0d828d223df9834a6"
- ]
- subnets = [
- # "subnet-0b1992a84536c581b"
- "subnet-062189d742937204e"
- ]
+ proxy_env_vars = {
+ HTTP_PROXY = "http://proxy.tco.census.gov:3128"
+ NO_PROXY = ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev,${local._vpc_config.region}.compute.internal,.${local._vpc_config.region}.compute.internal"
+ HTTPS_PROXY = "http://proxy.tco.census.gov:3128"
+ }
+ source_repo = "linux-image-pipeline"
+ project_name = "linux-image-pipeline-demo"
+ environment = "dev"
+ _vpc_config = {
+ vpc_id = "vpc-00576a396ec570b94"
+ region = "us-gov-west-1"
+ security_group_ids = ["sg-0d828d223df9834a6"]
+ subnets = ["subnet-062189d742937204e"]
+ }
+ vpc_config = merge(
+ local._vpc_config,
+ {
+ security_group_ids = concat(
+ local._vpc_config.security_group_ids,
+ [aws_security_group.allow_amznlinux_cdn.id]
+ )
 }
- vpc_config = merge(
- local._vpc_config,
- {
- security_group_ids = concat(
- local._vpc_config.security_group_ids,
- [
- aws_security_group.allow_amznlinux_cdn.id
- ])
- }
- )
- state_config = {
- bucket = aws_s3_bucket.state_bucket.bucket
- key = "csvd-dev-gov/common/apps/${local.environment}/${local.project_name}"
- region = local.vpc_config.region
- dynamodb_table = "tf_remote_state"
- }
+ )
+ state_config = {
+ bucket = aws_s3_bucket.state_bucket.bucket
+ key = "csvd-dev-gov/common/apps/${local.environment}/${local.project_name}"
+ region = local.vpc_config.region
+ dynamodb_table = "tf_remote_state"
+ }
 }
-resource random_uuid random {}
-resource aws_s3_bucket state_bucket {
+resource "random_uuid" "random" {}
+
+resource "aws_s3_bucket" "state_bucket" {
 bucket = "inf-test-${random_uuid.random.result}"
 }
+resource "aws_s3_bucket_server_side_encryption_configuration" "state_bucket_encryption" {
+ bucket = aws_s3_bucket.state_bucket.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ }
+}
+
 data "aws_iam_policy_document" "s3_access" {
 statement {
- effect = "Allow"
+ effect = "Allow"
 actions = ["s3:*"]
 resources = ["*"]
 }
@@ -67,14 +71,13 @@ resource "aws_security_group" "allow_amznlinux_cdn" {
 resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
 security_group_id = aws_security_group.allow_amznlinux_cdn.id
 cidr_ipv4 = "0.0.0.0/0"
- ip_protocol = "-1" # semantically equivalent to all ports
+ ip_protocol = "-1"
 }
-# referenced_security_group_id
 resource "aws_vpc_security_group_ingress_rule" "allow_all_between_self" {
- security_group_id = aws_security_group.allow_amznlinux_cdn.id
- ip_protocol = "-1" # semantically equivalent to all ports
- referenced_security_group_id = aws_security_group.allow_amznlinux_cdn.id
+ security_group_id = aws_security_group.allow_amznlinux_cdn.id
+ ip_protocol = "-1"
+ referenced_security_group_id = aws_security_group.allow_amznlinux_cdn.id
 }
 data "aws_codecommit_repository" "ansible" {
@@ -85,7 +88,6 @@ data "aws_codecommit_repository" "goss" {
 repository_name = "image-pipeline-goss-testing"
 }
-
 module "main" {
 source = "HappyPathway/image-pipeline/aws"
 project_name = local.project_name
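Review bot: The new `aws_s3_bucket_server_side_encryption_configuration` sets `sse_algorithm = "aws:kms"` without a `kms_master_key_id`, so the state bucket will be encrypted with the AWS-managed `aws/s3` key rather than a key whose policy and rotation this configuration controls. If that is intended, say so next to the rule, e.g. `# no kms_master_key_id: falls back to the AWS-managed aws/s3 key; set one if key-policy control is required`; otherwise reference a customer-managed key. This bucket backs `state_config` (the remote state location with the `tf_remote_state` lock table), and nothing in the hunk adds versioning or a public-access block for it; worth confirming they exist elsewhere, since only part of the file is visible here. The `s3_access` document in the same hunk is unchanged context, but it still grants `s3:*` on `*` to whatever consumes `build_permissions_iam_doc`, which deserves a follow-up outside this commit.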
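Review bot: Removing `# semantically equivalent to all ports` from both `ip_protocol = "-1"` lines in the @@ -67 hunk leaves the magic value unexplained for the next reader; keep a short comment on each, e.g. `ip_protocol = "-1" # all protocols and ports`. The egress rule itself (all traffic to `0.0.0.0/0`) and the self-referencing ingress rule are unchanged context here; if the group exists only to reach the Amazon Linux CDN, as its name suggests, narrowing egress to 80/443 would be a reasonable follow-up outside this commit.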
@@ -99,24 +101,22 @@ module "main" {
 playbook = "hello-world.yaml"
 terraform_version = "1.8.5"
 build_permissions_iam_doc = data.aws_iam_policy_document.s3_access
- build_environment_variables = [
- for proxy_var in keys(local.proxy_env_vars) :
- {
- name=proxy_var,
- value=lookup(local.proxy_env_vars, proxy_var),
- type = "PLAINTEXT"
- }
+ build_environment_variables = [
+ for proxy_var in keys(local.proxy_env_vars) : {
+ name = proxy_var
+ value = lookup(local.proxy_env_vars, proxy_var)
+ type = "PLAINTEXT"
+ }
 ]
 ansible_repo = data.aws_codecommit_repository.ansible
 goss_repo = data.aws_codecommit_repository.goss
 goss_profile = "base-test"
- state = local.state_config
- vpc_config = local.vpc_config
- source_ami = "ami-03fadeeea589a106b"
- instance_type = "t2.micro"
+ state = local.state_config
+ vpc_config = local.vpc_config
+ source_ami = "ami-03fadeeea589a106b"
+ instance_type = "t2.micro"
 }
-
 module "rhel-arm" {
 source = "HappyPathway/image-pipeline/aws"
 project_name = "rhel-arm-image-pipeline-demo"
@@ -127,13 +127,13 @@ module "rhel-arm" {
 create_new_role = true
 create_vpc_endpoint = false
 ssh_user = "ec2-user"
- playbook = "rhel-arm-baseline.yaml" # Updated path to main directory
+ playbook = "rhel-arm-baseline.yaml"
 terraform_version = "1.8.5"
 build_permissions_iam_doc = data.aws_iam_policy_document.s3_access
 build_environment_variables = [
 for proxy_var in keys(local.proxy_env_vars) : {
- name = proxy_var,
- value = lookup(local.proxy_env_vars, proxy_var),
+ name = proxy_var
+ value = lookup(local.proxy_env_vars, proxy_var)
 type = "PLAINTEXT"
 }
 ]
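Review bot: The reformatted `build_environment_variables` still walks `keys(local.proxy_env_vars)` and calls `lookup()` for every key, which is the roundabout way to turn a map into a list of objects; `for k, v in local.proxy_env_vars : { name = k, value = v, type = "PLAINTEXT" }` expresses the same list directly and drops the lookup. The same pattern is kept in the `rhel-arm` module hunk at @@ -127. Both modules also pin `source_ami` to a bare AMI ID with no comment on which image it is; a comment naming the image (or a data-source lookup by name) would save the next reviewer a console trip. The `module "main"` block begins before this hunk.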
@@ -142,19 +142,17 @@ module "rhel-arm" {
 goss_profile = "rhel-arm-base-test"
 state = local.state_config
 vpc_config = local.vpc_config
- source_ami = "ami-03f5c6b8195c66b04" # Updated AMI ID for RHEL 9 ARM
- instance_type = "t3.micro" # Ensure the instance type is ARM64 compatible
+ source_ami = "ami-03f5c6b8195c66b04"
+ instance_type = "t4g.micro"
 }
-
-
-resource random_password winrm {
+resource "random_password" "winrm" {
 length = 24
 override_special = "$*!"
- special = true
+ special = true
 }
-output password {
+output "password" {
 value = nonsensitive(random_password.winrm.result)
 }
@@ -189,17 +187,4 @@ module "windows" {
 vpc_config = local.vpc_config
 source_ami = "ami-012fffaddacaa52ff"
 instance_type = "t2.xlarge"
-}
-
-output iam_arn {
- value = module.main.iam_arn
-}
-
-output codebuild_user {
- value = module.main.build_user.name
-}
-
-output parameters {
- value = keys(module.main.parameters)
- sensitive = true
-}
+}
\ No newline at end of file
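Review bot: `output "password"` is re-declared with quoted labels but still wraps the generated WinRM password in `nonsensitive()`, so the secret is printed on every `apply` and into any CI log that captures Terraform output. Prefer `value = random_password.winrm.result` together with `sensitive = true`, which keeps it in state but only shows it on an explicit `terraform output -raw password`. The switch to `t4g.micro` resolves the concern the removed comment raised (`t3.micro` is an x86 family, not arm64), but the explanation was dropped with it; keep a one-liner such as `instance_type = "t4g.micro" # Graviton: must be arm64 to match the RHEL ARM AMI`.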