14 changes: 10 additions & 4 deletions main.tf
Expand Up @@ -197,7 +197,7 @@ module "security-group" {
module "s3-storage" {
count = var.load_environment == "" ? 1 : 0
source = "app.terraform.io/indico/indico-aws-buckets/mod"
version = "4.6.0"
version = "4.6.3"
force_destroy = true # allows terraform to destroy non-empty buckets.
label = var.label
kms_key_arn = local.environment_kms_key_arn
Expand All @@ -216,6 +216,8 @@ module "s3-storage" {
enable_loki_logging = var.enable_loki_logging
cleanup_noncurrent_days = var.s3_cleanup_noncurrent_days
retain_backup_days = var.s3_retain_backup_days
include_pgbackup = var.include_pgbackup
Disabling pgbackup now breaks pgBackRest S3 bucket reference

Medium Severity

Passing include_pgbackup to the s3-storage module is new — previously the module always created the pgbackup bucket regardless of this flag. Now when include_pgbackup = false, the bucket won't be created, but application.tf unconditionally configures crunchy-postgres pgBackRestConfig with local.environment_pgbackup_s3_bucket_name (which becomes the string "null" via coalesce). This means PostgreSQL backups will silently target a nonexistent bucket, causing backup failures with no corresponding config guard.

Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only applies if either intake or insights are enabled

pgbackup bucket created when intake/insights both disabled

Medium Severity

The include_pgbackup parameter is passed unconditionally as var.include_pgbackup (which defaults to true), but the pgbackup S3 bucket is only consumed by pgBackRest configs for intake and insights Crunchy Postgres instances. When neither ipa_enabled nor insights_enabled is true, this creates an unnecessary bucket. On customer-hosted clusters with IAM restrictions (the purpose of this PR), creating unneeded S3 resources could fail or violate least-privilege policies. The value likely needs to be gated on var.ipa_enabled || var.insights_enabled.

enable_public_access_block = var.s3_enable_public_access_block
}


Expand Down Expand Up @@ -286,7 +288,7 @@ module "efs-storage" {
module "fsx-storage" {
count = var.include_fsx == true && var.load_environment == "" ? 1 : 0
source = "app.terraform.io/indico/indico-aws-fsx/mod"
version = "2.0.0"
version = "2.0.4"
label = var.label
additional_tags = var.additional_tags
region = var.region
Expand All @@ -308,6 +310,7 @@ module "fsx-storage" {
fsx_rwx_arn = var.fsx_rwx_arn
fsx_rox_id = var.fsx_rox_id
fsx_rox_arn = var.fsx_rox_arn
enable_backup_lambda = var.enable_backup_lambda
}

module "iam" {
Expand Down Expand Up @@ -352,7 +355,7 @@ module "iam" {
module "cluster" {
count = var.multitenant_enabled == false ? 1 : 0
source = "app.terraform.io/indico/indico-aws-eks-cluster/mod"
version = "10.0.2"
version = "10.0.6"
label = var.multitenant_enabled ? var.tenant_cluster_name : var.label
region = var.region
cluster_version = var.k8s_version
Expand All @@ -372,13 +375,16 @@ module "cluster" {
instance_volume_size = var.instance_volume_size
instance_volume_type = var.instance_volume_type

additional_users = var.additional_users
enable_additional_access_entries = var.enable_additional_access_entries

public_endpoint_enabled = var.cluster_api_endpoint_public == true ? true : false
private_endpoint_enabled = var.network_allow_public == true ? false : true

create_cluster_security_group = var.create_cluster_security_group
cluster_security_group_id = local.environment_all_subnets_sg_id
cluster_additional_security_group_ids = [local.environment_all_subnets_sg_id]
create_node_security_group = var.create_node_security_group
node_security_group_id = local.environment_all_subnets_sg_id
http_tokens = var.http_tokens
}

Expand Down
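Review bot: The new `create_cluster_security_group` / `create_node_security_group` toggles in the `cluster` module hunk point `cluster_security_group_id`, `cluster_additional_security_group_ids` and `node_security_group_id` at the same `local.environment_all_subnets_sg_id`, so when a customer opts out of module-created groups the control-plane ENIs and the worker nodes presumably share one security group and any ingress rule opened for node traffic also reaches the API endpoint. The module's handling of these inputs is not visible here, so this should be confirmed against indico-aws-eks-cluster 10.0.6; if it holds, it deserves an inline comment, e.g. `# when create_*_security_group is false, cluster and nodes share the all-subnets SG; node ingress rules then also apply to the control-plane ENIs`. If the intent is least privilege on IAM-restricted clusters, consider a separate variable for the node group ID rather than reusing the cluster one. The `cluster` module block continues above the hunk.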
35 changes: 29 additions & 6 deletions variables.tf
Expand Up @@ -553,7 +553,7 @@ variable "include_fsx" {
variable "include_pgbackup" {
type = bool
default = true
description = "Create a read only FSx file system"
description = "Create a s3 backup for postgres"
}

variable "include_efs" {
Expand Down Expand Up @@ -1127,13 +1127,12 @@ variable "indico_sqs_sns_policy_name" {
default = null
}

variable "additional_users" {
type = list(string)
default = []
description = "The names of additional AWS users to provide admin access to the cluster"
variable "enable_additional_access_entries" {
type = bool
default = true
description = "If true this will create additional access entries for the cluster"
}


## Unused variables

variable "aws_account_name" {
Expand Down Expand Up @@ -1228,6 +1227,12 @@ variable "create_s3_backup_role" {
description = "Flag to create or load s3 backup role"
}

variable "s3_enable_public_access_block" {
type = bool
default = true
description = "If true this will enable public access block on the s3 buckets"
}

variable "create_vpc_flow_logs_role" {
type = bool
default = true
Expand Down Expand Up @@ -1270,6 +1275,18 @@ variable "pgbackup_s3_bucket_name_override" {
description = "The name of the existing S3 bucket to be created/loaded and used as the postgres backup bucket"
}

variable "create_cluster_security_group" {
type = bool
default = true
description = "Flag to create or load cluster security group"
}

variable "create_node_security_group" {
type = bool
default = true
description = "Flag to create or load node security group"
}

# Additional variables
variable "enable_s3_replication" {
type = bool
Expand Down Expand Up @@ -1326,6 +1343,12 @@ variable "fsx_deployment_type" {
description = "The deployment type to launch"
}

variable "enable_backup_lambda" {
type = bool
default = true
description = "If true this will enable the backup lambda for fsx"
}

variable "fsx_type" {
type = string
default = "create"
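Review bot: Replacing `additional_users` (default `[]`) with `enable_additional_access_entries` (default `true`) silently changes the default posture: before, no extra principals were granted cluster access unless listed explicitly, while now every environment that does not set the flag will get whatever access entries the cluster module creates, and the removed description said those grant admin access. On the IAM-restricted customer-hosted clusters this PR targets, that default should be opt-in, and the description should say which entries are created: `default = false` with `description = "If true the cluster module creates its built-in additional access entries (replaces additional_users, whose default granted nobody); leave false on customer-hosted clusters"`. The exact set of entries lives in the module and is not visible here, so confirm before wording the description.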