From 7e20c4eb52262cb2e32d9a4c22d2ad0d95ca94f2 Mon Sep 17 00:00:00 2001
From: Akash Agrawal
Date: Tue, 23 Aug 2022 11:11:28 +0530
Subject: [PATCH 01/20] DOPS-101 Add bootstrap module for terraform project
---
 .gitignore | 6 ++--
 terraform/bootstrap/.terraform.lock.hcl | 22 +++++++++++++
 terraform/bootstrap/README.md | 44 +++++++++++++++++++++++++
 terraform/bootstrap/main.tf | 41 +++++++++++++++++++++++
 terraform/bootstrap/variables.tf | 9 +++++
 5 files changed, 119 insertions(+), 3 deletions(-)
 create mode 100644 terraform/bootstrap/.terraform.lock.hcl
 create mode 100644 terraform/bootstrap/README.md
 create mode 100644 terraform/bootstrap/main.tf
 create mode 100644 terraform/bootstrap/variables.tf
diff --git a/.gitignore b/.gitignore
index 0d48e99..e9ac50d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,9 +6,9 @@
 .DS_Store
 .vagrant
 /env.sh
-/terraform/.terraform*
-/terraform/terraform.tfstate*
-/terraform/tf.plan
+/terraform/**/.terraform
+/terraform/**/terraform.tfstate*
+/terraform/**/tf.plan
 __pycache__
 build/
 tmp/
diff --git a/terraform/bootstrap/.terraform.lock.hcl b/terraform/bootstrap/.terraform.lock.hcl
new file mode 100644
index 0000000..21de3e4
--- /dev/null
+++ b/terraform/bootstrap/.terraform.lock.hcl
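Review bot: `/terraform/**/.terraform` matches only an entry named exactly `.terraform`, whereas the removed `/terraform/.terraform*` also covered `.terraform.tfstate.lock.info`, the lock file Terraform writes next to a local state file, which is now trackable; use `/terraform/**/.terraform/` for the provider directory plus `/terraform/**/.terraform.tfstate.lock.info`, which still keeps the intended effect of un-ignoring the `.terraform.lock.hcl` committed in this same patch. The `terraform.tfstate*` pattern is the real safeguard and only holds until someone forces the add: patch 04 of this series creates `terraform/bootstrap/terraform.tfstate`, a path this pattern matches, so it can only have been staged with `git add -f`, and the state content shows it carrying the account ID, the applying principal's assumed-role ARN and e-mail address, a KMS key ARN and S3 canonical user IDs. State belongs in the remote backend this series is setting up, not in git; a CI check that fails on any tracked `*.tfstate` would catch the forced add that the ignore rule cannot.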
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.27.0" + constraints = ">= 3.75.0, ~> 4.16" + hashes = [ + "h1:JjDRnFkYnMTgW1OJclVkE7ucHPFXwhNzrdexhtj97Lo=", + "zh:0f5ade3801fec487641e4f7d81e28075b716c787772f9709cc2378d20f325791", + "zh:19ffa83be6b6765a4f821a17b8d260dd0f192a6c40765fa53ac65fd042cb1f65", + "zh:3ac89d33ff8ca75bdc42f31c63ce0018ffc66aa69917c18713e824e381950e4e", + "zh:81a199724e74992c8a029a968d211cb45277d95a2e88d0f07ec85127b6c6849b", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a2e2c851a37ef97bbccccd2e686b4d016abe207a7f56bff70b10bfdf8ed1cbfd", + "zh:baf844def338d77f8a3106b1411a1fe22e93a82e3dc51e5d33b766f741c4a6a3", + "zh:bc33137fae808f91da0a9de7031cbea77d0ee4eefb4d2ad6ab7f58cc2111a7ff", + "zh:c960ae2b33c8d3327f67a3db5ce1952315146d69dfc3f1b0922242e2b218eec8", + "zh:f3ea1a25797c79c035463a1188a6a42e131f391f3cb714975ce49ccd301cda07", + "zh:f7e77c871d38236e5fedee0086ff77ff396e88964348c794cf38e578fcc00293", + "zh:fb338d5dfafab907b8608bd66cad8ca9ae4679f8c62c2435c2056a38b719baa2", + ] +} diff --git a/terraform/bootstrap/README.md b/terraform/bootstrap/README.md new file mode 100644 index 0000000..8d44894 --- /dev/null +++ b/terraform/bootstrap/README.md 
@@ -0,0 +1,44 @@ +# Modus Devops Demo Bootstrap + +This terraform module is used to bootstrap the backend for the `/terraform` project. It uses [trussworks/bootstrap/aws](https://github.com/trussworks/terraform-aws-bootstrap) module to create all the resources needed to enable terraform backend in AWS. + +## How to use + +```bash +cd terraform/bootstrap +terraform init +terraform apply +``` + +This will generate output which looks like this: + +``` +backend_details = { + "dynamodb_table" = "moduscreate-devops-demo-state-lock" + "logging_bucket" = "moduscreate-devops-demo-tf-state-log-us-east-1" + "state_bucket" = "moduscreate-devops-demo-tf-state-us-east-1" +} +``` + +It can then be used in the `terraform.backend` config of main project (not the bootstrap project). + +```terraform +terraform { + # ... existing config + + backend "s3" { + bucket = "moduscreate-devops-demo-tf-state-us-east-1" + key = "terraform-state.tfstate" + dynamodb_table = "moduscreate-devops-demo-state-lock" + region = "us-east-1" + encrypt = "true" + } +} +``` + +## Inputs + +| Name | Description | Default | +|-----------------|------------------------------|-------------------------| +| `aws_region` | Amazon region to use | us-east-1 | +| `account_alias` | Prefix for backend resources | moduscreate-devops-demo | diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf new file mode 100644 index 0000000..eb6412f --- /dev/null +++ b/terraform/bootstrap/main.tf 
@@ -0,0 +1,41 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.16"
+ }
+ }
+
+ required_version = "~> 1.2.0"
+}
+
+provider "aws" {
+ region = var.aws_region
+}
+
+module "bootstrap" {
+ source = "trussworks/bootstrap/aws"
+
+ region = var.aws_region
+ account_alias = var.account_alias
+ dynamodb_table_name = "${var.account_alias}-state-lock"
+}
+
+data "aws_caller_identity" "current" {}
+
+output "account_id" {
+ value = "${data.aws_caller_identity.current.account_id}"
+}
+
+output "arn" {
+ value = "${data.aws_caller_identity.current.arn}"
+}
+
+output "user_id" {
+ value = "${data.aws_caller_identity.current.user_id}"
+}
+
+output "backend_details" {
+ description = "Details of the S3 bucket and DynamoDB tables created for backend"
+ value = module.bootstrap
+}
diff --git a/terraform/bootstrap/variables.tf b/terraform/bootstrap/variables.tf
new file mode 100644
index 0000000..4073534
--- /dev/null
+++ b/terraform/bootstrap/variables.tf
@@ -0,0 +1,9 @@
+variable "aws_region" {
+ description = "Amazon Region to use"
+ default = "us-east-1"
+}
+
+variable "account_alias" {
+ description = "Prefix for backend resources"
+ default = "moduscreate-devops-demo"
+}
From 19cb916d1ae4a429963e96a4c2a79357fb74c80f Mon Sep 17 00:00:00 2001
From: Akash Agrawal
Date: Tue, 23 Aug 2022 11:33:50 +0530
Subject: [PATCH 02/20] DOPS-101 Add bootstrap and backend details to terrform project
Updated README to point to bootstrap project for setting up terraform backend. Updated main terraform project's backend with the S3 and DynamoDB tables generated using default bootstrap values.
---
 README.md | 26 ++++++++++----------------
 terraform/terraform.tf | 17 ++++++++---------
 2 files changed, 18 insertions(+), 25 deletions(-)
diff --git a/README.md b/README.md
index 31a7204..450e0fa 100644
--- a/README.md
+++ b/README.md
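Review bot: The `account_id`, `arn` and `user_id` outputs publish the identity of whoever runs `terraform apply`, and since main.tf declares no backend (and the README runs a bare `terraform init`) that identity is written in clear text to a local `terraform.tfstate` next to the bucket details; the state file committed in patch 04 of this series shows exactly these values, including an SSO role ARN and an e-mail address. If they exist only as a sanity check, drop them; `sensitive = true` would hide them from plan and apply output but they would still be stored in state, and `backend_details` is the only output the main project consumes. As a point of style, the interpolation-only quoting is Terraform 0.11 syntax: with `required_version = "~> 1.2.0"` write `value = data.aws_caller_identity.current.account_id` and the same for `arn` and `user_id`.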
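Review bot: Both variables are declared without a `type`, so a value of the wrong kind passed via `-var` or a `.tfvars` file is accepted here and only fails later inside the `bootstrap` module; add `type = string` to each. Because `account_alias` becomes part of S3 bucket names (the README output shows the `<alias>-tf-state-<region>` shape, presumably produced by the module), a `validation` block restricting it to lowercase letters, digits and hyphens would turn an invalid alias into an early, readable error instead of a failed apply.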
@@ -13,17 +13,17 @@ See the branch [demo-20180619](https://github.com/ModusCreateOrg/devops-infra-de See the branch [demo-20180926](https://github.com/ModusCreateOrg/devops-infra-demo/tree/demo-20180926) for the code for the demo for the [Continuous Delivery NYC talk _Managing Expensive or Destructive Operations in Jenkins CI_](https://www.meetup.com/ContinuousDeliveryNYC/events/254036209/). Slides from this presentation are on [SlideShare](https://www.slideshare.net/RichardBullingtonMcG/managing-expensive-or-destructive-operations-in-jenkins-ci). See the branch [demo-20181205](https://github.com/ModusCreateOrg/devops-infra-demo/tree/demo-20181205) for the code for the demo for the [Ansible NYC talk _Ansible Image Bakeries: Best Practices & Pitfalls_](https://www.meetup.com/Ansible-NYC/events/256728741/). Slides from this presentation are on [SlideShare](https://www.slideshare.net/RichardBullingtonMcG/ansible-image-bakeries-best-practices-and-pitfalls). - + See the branch [demo-20190130](https://github.com/ModusCreateOrg/devops-infra-demo/tree/demo-20190130) for the code for the demo for the [Big Apple DevOps talk _Monitoring and Alerting as code with Terraform and New Relic_](https://www.meetup.com/Big-Apple-DevOps/events/257744262/). Slides from this presentation are on [Slideshare](https://www.slideshare.net/RichardBullingtonMcG/monitoring-and-alerting-as-code-with-terraform-and-new-relic). - + See the branch [demo-20191109](https://github.com/ModusCreateOrg/devops-infra-demo/tree/demo-20191109) for the code for the demo for the [BSidesCT 2019 talk _Extensible DevSecOps pipelines with Jenkins, Docker, Terraform, and a kitchen sink full of scanners_](https://bsidesct.org/schedule/). 
Slides from this presentation are on [Slideshare](https://www.slideshare.net/RichardBullingtonMcG/extensible-dev-secops-pipelines-with-jenkins-docker-terraform-and-a-kitchen-sink-full-of-scanners) - + Instructions ------------ To run the demo end to end, you will need: - + * [AWS Account](https://aws.amazon.com/) * [Google Cloud Account](https://cloud.google.com/) * [Docker](https://docker.com/) (tested with 18.05.0-ce) @@ -33,7 +33,7 @@ Instructions Optionally, you can use Vagrant to test ansible playbooks locally and Jenkins to orchestrate creation of AMIs in conjunction with GitHub branches and pull requests. -You will also need to set a few environment variables. The method of doing so will vary from platform to platform. +You will also need to set a few environment variables. The method of doing so will vary from platform to platform. ``` AWS_PROFILE 
@@ -74,20 +74,14 @@ Install [Vagrant](https://www.vagrantup.com/). Change directory into the root of ### Terraform -This Terraform setup stores its state in Amazon S3 and uses DynamoDB for locking. There is a bit of setup required to bootstrap that configuration. You can use [this repository](https://github.com/monterail/terraform-bootstrap-example) to use Terraform to do that bootstrap process. The `backend.tfvars` file in that repo should be modified as follows to work with this project: +This Terraform setup stores its state in Amazon S3 and uses DynamoDB for locking. There is a bit of setup required to bootstrap the configuration. Check out `./terraform/bootstrap/README.md` to setup the resources required for backend. + +If you override the default input values (by CLI or using a `.tfvars` file) for bootstrapping, please update the `terraform.backend` section in `./terraform/terraform.tf` to reflect that. -(Replace us-east-1 and XXXXXXXXXXXX with the AWS region and your account ID) -``` -bucket = "tf-state.devops-infra-demo.us-east-1.XXXXXXXXXXXX" -dynamodb_table = "TerraformStatelock-devops-infra-demo" -key = "terraform.tfstate" -profile = "terraform" -region = "us-east-1" -``` You'll also need to modify the list of operators who can modify the object in the S3 bucket. Put in the IAM user names of the user into the `setup/variables.tf` file in that project. If your Jenkins instance uses an IAM role to grant access, give it a similar set of permissions to those granted on in the bucket policy to IAM users. These commands will then set up cloud resources using terraform: - + cd terraform terraform init terraform get 
@@ -112,7 +106,7 @@ The application loads an image from Google storage. To get it loading correctly, ### Auto Scaling Groups -The application in this demo uses an AWS Auto Scaling Group in order to dynamically change the number of servers deployed in response to load. Two policies help guide how many instances are available: a CPU scaling policy that seeks to keep the average CPU load below 40% in the cluster, and a scheduled scaling policy that scales the entire cluster down to 0 instances at 02:00 UTC every night, to minimize the charges should you forget to destroy the cluster. If the cluster is scaled down to 0 instances, you will need to edit the Auto Scaling Group through the console, the CLI, or an API call to set the sizes to non-zero, for example +The application in this demo uses an AWS Auto Scaling Group in order to dynamically change the number of servers deployed in response to load. Two policies help guide how many instances are available: a CPU scaling policy that seeks to keep the average CPU load below 40% in the cluster, and a scheduled scaling policy that scales the entire cluster down to 0 instances at 02:00 UTC every night, to minimize the charges should you forget to destroy the cluster. If the cluster is scaled down to 0 instances, you will need to edit the Auto Scaling Group through the console, the CLI, or an API call to set the sizes to non-zero, for example ### Elastic Load Balancing diff --git a/terraform/terraform.tf b/terraform/terraform.tf index 9d95fae..0cfa892 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf 
@@ -1,15 +1,14 @@ terraform { + #=================================================================== + # The S3 bucket and DyanmoDB table used here are created using + # ./bootstrap project. See ./bootstrap/README.md for details. + #=================================================================== backend "s3" { - encrypt = true - - # We can't specify parameterized config here but if we could it would look like: - # bucket = "tf-state.${project_name}.${aws_region}.${data.aws_caller_identity.current.account_id}" - # dynamodb_table = "TerraformStatelock-${project_name}" - bucket = "my-terraform-bucket" - - dynamodb_table = "TerraformStatelock" + bucket = "moduscreate-devops-demo-tf-state-us-east-1" + key = "terraform-state.tfstate" + dynamodb_table = "moduscreate-devops-demo-state-lock" region = "us-east-1" - key = "terraform.tfstate" + encrypt = "true" } } From d82cfb4377176a43f6e8a341d0f32ae40199d871 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Thu, 25 Aug 2022 11:03:06 +0530 Subject: [PATCH 03/20] DOPS-101 Add variable for account alias for main terraform project This alias needs to match the one used in bootstrap project to use correct names for S3 bucket and DynamoDB table. --- bin/common-terraform.sh | 6 ++---- terraform/terraform.tf | 6 +++--- terraform/variables.tf | 5 +++++ 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/bin/common-terraform.sh b/bin/common-terraform.sh index c05deb8..30b8f20 100755 --- a/bin/common-terraform.sh +++ b/bin/common-terraform.sh 
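Review bot: `encrypt = "true"` replaces the boolean `encrypt = true` on the removed line; Terraform converts the string, but the argument is a bool and the quoted form is a regression that looks copied from the bootstrap README snippet, which has the same quoting — keep `encrypt = true`. The new comment misspells the service: `DyanmoDB` → `DynamoDB`. Since the bucket changes and the `key` moves from `terraform.tfstate` to `terraform-state.tfstate`, any state that previously lived under the backend values bin/common-terraform.sh used to inject is not picked up automatically; the commit message should say whether `terraform init -migrate-state` was run or that old state is intentionally abandoned.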
@@ -51,10 +51,8 @@ function init_terraform() { #shellcheck disable=SC2086,SC2046 $DOCKER_TERRAFORM init \ -input="$INPUT_ENABLED" \ - -backend-config bucket=tf-state.${PROJECT_NAME}.${AWS_DEFAULT_REGION}.$(get_aws_account_id) \ - -backend-config dynamodb_table=TerraformStatelock-${PROJECT_NAME} \ - -backend-config region=${AWS_DEFAULT_REGION} \ - -backend-config encrypt=true + -backend-config region=${AWS_DEFAULT_REGION} + # Generate an SSH keypair if none exists yet if [[ ! -f ~/.ssh/id_rsa.pub ]]; then #shellcheck disable=SC2174 diff --git a/terraform/terraform.tf b/terraform/terraform.tf index 0cfa892..d0e9e9b 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf @@ -4,10 +4,10 @@ terraform { # ./bootstrap project. See ./bootstrap/README.md for details. #=================================================================== backend "s3" { - bucket = "moduscreate-devops-demo-tf-state-us-east-1" + bucket = "${var.backend_account_alias}-tf-state-us-east-1" key = "terraform-state.tfstate" - dynamodb_table = "moduscreate-devops-demo-state-lock" - region = "us-east-1" + dynamodb_table = "${var.backend_account_alias}-state-lock" + region = "${var.aws_region}" encrypt = "true" } } diff --git a/terraform/variables.tf b/terraform/variables.tf index 531fa1f..7932b59 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -111,3 +111,8 @@ variable "newrelic_alert_email" { description = "New Relic alert email" default = "" } + +variable "backend_account_alias" { + description = "Account alias, or prefix, used by bootstrap project" + default = "moduscreate-devops-demo" +} From c6d33d4303529aa0dfaef59c75c436d5a56c2682 Mon Sep 17 00:00:00 2001 
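Review bot: The `-backend-config bucket=…` and `dynamodb_table=…` arguments removed here were the only valid way to parameterise this backend: the terraform/terraform.tf hunk of this same patch now puts `bucket = "${var.backend_account_alias}-tf-state-us-east-1"`, `dynamodb_table = "${var.backend_account_alias}-state-lock"` and `region = "${var.aws_region}"` inside `backend "s3"`, and Terraform rejects input variables (or any other named value) in a backend block, so `terraform init` will fail on that file before anything else runs. Keep literal values in terraform.tf, or omit those three arguments as a partial configuration and keep supplying them from this script, e.g. `-backend-config bucket=${TF_BACKEND_ALIAS}-tf-state-${AWS_DEFAULT_REGION} \` and `-backend-config dynamodb_table=${TF_BACKEND_ALIAS}-state-lock \`, where `TF_BACKEND_ALIAS` is a constructed placeholder for wherever the script sources the alias and the `<alias>-tf-state-<region>` shape is taken from the bootstrap README output. The `backend_account_alias` variable added to terraform/variables.tf in this patch then has no consumer and should be dropped rather than left to suggest the backend can be driven from variables. Separately, the region passed here must be the region the bootstrap bucket was created in, so an `AWS_DEFAULT_REGION` other than the `us-east-1` hard-coded into the bucket name cannot work; init_terraform's body continues beyond the hunk.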
From: Akash Agrawal Date: Tue, 30 Aug 2022 10:40:34 +0530 Subject: [PATCH 04/20] DOPS-101 Bootstrap terraform state for sandbox account We validate the backend in our CI and need the S3 and DynamoDB resources to exist for that to pass. --- terraform/bootstrap/terraform.tfstate | 1567 +++++++++++++++++++++++++ 1 file changed, 1567 insertions(+) create mode 100644 terraform/bootstrap/terraform.tfstate diff --git a/terraform/bootstrap/terraform.tfstate b/terraform/bootstrap/terraform.tfstate new file mode 100644 index 0000000..c836561 --- /dev/null +++ b/terraform/bootstrap/terraform.tfstate 
@@ -0,0 +1,1567 @@ +{ + "version": 4, + "terraform_version": "1.2.7", + "serial": 181, + "lineage": "3466ed5e-b3d1-107e-19aa-0306c957a966", + "outputs": { + "account_id": { + "value": "587267277416", + "type": "string" + }, + "arn": { + "value": "arn:aws:sts::587267277416:assumed-role/AWSReservedSSO_AdministratorAccess_f36dc38d21a01223/akash@moduscreate.com", + "type": "string" + }, + "backend_details": { + "value": { + "dynamodb_table": "moduscreate-devops-demo-state-lock", + "logging_bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "state_bucket": "moduscreate-devops-demo-tf-state-us-east-1" + }, + "type": [ + "object", + { + "dynamodb_table": "string", + "logging_bucket": "string", + "state_bucket": "string" + } + ] + }, + "user_id": { + "value": "AROAYRO63QJUDMIL2CDJT:akash@moduscreate.com", + "type": "string" + } + }, + "resources": [ + { + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "587267277416", + "arn": "arn:aws:sts::587267277416:assumed-role/AWSReservedSSO_AdministratorAccess_f36dc38d21a01223/akash@moduscreate.com", + "id": "587267277416", + "user_id": "AROAYRO63QJUDMIL2CDJT:akash@moduscreate.com" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap", + "mode": "managed", + "type": "aws_dynamodb_table", + "name": "terraform_state_lock", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 1, + "attributes": { + "arn": "arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock", + "attribute": [ + { + "name": "LockID", + "type": "S" + } + ], + "billing_mode": "PROVISIONED", + "global_secondary_index": [], + "hash_key": "LockID", + "id": "moduscreate-devops-demo-state-lock", + "local_secondary_index": [], + "name": "moduscreate-devops-demo-state-lock", + 
"point_in_time_recovery": [ + { + "enabled": false + } + ], + "range_key": null, + "read_capacity": 2, + "replica": [], + "restore_date_time": null, + "restore_source_name": null, + "restore_to_latest_time": null, + "server_side_encryption": [ + { + "enabled": true, + "kms_key_arn": "arn:aws:kms:us-east-1:587267277416:key/51417bc8-fc8d-42c0-8a6a-9cd96b202aba" + } + ], + "stream_arn": "", + "stream_enabled": false, + "stream_label": "", + "stream_view_type": "", + "table_class": "", + "tags": { + "Automation": "Terraform", + "Name": "terraform-state-lock" + }, + "tags_all": { + "Automation": "Terraform", + "Name": "terraform-state-lock" + }, + "timeouts": null, + "ttl": [ + { + "attribute_name": "", + "enabled": false + } + ], + "write_capacity": 2 + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=" + } + ] + }, + { + "module": "module.bootstrap", + "mode": "managed", + "type": "aws_iam_account_alias", + "name": "alias", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "account_alias": "moduscreate-devops-demo", + "id": "moduscreate-devops-demo" + }, + "sensitive_attributes": [], + "private": "bnVsbA==" + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "587267277416", + "arn": "arn:aws:sts::587267277416:assumed-role/AWSReservedSSO_AdministratorAccess_f36dc38d21a01223/akash@moduscreate.com", + "id": "587267277416", + "user_id": "AROAYRO63QJUDMIL2CDJT:akash@moduscreate.com" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": 
"module.bootstrap.module.terraform_state_bucket", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "supplemental_policy", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "576074780", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n },\n {\n \"Sid\": \"inventory-and-analytics\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"Service\": \"s3.amazonaws.com\"\n },\n \"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"\n },\n \"StringEquals\": {\n \"aws:SourceAccount\": \"587267277416\",\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n }\n ]\n}", + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "s3:*" + ], + "condition": [ + { + "test": "Bool", + "values": [ + "false" + ], + "variable": "aws:SecureTransport" + } + ], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "*" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*" + ], + "sid": "enforce-tls-requests-only" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [ + { + "test": "ArnLike", + "values": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1" + ], + "variable": "aws:SourceArn" + }, + { + "test": "StringEquals", + "values": [ + "587267277416" 
+ ], + "variable": "aws:SourceAccount" + }, + { + "test": "StringEquals", + "values": [ + "bucket-owner-full-control" + ], + "variable": "s3:x-amz-acl" + } + ], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "s3.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*" + ], + "sid": "inventory-and-analytics" + } + ], + "version": "2012-10-17" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "data", + "type": "aws_partition", + "name": "current", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "dns_suffix": "amazonaws.com", + "id": "aws", + "partition": "aws", + "reverse_dns_prefix": "com.amazonaws" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "private_bucket", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "acceleration_status": "", + "acl": null, + "arn": "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1", + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "bucket_domain_name": "moduscreate-devops-demo-tf-state-us-east-1.s3.amazonaws.com", + "bucket_prefix": null, + "bucket_regional_domain_name": "moduscreate-devops-demo-tf-state-us-east-1.s3.amazonaws.com", + "cors_rule": [], + "force_destroy": false, + "grant": [ + { + "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462", + "permissions": [ + "FULL_CONTROL" + ], + "type": "CanonicalUser", + "uri": "" + } + ], + "hosted_zone_id": "Z3AQBSTGFYJSTF", + "id": "moduscreate-devops-demo-tf-state-us-east-1", + "lifecycle_rule": [], + "logging": [], + 
"object_lock_configuration": [], + "object_lock_enabled": false, + "policy": "", + "region": "us-east-1", + "replication_configuration": [], + "request_payer": "BucketOwner", + "server_side_encryption_configuration": [], + "tags": { + "Automation": "Terraform" + }, + "tags_all": { + "Automation": "Terraform" + }, + "timeouts": null, + "versioning": [ + { + "enabled": false, + "mfa_delete": false + } + ], + "website": [], + "website_domain": null, + "website_endpoint": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + 
"module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket_acl", + "name": "private_bucket", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "access_control_policy": [ + { + "grant": [ + { + "grantee": [ + { + "display_name": "richard+devopssandbox", + "email_address": "", + "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462", + "type": "CanonicalUser", + "uri": "" + } + ], + "permission": "FULL_CONTROL" + } + ], + "owner": [ + { + "display_name": "richard+devopssandbox", + "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462" + } + ] + } + ], + "acl": "private", + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-us-east-1,private" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.aws_s3_bucket.private_bucket", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + 
"module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket_analytics_configuration", + "name": "private_analytics_config", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "filter": [], + "id": "moduscreate-devops-demo-tf-state-us-east-1:Analytics", + "name": "Analytics", + "storage_class_analysis": [ + { + "data_export": [ + { + "destination": [ + { + "s3_bucket_destination": [ + { + "bucket_account_id": "", + "bucket_arn": "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1", + "format": "CSV", + "prefix": "_AWSBucketAnalytics" + } + ] + } + ], + "output_schema_version": "V_1" + } + ] + } + ] + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.aws_s3_bucket.private_bucket", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + 
"module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "private_bucket", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-us-east-1", + "rule": [ + { + "abort_incomplete_multipart_upload": [ + { + "days_after_initiation": 14 + } + ], + "expiration": [ + { + "date": "", + "days": 0, + "expired_object_delete_marker": true + } + ], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "", + "tag": [] + } + ], + "id": "abort-incomplete-multipart-upload", + "noncurrent_version_expiration": [ + { 
+ "newer_noncurrent_versions": "", + "noncurrent_days": 365 + } + ], + "noncurrent_version_transition": [ + { + "newer_noncurrent_versions": "", + "noncurrent_days": 30, + "storage_class": "STANDARD_IA" + } + ], + "prefix": "", + "status": "Enabled", + "transition": [] + }, + { + "abort_incomplete_multipart_upload": [], + "expiration": [ + { + "date": "", + "days": 14, + "expired_object_delete_marker": false + } + ], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "_AWSBucketInventory/", + "tag": [] + } + ], + "id": "aws-bucket-inventory", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + }, + { + "abort_incomplete_multipart_upload": [], + "expiration": [ + { + "date": "", + "days": 30, + "expired_object_delete_marker": false + } + ], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "_AWSBucketAnalytics/", + "tag": [] + } + ], + "id": "aws-bucket-analytics", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + } + ] + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.aws_s3_bucket.private_bucket", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + 
"module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket_logging", + "name": "private_bucket", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-us-east-1", + "target_bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "target_grant": [], + "target_prefix": "s3/moduscreate-devops-demo-tf-state-us-east-1/" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.aws_s3_bucket.private_bucket", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + 
"module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket_policy", + "name": "private_bucket", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "id": "moduscreate-devops-demo-tf-state-us-east-1", + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n },\n {\n \"Sid\": \"inventory-and-analytics\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n 
\"Service\": \"s3.amazonaws.com\"\n },\n \"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"\n },\n \"StringEquals\": {\n \"aws:SourceAccount\": \"587267277416\",\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n }\n ]\n}" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.aws_s3_bucket.private_bucket", + "module.bootstrap.module.terraform_state_bucket.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_policy_document.supplemental_policy", + "module.bootstrap.module.terraform_state_bucket.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + 
"module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "public_access_block", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "block_public_acls": true, + "block_public_policy": true, + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "id": "moduscreate-devops-demo-tf-state-us-east-1", + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.aws_s3_bucket.private_bucket", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + 
"module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket_server_side_encryption_configuration", + "name": "private_bucket", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-us-east-1", + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ], + "bucket_key_enabled": false + } + ] + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.aws_s3_bucket.private_bucket", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + 
"module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket", + "mode": "managed", + "type": "aws_s3_bucket_versioning", + "name": "private_bucket", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-us-east-1", + "mfa": null, + "versioning_configuration": [ + { + "mfa_delete": "", + "status": "Enabled" + } + ] + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket.aws_s3_bucket.private_bucket", + "module.bootstrap.module.terraform_state_bucket.data.aws_iam_account_alias.current", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_public_access_block.public_access_block", + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs", + 
"module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "587267277416", + "arn": "arn:aws:sts::587267277416:assumed-role/AWSReservedSSO_AdministratorAccess_f36dc38d21a01223/akash@moduscreate.com", + "id": "587267277416", + "user_id": "AROAYRO63QJUDMIL2CDJT:akash@moduscreate.com" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "data", + "type": "aws_elb_service_account", + "name": "main", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::127311923021:root", + "id": "127311923021", + "region": null + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "main", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "2517482211", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": 
\"cloudtrail-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudtrail-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"config-permissions-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"config-bucket-delivery\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"elb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": 
\"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"alb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"nlb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"nlb-logs-acl-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"redshift-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"redshift-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"\n ],\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n 
\"aws:SecureTransport\": \"false\"\n }\n }\n }\n ]\n}", + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "s3:GetBucketAcl" + ], + "condition": [], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "cloudtrail.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1" + ], + "sid": "cloudtrail-logs-get-bucket-acl" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "bucket-owner-full-control" + ], + "variable": "s3:x-amz-acl" + } + ], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "cloudtrail.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*" + ], + "sid": "cloudtrail-logs-put-object" + }, + { + "actions": [ + "s3:GetBucketAcl" + ], + "condition": [], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "logs.us-east-1.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1" + ], + "sid": "cloudwatch-logs-get-bucket-acl" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "bucket-owner-full-control" + ], + "variable": "s3:x-amz-acl" + } + ], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "logs.us-east-1.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*" + ], + 
"sid": "cloudwatch-logs-put-object" + }, + { + "actions": [ + "s3:GetBucketAcl" + ], + "condition": [], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "config.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1" + ], + "sid": "config-permissions-check" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "bucket-owner-full-control" + ], + "variable": "s3:x-amz-acl" + } + ], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "config.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*" + ], + "sid": "config-bucket-delivery" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "arn:aws:iam::127311923021:root" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*" + ], + "sid": "elb-logs-put-object" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "arn:aws:iam::127311923021:root" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*" + ], + "sid": "alb-logs-put-object" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "bucket-owner-full-control" + ], + "variable": "s3:x-amz-acl" + } + ], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + 
"not_resources": [], + "principals": [ + { + "identifiers": [ + "delivery.logs.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*" + ], + "sid": "nlb-logs-put-object" + }, + { + "actions": [ + "s3:GetBucketAcl" + ], + "condition": [], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "delivery.logs.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1" + ], + "sid": "nlb-logs-acl-check" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "arn:aws:iam::193672423079:user/logs" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*" + ], + "sid": "redshift-logs-put-object" + }, + { + "actions": [ + "s3:GetBucketAcl" + ], + "condition": [], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "arn:aws:iam::193672423079:user/logs" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1" + ], + "sid": "redshift-logs-get-bucket-acl" + }, + { + "actions": [ + "s3:*" + ], + "condition": [ + { + "test": "Bool", + "values": [ + "false" + ], + "variable": "aws:SecureTransport" + } + ], + "effect": "Deny", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "*" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1", + "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*" + ], + "sid": "enforce-tls-requests-only" + } + ], + "version": "2012-10-17" + }, + 
"sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "data", + "type": "aws_partition", + "name": "current", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "dns_suffix": "amazonaws.com", + "id": "aws", + "partition": "aws", + "reverse_dns_prefix": "com.amazonaws" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "data", + "type": "aws_redshift_service_account", + "name": "main", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::193672423079:user/logs", + "id": "193672423079", + "region": null + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "data", + "type": "aws_region", + "name": "current", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "description": "US East (N. 
Virginia)", + "endpoint": "ec2.us-east-1.amazonaws.com", + "id": "us-east-1", + "name": "us-east-1" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "aws_logs", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "acceleration_status": "", + "acl": null, + "arn": "arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1", + "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "bucket_domain_name": "moduscreate-devops-demo-tf-state-log-us-east-1.s3.amazonaws.com", + "bucket_prefix": null, + "bucket_regional_domain_name": "moduscreate-devops-demo-tf-state-log-us-east-1.s3.amazonaws.com", + "cors_rule": [], + "force_destroy": false, + "grant": [ + { + "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462", + "permissions": [ + "FULL_CONTROL" + ], + "type": "CanonicalUser", + "uri": "" + } + ], + "hosted_zone_id": "Z3AQBSTGFYJSTF", + "id": "moduscreate-devops-demo-tf-state-log-us-east-1", + "lifecycle_rule": [], + "logging": [], + "object_lock_configuration": [], + "object_lock_enabled": false, + "policy": "", + "region": "us-east-1", + "replication_configuration": [], + "request_payer": "BucketOwner", + "server_side_encryption_configuration": [], + "tags": { + "Automation": "Terraform", + "Name": "moduscreate-devops-demo-tf-state-log-us-east-1" + }, + "tags_all": { + "Automation": "Terraform", + "Name": "moduscreate-devops-demo-tf-state-log-us-east-1" + }, + "timeouts": null, + "versioning": [ + { + "enabled": false, + "mfa_delete": false + } + ], + "website": [], + "website_domain": null, + "website_endpoint": null + }, + "sensitive_attributes": [], + "private": 
"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19" + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "managed", + "type": "aws_s3_bucket_acl", + "name": "aws_logs", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "access_control_policy": [ + { + "grant": [ + { + "grantee": [ + { + "display_name": "", + "email_address": "", + "id": "", + "type": "Group", + "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" + } + ], + "permission": "READ_ACP" + }, + { + "grantee": [ + { + "display_name": "", + "email_address": "", + "id": "", + "type": "Group", + "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" + } + ], + "permission": "WRITE" + }, + { + "grantee": [ + { + "display_name": "richard+devopssandbox", + "email_address": "", + "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462", + "type": "CanonicalUser", + "uri": "" + } + ], + "permission": "FULL_CONTROL" + } + ], + "owner": [ + { + "display_name": "richard+devopssandbox", + "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462" + } + ] + } + ], + "acl": "log-delivery-write", + "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-log-us-east-1,log-delivery-write" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "aws_logs", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": 
"moduscreate-devops-demo-tf-state-log-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-log-us-east-1", + "rule": [ + { + "abort_incomplete_multipart_upload": [], + "expiration": [ + { + "date": "", + "days": 90, + "expired_object_delete_marker": false + } + ], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "/*", + "tag": [] + } + ], + "id": "expire_all_logs", + "noncurrent_version_expiration": [ + { + "newer_noncurrent_versions": "", + "noncurrent_days": 30 + } + ], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + } + ] + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "managed", + "type": "aws_s3_bucket_policy", + "name": "aws_logs", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "id": "moduscreate-devops-demo-tf-state-log-us-east-1", + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"cloudtrail-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudtrail-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": 
\"cloudwatch-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"config-permissions-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"config-bucket-delivery\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"elb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"alb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"nlb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": 
\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"nlb-logs-acl-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"redshift-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"redshift-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"\n ],\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n ]\n}" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "public_access_block", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + 
"schema_version": 0, + "attributes": { + "block_public_acls": true, + "block_public_policy": true, + "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "id": "moduscreate-devops-demo-tf-state-log-us-east-1", + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "managed", + "type": "aws_s3_bucket_server_side_encryption_configuration", + "name": "aws_logs", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-log-us-east-1", + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ], + "bucket_key_enabled": null + } + ] + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs" + ] + } + ] + }, + { + "module": "module.bootstrap.module.terraform_state_bucket_logs", + "mode": "managed", + "type": "aws_s3_bucket_versioning", + "name": "aws_logs", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "expected_bucket_owner": "", + "id": "moduscreate-devops-demo-tf-state-log-us-east-1", + "mfa": null, + "versioning_configuration": [ + { + "mfa_delete": "", + "status": "Disabled" + } + ] + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs" + ] + } + ] + } + ] +} 
From 59441c346536067447c1e86e149ac142145c4df8 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Wed, 31 Aug 2022 17:59:31 +0530 Subject: [PATCH 05/20] DOPS-101 Remove interpolation from backend Terraform does not allow interpolation of values in backend block. This is because it executes backend way before other stuff. --- terraform/terraform.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/terraform.tf b/terraform/terraform.tf index d0e9e9b..0cfa892 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf @@ -4,10 +4,10 @@ terraform { # ./bootstrap project. See ./bootstrap/README.md for details. #=================================================================== backend "s3" { - bucket = "${var.backend_account_alias}-tf-state-us-east-1" + bucket = "moduscreate-devops-demo-tf-state-us-east-1" key = "terraform-state.tfstate" - dynamodb_table = "${var.backend_account_alias}-state-lock" - region = "${var.aws_region}" + dynamodb_table = "moduscreate-devops-demo-state-lock" + region = "us-east-1" encrypt = "true" } } From 85d8d9528c3dd2c8cf2b0d233c7b3e04a3e12dbd Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Fri, 2 Sep 2022 12:33:27 +0530 Subject: [PATCH 06/20] DOPS-101 Use interpolation for variables Apparently, using variables without interpolation doesn't work with older terraform versions. In this case, 0.11.7. --- terraform/bootstrap/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf index eb6412f..0376cc7 100644 --- a/terraform/bootstrap/main.tf +++ b/terraform/bootstrap/main.tf 
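Review bot: The backend block now hard-codes the bucket, lock table and region, which Terraform requires because a backend cannot read variables, but it also ties this root module to one account; a partial backend configuration (leave those three attributes out of the block and supply them at init via `-backend-config=` for each environment) honours the same literal-only rule while keeping account-specific names out of the code. Separately, `encrypt = "true"` is a string where the attribute is boolean; `encrypt = true` is the idiomatic form. The literal names do line up with the `${var.account_alias}-state-lock` table and the `…-tf-state-us-east-1` bucket that the bootstrap module creates elsewhere in this series, so the values themselves look consistent.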
@@ -10,14 +10,14 @@ terraform { } provider "aws" { - region = var.aws_region + region = "${var.aws_region}" } module "bootstrap" { source = "trussworks/bootstrap/aws" - region = var.aws_region - account_alias = var.account_alias + region = "${var.aws_region}" + account_alias = "${var.account_alias}" dynamodb_table_name = "${var.account_alias}-state-lock" } @@ -37,5 +37,5 @@ output "user_id" { output "backend_details" { description = "Details of the S3 bucket and DynamoDB tables created for backend" - value = module.bootstrap + value = "${module.bootstrap}" } From 86a7e78d857cd3e258211d52c16c85a198365088 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Fri, 2 Sep 2022 12:47:48 +0530 Subject: [PATCH 07/20] DOPS-101 Fix formatting of bootstrap module --- terraform/bootstrap/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf index 0376cc7..0865b75 100644 --- a/terraform/bootstrap/main.tf +++ b/terraform/bootstrap/main.tf @@ -14,7 +14,7 @@ provider "aws" { } module "bootstrap" { - source = "trussworks/bootstrap/aws" + source = "trussworks/bootstrap/aws" region = "${var.aws_region}" account_alias = "${var.account_alias}" From f9d41cae67909771653b1adcade91400d7983482 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Thu, 8 Sep 2022 15:41:48 +0530 Subject: [PATCH 08/20] DOPS-101 Add s3 policy to role for jenkins --- terraform/bootstrap/jenkins.tf | 44 ++++ terraform/bootstrap/main.tf | 14 +- terraform/bootstrap/terraform.tfstate | 327 +++++++++++++++++++++++++- 3 files changed, 365 insertions(+), 20 deletions(-) create mode 100644 terraform/bootstrap/jenkins.tf diff --git a/terraform/bootstrap/jenkins.tf b/terraform/bootstrap/jenkins.tf new file mode 100644 index 0000000..2a5cc1f --- /dev/null +++ b/terraform/bootstrap/jenkins.tf 
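Review bot: `value = "${module.bootstrap}"` in the second hunk wraps a whole module object in a string template, which Terraform 0.12+ rejects as an invalid template interpolation value (only strings can be interpolated), and to my knowledge 0.11 does not allow referencing a module as a whole at all, so this output is unlikely to work on either version named in the commit message. Keep `value = module.bootstrap` (or list the specific scalar outputs) and apply the `"${…}"` quoting only to scalar attributes such as `region`. The 0.11.7 compatibility goal also conflicts with the `required_version = "~> 1.2.0"` and aws `~> 4.16` pins that a later hunk on this same main.tf shows, which is worth reconciling before choosing a syntax.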
@@ -0,0 +1,44 @@
+/*
+ We use jenkins to automate deployment with Terraform. Jenkins
+ is set up in a different AWS account.
+
+ This group of IAM resources allow jenkins to assume a role needed
+ to deploy resources (and make changes to backend).
+*/
+
+data "aws_iam_policy_document" "terraform_backend_account_policy" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::191447213457:role/jenkins-role"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "terraform_backend_role" {
+ name = "terraform_sandbox_backend_admin"
+ assume_role_policy = data.aws_iam_policy_document.terraform_backend_account_policy.json
+}
+
+data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
+ statement {
+ effect = "Allow"
+
+ actions = ["s3:*"]
+ resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
+ }
+}
+
+resource "aws_iam_policy" "terraform_backend_role_policy" {
+ name = "terraform-backend-role-policy"
+ policy = data.aws_iam_policy_document.terraform_backend_role_policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "terraform_backend_attachment" {
+ role = aws_iam_role.terraform_backend_role.name
+ policy_arn = aws_iam_policy.terraform_backend_role_policy.arn
+}
diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf
index 0865b75..3e0cc70 100644
--- a/terraform/bootstrap/main.tf
+++ b/terraform/bootstrap/main.tf
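Review bot: `actions = ["s3:*"]` in `terraform_backend_role_policy_document` grants the Jenkins role every object-level S3 action on the state bucket, while the S3 backend only needs get/put/delete on the state key; at the same time the policy omits what the backend does need, because `s3:ListBucket` is evaluated against the bucket ARN and does not match the `/*` resource, and there is no DynamoDB permission at all for the `${var.account_alias}-state-lock` table that main.tf configures, so state locking will be denied for this role. I would split the document into the three least-privilege statements below; the table ARN can be built from `var.aws_region` and `data.aws_caller_identity.current`, both already used in main.tf, and the object statement could be narrowed further to the single state key if no other root module shares the bucket. The trust policy correctly pins one role ARN in the other account, but the resulting role name, unique_id and policy_id are also written into terraform/bootstrap/terraform.tfstate, which this same patch commits per its diffstat, so that file's tracking status deserves a second look. The `aws_iam_policy` and attachment resources below the document need no change.

```hcl
data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
  # Object-level access to state objects only (no s3:*).
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
  }

  # ListBucket is checked against the bucket ARN, not "<bucket>/*".
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}"]
  }

  # State locking on the table created by module "bootstrap" in main.tf.
  statement {
    effect    = "Allow"
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/${var.account_alias}-state-lock"]
  }
}
# … unchanged: aws_iam_policy and aws_iam_role_policy_attachment …
```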
@@ -10,32 +10,32 @@ terraform { } provider "aws" { - region = "${var.aws_region}" + region = var.aws_region } module "bootstrap" { source = "trussworks/bootstrap/aws" - region = "${var.aws_region}" - account_alias = "${var.account_alias}" + region = var.aws_region + account_alias = var.account_alias dynamodb_table_name = "${var.account_alias}-state-lock" } data "aws_caller_identity" "current" {} output "account_id" { - value = "${data.aws_caller_identity.current.account_id}" + value = data.aws_caller_identity.current.account_id } output "arn" { - value = "${data.aws_caller_identity.current.arn}" + value = data.aws_caller_identity.current.arn } output "user_id" { - value = "${data.aws_caller_identity.current.user_id}" + value = data.aws_caller_identity.current.user_id } output "backend_details" { description = "Details of the S3 bucket and DynamoDB tables created for backend" - value = "${module.bootstrap}" + value = module.bootstrap } diff --git a/terraform/bootstrap/terraform.tfstate b/terraform/bootstrap/terraform.tfstate index c836561..3cf7a6e 100644 --- a/terraform/bootstrap/terraform.tfstate +++ b/terraform/bootstrap/terraform.tfstate @@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.2.7", - "serial": 181, + "serial": 188, "lineage": "3466ed5e-b3d1-107e-19aa-0306c957a966", "outputs": { "account_id": { 
@@ -51,6 +51,177 @@ } ] }, + { + "mode": "data", + "type": "aws_iam_policy_document", + "name": "terraform_backend_account_policy", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "2130418613", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::191447213457:role/jenkins-role\"\n }\n }\n ]\n}", + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "arn:aws:iam::191447213457:role/jenkins-role" + ], + "type": "AWS" + } + ], + "resources": [], + "sid": "" + } + ], + "version": "2012-10-17" + }, + "sensitive_attributes": [] + } + ] + }, + { + "mode": "data", + "type": "aws_iam_policy_document", + "name": "terraform_backend_role_policy_document", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "1576895499", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\"\n }\n ]\n}", + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "s3:*" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*" + ], + "sid": "" + } + ], + "version": "2012-10-17" + 
}, + "sensitive_attributes": [] + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_policy", + "name": "terraform_backend_role_policy", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::587267277416:policy/terraform-backend-role-policy", + "description": "", + "id": "arn:aws:iam::587267277416:policy/terraform-backend-role-policy", + "name": "terraform-backend-role-policy", + "name_prefix": null, + "path": "/", + "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", + "policy_id": "ANPAYRO63QJUBKUZHCXFH", + "tags": {}, + "tags_all": {} + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_iam_policy_document.terraform_backend_role_policy_document" + ] + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_role", + "name": "terraform_backend_role", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::587267277416:role/terraform_backend_admin", + "assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::191447213457:role/jenkins-role\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", + "create_date": "2022-09-08T07:40:10Z", + "description": "", + "force_detach_policies": false, + "id": "terraform_backend_admin", + "inline_policy": [], + "managed_policy_arns": [ + "arn:aws:iam::587267277416:policy/terraform-backend-role-policy" + ], + "max_session_duration": 3600, + "name": "terraform_backend_admin", + "name_prefix": "", + "path": "/", + "permissions_boundary": null, + "tags": {}, + "tags_all": {}, + "unique_id": "AROAYRO63QJUJ3QOZGTZF" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + 
"data.aws_iam_policy_document.terraform_backend_account_policy" + ] + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_role_policy_attachment", + "name": "terraform_backend_attachment", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "terraform_backend_admin-20220908083156757100000001", + "policy_arn": "arn:aws:iam::587267277416:policy/terraform-backend-role-policy", + "role": "terraform_backend_admin" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "aws_iam_policy.terraform_backend_role_policy", + "aws_iam_role.terraform_backend_role", + "data.aws_iam_policy_document.terraform_backend_account_policy", + "data.aws_iam_policy_document.terraform_backend_role_policy_document" + ] + } + ] + }, { "module": "module.bootstrap", "mode": "managed", 
@@ -305,15 +476,95 @@ ], "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "moduscreate-devops-demo-tf-state-us-east-1", - "lifecycle_rule": [], - "logging": [], + "lifecycle_rule": [ + { + "abort_incomplete_multipart_upload_days": 14, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 0, + "expired_object_delete_marker": true + } + ], + "id": "abort-incomplete-multipart-upload", + "noncurrent_version_expiration": [ + { + "days": 365 + } + ], + "noncurrent_version_transition": [ + { + "days": 30, + "storage_class": "STANDARD_IA" + } + ], + "prefix": "", + "tags": {}, + "transition": [] + }, + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 14, + "expired_object_delete_marker": false + } + ], + "id": "aws-bucket-inventory", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "_AWSBucketInventory/", + "tags": {}, + "transition": [] + }, + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 30, + "expired_object_delete_marker": false + } + ], + "id": "aws-bucket-analytics", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "_AWSBucketAnalytics/", + "tags": {}, + "transition": [] + } + ], + "logging": [ + { + "target_bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "target_prefix": "s3/moduscreate-devops-demo-tf-state-us-east-1/" + } + ], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": "", + "policy": 
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", - "server_side_encryption_configuration": [], + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ], + "bucket_key_enabled": false + } + ] + } + ], "tags": { "Automation": "Terraform" }, @@ -323,7 +574,7 @@ "timeouts": null, "versioning": [ { - "enabled": false, + "enabled": true, "mfa_delete": false } ], 
@@ -657,7 +908,7 @@ "attributes": { "bucket": "moduscreate-devops-demo-tf-state-us-east-1", "id": "moduscreate-devops-demo-tf-state-us-east-1", - "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n },\n {\n \"Sid\": \"inventory-and-analytics\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"Service\": \"s3.amazonaws.com\"\n },\n \"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"\n },\n \"StringEquals\": {\n \"aws:SourceAccount\": \"587267277416\",\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n }\n ]\n}" + "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"enforce-tls-requests-only\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"},\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"inventory-and-analytics\"}],\"Version\":\"2012-10-17\"}" }, "sensitive_attributes": [], "private": "bnVsbA==", 
@@ -1283,6 +1534,15 @@ "cors_rule": [], "force_destroy": false, "grant": [ + { + "id": "", + "permissions": [ + "READ_ACP", + "WRITE" + ], + "type": "Group", + "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" + }, { "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462", "permissions": [ 
@@ -1294,15 +1554,51 @@ ], "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "moduscreate-devops-demo-tf-state-log-us-east-1", - "lifecycle_rule": [], + "lifecycle_rule": [ + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 90, + "expired_object_delete_marker": false + } + ], + "id": "expire_all_logs", + "noncurrent_version_expiration": [ + { + "days": 30 + } + ], + "noncurrent_version_transition": [], + "prefix": "/*", + "tags": {}, + "transition": [] + } + ], "logging": [], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": "", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"cloudtrail-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"cloudtrail-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"cloudwatch-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"cloudwatch-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"config-permissions-check\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state
-log-us-east-1\"},{\"Sid\":\"config-bucket-delivery\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"elb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\"},{\"Sid\":\"alb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\"},{\"Sid\":\"nlb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"nlb-logs-acl-check\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"redshift-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\"},{\"Sid\":\"redshift-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3
:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", - "server_side_encryption_configuration": [], + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ], + "bucket_key_enabled": false + } + ] + } + ], "tags": { "Automation": "Terraform", "Name": "moduscreate-devops-demo-tf-state-log-us-east-1" 
@@ -1464,13 +1760,18 @@ "attributes": { "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", "id": "moduscreate-devops-demo-tf-state-log-us-east-1", - "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"cloudtrail-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudtrail-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"config-permissions-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"config-bucket-delivery\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\n 
\"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"elb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"alb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"nlb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"nlb-logs-acl-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"redshift-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"redshift-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n 
\"Resource\": [\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"\n ],\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n ]\n}" + "policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"cloudtrail-logs-get-bucket-acl\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\"Sid\":\"cloudtrail-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"cloudwatch-logs-get-bucket-acl\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\"Sid\":\"cloudwatch-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"config-permissions-check\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\"Sid\":\"config-bucket-delivery\"},{\"Ac
tion\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\"Sid\":\"elb-logs-put-object\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\"Sid\":\"alb-logs-put-object\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\"Sid\":\"nlb-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"nlb-logs-acl-check\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\"Sid\":\"redshift-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"redshift-logs-get-bucket-acl\"},{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":[\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"],\"Sid\":\"enforce-tls-requests-only\"}],\"Version\":\"2012-10-17\"}" }, "sensitive_attributes": [], "private": "bnVsbA==", "dependencies": [ 
"module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", - "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main" + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" ] } ] @@ -1522,7 +1823,7 @@ "sse_algorithm": "AES256" } ], - "bucket_key_enabled": null + "bucket_key_enabled": false } ] }, From 20df5340ff5f85c7a3791437fb26e18f05b50866 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Fri, 9 Sep 2022 12:19:34 +0530 Subject: [PATCH 09/20] DOPS-101 Sync terraform and aws versions with main project Use the same versions of terraform and aws provider in bootstrap as the main project. This avoids any tricky version mismatch. TODO Update terraform and aws to latest --- terraform/bootstrap/main.tf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf index 3e0cc70..5561344 100644 --- a/terraform/bootstrap/main.tf +++ b/terraform/bootstrap/main.tf @@ -2,11 +2,9 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.16" + version = "~> 1.57" } } - - required_version = "~> 1.2.0" } provider "aws" { From 317cccbcc3016c68685f18db5a4849ad35707ce2 Mon Sep 17 00:00:00 2001 
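Review bot: The main.tf hunk of patch 09 deletes `required_version = "~> 1.2.0"` outright instead of syncing it with the main project, and the follow-up revert in patch 10 restores only the provider constraint, so the bootstrap module ends this series with no Terraform version pin while its state records `terraform_version` 1.2.x. Keep a pin next to `required_providers`, e.g. `required_version = "~> 1.2"`, so a newer CLI cannot silently upgrade the state format. The `~> 1.57` provider constraint is also hard to reconcile with the committed state, which already holds provider-4.x-only resource types such as `aws_s3_bucket_versioning`; a provider downgrade against that state would presumably fail at plan time, which may be why patch 10 reverts it.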
From: Akash Agrawal Date: Sat, 10 Sep 2022 11:30:18 +0530 Subject: [PATCH 10/20] DOPS-101 Revert to latest versions for terraform and AWS --- terraform/bootstrap/main.tf | 2 +- terraform/bootstrap/terraform.tfstate | 206 ++++---------------------- 2 files changed, 26 insertions(+), 182 deletions(-) diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf index 5561344..771c8fb 100644 --- a/terraform/bootstrap/main.tf +++ b/terraform/bootstrap/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 1.57" + version = "~> 4.27" } } } diff --git a/terraform/bootstrap/terraform.tfstate b/terraform/bootstrap/terraform.tfstate index 3cf7a6e..4bed74c 100644 --- a/terraform/bootstrap/terraform.tfstate +++ b/terraform/bootstrap/terraform.tfstate @@ -1,7 +1,7 @@ { "version": 4, - "terraform_version": "1.2.7", - "serial": 188, + "terraform_version": "1.2.9", + "serial": 213, "lineage": "3466ed5e-b3d1-107e-19aa-0306c957a966", "outputs": { "account_id": { @@ -150,8 +150,8 @@ "name_prefix": null, "path": "/", "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", - "policy_id": "ANPAYRO63QJUBKUZHCXFH", - "tags": {}, + "policy_id": "ANPAYRO63QJUEYGCFJVOK", + "tags": null, "tags_all": {} }, "sensitive_attributes": [], 
@@ -171,24 +171,22 @@ { "schema_version": 0, "attributes": { - "arn": "arn:aws:iam::587267277416:role/terraform_backend_admin", + "arn": "arn:aws:iam::587267277416:role/terraform_sandbox_backend_admin", "assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::191447213457:role/jenkins-role\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", - "create_date": "2022-09-08T07:40:10Z", + "create_date": "2022-09-10T05:53:56Z", "description": "", "force_detach_policies": false, - "id": "terraform_backend_admin", + "id": "terraform_sandbox_backend_admin", "inline_policy": [], - "managed_policy_arns": [ - "arn:aws:iam::587267277416:policy/terraform-backend-role-policy" - ], + "managed_policy_arns": [], "max_session_duration": 3600, - "name": "terraform_backend_admin", + "name": "terraform_sandbox_backend_admin", "name_prefix": "", "path": "/", "permissions_boundary": null, - "tags": {}, + "tags": null, "tags_all": {}, - "unique_id": "AROAYRO63QJUJ3QOZGTZF" + "unique_id": "AROAYRO63QJUODJCEJTID" }, "sensitive_attributes": [], "private": "bnVsbA==", @@ -207,9 +205,9 @@ { "schema_version": 0, "attributes": { - "id": "terraform_backend_admin-20220908083156757100000001", + "id": "terraform_sandbox_backend_admin-20220910055357707400000001", "policy_arn": "arn:aws:iam::587267277416:policy/terraform-backend-role-policy", - "role": "terraform_backend_admin" + "role": "terraform_sandbox_backend_admin" }, "sensitive_attributes": [], "private": "bnVsbA==", 
@@ -476,95 +474,15 @@ ], "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "moduscreate-devops-demo-tf-state-us-east-1", - "lifecycle_rule": [ - { - "abort_incomplete_multipart_upload_days": 14, - "enabled": true, - "expiration": [ - { - "date": "", - "days": 0, - "expired_object_delete_marker": true - } - ], - "id": "abort-incomplete-multipart-upload", - "noncurrent_version_expiration": [ - { - "days": 365 - } - ], - "noncurrent_version_transition": [ - { - "days": 30, - "storage_class": "STANDARD_IA" - } - ], - "prefix": "", - "tags": {}, - "transition": [] - }, - { - "abort_incomplete_multipart_upload_days": 0, - "enabled": true, - "expiration": [ - { - "date": "", - "days": 14, - "expired_object_delete_marker": false - } - ], - "id": "aws-bucket-inventory", - "noncurrent_version_expiration": [], - "noncurrent_version_transition": [], - "prefix": "_AWSBucketInventory/", - "tags": {}, - "transition": [] - }, - { - "abort_incomplete_multipart_upload_days": 0, - "enabled": true, - "expiration": [ - { - "date": "", - "days": 30, - "expired_object_delete_marker": false - } - ], - "id": "aws-bucket-analytics", - "noncurrent_version_expiration": [], - "noncurrent_version_transition": [], - "prefix": "_AWSBucketAnalytics/", - "tags": {}, - "transition": [] - } - ], - "logging": [ - { - "target_bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", - "target_prefix": "s3/moduscreate-devops-demo-tf-state-us-east-1/" - } - ], + "lifecycle_rule": [], + "logging": [], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": 
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}", + "policy": "", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", - "server_side_encryption_configuration": [ - { - "rule": [ - { - "apply_server_side_encryption_by_default": [ - { - "kms_master_key_id": "", - "sse_algorithm": "AES256" - } - ], - "bucket_key_enabled": false - } - ] - } - ], + "server_side_encryption_configuration": [], "tags": { "Automation": "Terraform" }, @@ -574,7 +492,7 @@ "timeouts": null, "versioning": [ { - "enabled": true, + "enabled": false, "mfa_delete": false } ], 
@@ -908,7 +826,7 @@ "attributes": { "bucket": "moduscreate-devops-demo-tf-state-us-east-1", "id": "moduscreate-devops-demo-tf-state-us-east-1", - "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"enforce-tls-requests-only\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"},\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"inventory-and-analytics\"}],\"Version\":\"2012-10-17\"}" + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n },\n {\n \"Sid\": \"inventory-and-analytics\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"Service\": \"s3.amazonaws.com\"\n },\n \"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"\n },\n \"StringEquals\": {\n \"aws:SourceAccount\": \"587267277416\",\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n }\n ]\n}" }, "sensitive_attributes": [], "private": "bnVsbA==", 
@@ -1534,15 +1452,6 @@ "cors_rule": [], "force_destroy": false, "grant": [ - { - "id": "", - "permissions": [ - "READ_ACP", - "WRITE" - ], - "type": "Group", - "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" - }, { "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462", "permissions": [ 
@@ -1554,51 +1463,15 @@ ], "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "moduscreate-devops-demo-tf-state-log-us-east-1", - "lifecycle_rule": [ - { - "abort_incomplete_multipart_upload_days": 0, - "enabled": true, - "expiration": [ - { - "date": "", - "days": 90, - "expired_object_delete_marker": false - } - ], - "id": "expire_all_logs", - "noncurrent_version_expiration": [ - { - "days": 30 - } - ], - "noncurrent_version_transition": [], - "prefix": "/*", - "tags": {}, - "transition": [] - } - ], + "lifecycle_rule": [], "logging": [], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"cloudtrail-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"cloudtrail-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"cloudwatch-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"cloudwatch-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"config-permissions-check\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"
},{\"Sid\":\"config-bucket-delivery\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"elb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\"},{\"Sid\":\"alb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\"},{\"Sid\":\"nlb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"nlb-logs-acl-check\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"redshift-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\"},{\"Sid\":\"redshift-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::moduscreate-d
evops-demo-tf-state-log-us-east-1/*\",\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}", + "policy": "", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", - "server_side_encryption_configuration": [ - { - "rule": [ - { - "apply_server_side_encryption_by_default": [ - { - "kms_master_key_id": "", - "sse_algorithm": "AES256" - } - ], - "bucket_key_enabled": false - } - ] - } - ], + "server_side_encryption_configuration": [], "tags": { "Automation": "Terraform", "Name": "moduscreate-devops-demo-tf-state-log-us-east-1" @@ -1636,30 +1509,6 @@ "access_control_policy": [ { "grant": [ - { - "grantee": [ - { - "display_name": "", - "email_address": "", - "id": "", - "type": "Group", - "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" - } - ], - "permission": "READ_ACP" - }, - { - "grantee": [ - { - "display_name": "", - "email_address": "", - "id": "", - "type": "Group", - "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" - } - ], - "permission": "WRITE" - }, { "grantee": [ { 
@@ -1760,18 +1609,13 @@ "attributes": { "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", "id": "moduscreate-devops-demo-tf-state-log-us-east-1", - "policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"cloudtrail-logs-get-bucket-acl\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\"Sid\":\"cloudtrail-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"cloudwatch-logs-get-bucket-acl\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\"Sid\":\"cloudwatch-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"config-permissions-check\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\"Sid\":\"config-bucket-delivery\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Resource\":\"arn:aws:s3:::
moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\"Sid\":\"elb-logs-put-object\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\"Sid\":\"alb-logs-put-object\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\"Sid\":\"nlb-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"nlb-logs-acl-check\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\"Sid\":\"redshift-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"redshift-logs-get-bucket-acl\"},{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":[\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"],\"Sid\":\"enforce-tls-requests-only\"}],\"Version\":\"2012-10-17\"}" + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"cloudtrail-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n 
\"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudtrail-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"config-permissions-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"config-bucket-delivery\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"elb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n 
{\n \"Sid\": \"alb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"nlb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"nlb-logs-acl-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"redshift-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"redshift-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"\n ],\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n ]\n}" }, "sensitive_attributes": [], "private": "bnVsbA==", "dependencies": [ "module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", - 
"module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", - "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", - "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", - "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", - "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", - "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main" ] } ] @@ -1823,7 +1667,7 @@ "sse_algorithm": "AES256" } ], - "bucket_key_enabled": false + "bucket_key_enabled": null } ] }, From e6ab2693ea40206b329a70b5ec23137915d5be10 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Sat, 10 Sep 2022 11:38:03 +0530 Subject: [PATCH 11/20] DOPS-101 Disable atlantis autoplan for bootstrap --- atlantis.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 atlantis.yaml diff --git a/atlantis.yaml b/atlantis.yaml new file mode 100644 index 0000000..68b4886 --- /dev/null +++ b/atlantis.yaml @@ -0,0 +1,7 @@ +version: 3 +projects: +- dir: ./terraform + terraform_version: v0.11.7 +- dir: ./terraform/bootstrap + autoplan: + enabled: false From 63150d03282961dcdd54d97bfae2e5d617285ed9 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Sat, 10 Sep 2022 11:55:27 +0530 Subject: [PATCH 12/20] DOPS-101 Add dynamodb permissions to jenkins role --- terraform/bootstrap/jenkins.tf | 7 + terraform/bootstrap/terraform.tfstate | 213 +++++++++++++++++++++++--- 2 files changed, 200 insertions(+), 20 deletions(-) diff --git a/terraform/bootstrap/jenkins.tf b/terraform/bootstrap/jenkins.tf index 2a5cc1f..ca74dda 100644 --- a/terraform/bootstrap/jenkins.tf +++ b/terraform/bootstrap/jenkins.tf 
@@ -31,6 +31,13 @@ data "aws_iam_policy_document" "terraform_backend_role_policy_document" { actions = ["s3:*"] resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"] } + + statement { + effect = "Allow" + + actions = ["dynamodb:*"] + resources = ["arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/${module.bootstrap.dynamodb_table}"] + } } resource "aws_iam_policy" "terraform_backend_role_policy" { diff --git a/terraform/bootstrap/terraform.tfstate b/terraform/bootstrap/terraform.tfstate index 4bed74c..ac7b90f 100644 --- a/terraform/bootstrap/terraform.tfstate +++ b/terraform/bootstrap/terraform.tfstate @@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.2.9", - "serial": 213, + "serial": 215, "lineage": "3466ed5e-b3d1-107e-19aa-0306c957a966", "outputs": { "account_id": { @@ -104,8 +104,8 @@ { "schema_version": 0, "attributes": { - "id": "1576895499", - "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\"\n }\n ]\n}", + "id": "1540866772", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock\"\n }\n ]\n}", "override_json": null, "override_policy_documents": null, "policy_id": null, 
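Review bot: The new statement grants `dynamodb:*` on the lock table, which is broader than state locking needs; the S3 backend's documented requirements for the lock table are `dynamodb:DescribeTable`, `dynamodb:GetItem`, `dynamodb:PutItem` and `dynamodb:DeleteItem`. Replacing the wildcard with `actions = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]` keeps the backend role from being able to delete or alter the table itself while still allowing it to acquire and release locks. The preceding `s3:*` statement shown as context follows the same wildcard pattern, but this commit does not touch it. The enclosing `data "aws_iam_policy_document" "terraform_backend_role_policy_document"` block begins outside the hunk.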
@@ -126,6 +126,21 @@ "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*" ], "sid": "" + }, + { + "actions": [ + "dynamodb:*" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [], + "resources": [ + "arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock" + ], + "sid": "" } ], "version": "2012-10-17" @@ -149,9 +164,9 @@ "name": "terraform-backend-role-policy", "name_prefix": null, "path": "/", - "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", + "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"\"},{\"Action\":\"dynamodb:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", "policy_id": "ANPAYRO63QJUEYGCFJVOK", - "tags": null, + "tags": {}, "tags_all": {} }, "sensitive_attributes": [], @@ -178,13 +193,15 @@ "force_detach_policies": false, "id": "terraform_sandbox_backend_admin", "inline_policy": [], - "managed_policy_arns": [], + "managed_policy_arns": [ + "arn:aws:iam::587267277416:policy/terraform-backend-role-policy" + ], "max_session_duration": 3600, "name": "terraform_sandbox_backend_admin", "name_prefix": "", "path": "/", "permissions_boundary": null, - "tags": null, + "tags": {}, "tags_all": {}, "unique_id": "AROAYRO63QJUODJCEJTID" }, 
@@ -214,8 +231,10 @@ "dependencies": [ "aws_iam_policy.terraform_backend_role_policy", "aws_iam_role.terraform_backend_role", + "data.aws_caller_identity.current", "data.aws_iam_policy_document.terraform_backend_account_policy", - "data.aws_iam_policy_document.terraform_backend_role_policy_document" + "data.aws_iam_policy_document.terraform_backend_role_policy_document", + "module.bootstrap.aws_dynamodb_table.terraform_state_lock" ] } ] 
@@ -474,15 +493,95 @@ ], "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "moduscreate-devops-demo-tf-state-us-east-1", - "lifecycle_rule": [], - "logging": [], + "lifecycle_rule": [ + { + "abort_incomplete_multipart_upload_days": 14, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 0, + "expired_object_delete_marker": true + } + ], + "id": "abort-incomplete-multipart-upload", + "noncurrent_version_expiration": [ + { + "days": 365 + } + ], + "noncurrent_version_transition": [ + { + "days": 30, + "storage_class": "STANDARD_IA" + } + ], + "prefix": "", + "tags": {}, + "transition": [] + }, + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 14, + "expired_object_delete_marker": false + } + ], + "id": "aws-bucket-inventory", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "_AWSBucketInventory/", + "tags": {}, + "transition": [] + }, + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 30, + "expired_object_delete_marker": false + } + ], + "id": "aws-bucket-analytics", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "_AWSBucketAnalytics/", + "tags": {}, + "transition": [] + } + ], + "logging": [ + { + "target_bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "target_prefix": "s3/moduscreate-devops-demo-tf-state-us-east-1/" + } + ], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": "", + "policy": 
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\",\"aws:SourceAccount\":\"587267277416\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", - "server_side_encryption_configuration": [], + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ], + "bucket_key_enabled": false + } + ] + } + ], "tags": { "Automation": "Terraform" }, @@ -492,7 +591,7 @@ "timeouts": null, "versioning": [ { - "enabled": false, + "enabled": true, "mfa_delete": false } ], 
@@ -826,7 +925,7 @@ "attributes": { "bucket": "moduscreate-devops-demo-tf-state-us-east-1", "id": "moduscreate-devops-demo-tf-state-us-east-1", - "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n },\n {\n \"Sid\": \"inventory-and-analytics\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"Service\": \"s3.amazonaws.com\"\n },\n \"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"\n },\n \"StringEquals\": {\n \"aws:SourceAccount\": \"587267277416\",\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n }\n ]\n}" + "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"enforce-tls-requests-only\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"},\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"inventory-and-analytics\"}],\"Version\":\"2012-10-17\"}" }, "sensitive_attributes": [], "private": "bnVsbA==", 
@@ -1452,6 +1551,15 @@ "cors_rule": [], "force_destroy": false, "grant": [ + { + "id": "", + "permissions": [ + "READ_ACP", + "WRITE" + ], + "type": "Group", + "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" + }, { "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462", "permissions": [ 
@@ -1463,15 +1571,51 @@ ], "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "moduscreate-devops-demo-tf-state-log-us-east-1", - "lifecycle_rule": [], + "lifecycle_rule": [ + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 90, + "expired_object_delete_marker": false + } + ], + "id": "expire_all_logs", + "noncurrent_version_expiration": [ + { + "days": 30 + } + ], + "noncurrent_version_transition": [], + "prefix": "/*", + "tags": {}, + "transition": [] + } + ], "logging": [], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": "", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"cloudtrail-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"cloudtrail-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"cloudwatch-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"cloudwatch-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"config-permissions-check\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state
-log-us-east-1\"},{\"Sid\":\"config-bucket-delivery\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"elb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\"},{\"Sid\":\"alb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\"},{\"Sid\":\"nlb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"nlb-logs-acl-check\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"redshift-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\"},{\"Sid\":\"redshift-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3
:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", - "server_side_encryption_configuration": [], + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ], + "bucket_key_enabled": false + } + ] + } + ], "tags": { "Automation": "Terraform", "Name": "moduscreate-devops-demo-tf-state-log-us-east-1" @@ -1509,6 +1653,30 @@ "access_control_policy": [ { "grant": [ + { + "grantee": [ + { + "display_name": "", + "email_address": "", + "id": "", + "type": "Group", + "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" + } + ], + "permission": "READ_ACP" + }, + { + "grantee": [ + { + "display_name": "", + "email_address": "", + "id": "", + "type": "Group", + "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" + } + ], + "permission": "WRITE" + }, { "grantee": [ { 
@@ -1609,13 +1777,18 @@ "attributes": { "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", "id": "moduscreate-devops-demo-tf-state-log-us-east-1", - "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"cloudtrail-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudtrail-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"config-permissions-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"config-bucket-delivery\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\n 
\"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"elb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"alb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"nlb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"nlb-logs-acl-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"redshift-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"redshift-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n 
\"Resource\": [\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"\n ],\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n ]\n}" + "policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"cloudtrail-logs-get-bucket-acl\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\"Sid\":\"cloudtrail-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"cloudwatch-logs-get-bucket-acl\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\"Sid\":\"cloudwatch-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"config-permissions-check\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\"Sid\":\"config-bucket-delivery\"},{\"Ac
tion\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\"Sid\":\"elb-logs-put-object\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\"Sid\":\"alb-logs-put-object\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\"Sid\":\"nlb-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"nlb-logs-acl-check\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\"Sid\":\"redshift-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"redshift-logs-get-bucket-acl\"},{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":[\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"],\"Sid\":\"enforce-tls-requests-only\"}],\"Version\":\"2012-10-17\"}" }, "sensitive_attributes": [], "private": "bnVsbA==", "dependencies": [ 
"module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", - "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main" + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" ] } ] @@ -1667,7 +1840,7 @@ "sse_algorithm": "AES256" } ], - "bucket_key_enabled": null + "bucket_key_enabled": false } ] }, From 40cca15a9d37d9c322df3bb637335775b7c87fca Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Sat, 10 Sep 2022 12:05:29 +0530 Subject: [PATCH 13/20] DOPS-101 Specify role arn to work with backend --- terraform/aws.tf | 3 +++ terraform/bootstrap/jenkins.tf | 11 ++------- terraform/bootstrap/terraform.tfstate | 33 +++++++-------------------- terraform/terraform.tf | 1 + 4 files changed, 14 insertions(+), 34 deletions(-) diff --git a/terraform/aws.tf b/terraform/aws.tf index 3f11d9a..b108589 100644 --- a/terraform/aws.tf +++ b/terraform/aws.tf @@ -4,6 +4,9 @@ provider "aws" { region = "${var.aws_region}" version = "~> 1.57" + assume_role = { + role_arn = "arn:aws:iam::587267277416:role/terraform_sandbox_backend_admin" + } } data "aws_caller_identity" "current" {} diff --git a/terraform/bootstrap/jenkins.tf b/terraform/bootstrap/jenkins.tf index ca74dda..32ee958 100644 --- a/terraform/bootstrap/jenkins.tf +++ b/terraform/bootstrap/jenkins.tf 
@@ -28,15 +28,8 @@ data "aws_iam_policy_document" "terraform_backend_role_policy_document" { statement { effect = "Allow" - actions = ["s3:*"] - resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"] - } - - statement { - effect = "Allow" - - actions = ["dynamodb:*"] - resources = ["arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/${module.bootstrap.dynamodb_table}"] + actions = ["*"] + resources = ["*"] } } diff --git a/terraform/bootstrap/terraform.tfstate b/terraform/bootstrap/terraform.tfstate index ac7b90f..fd8724c 100644 --- a/terraform/bootstrap/terraform.tfstate +++ b/terraform/bootstrap/terraform.tfstate @@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.2.9", - "serial": 215, + "serial": 217, "lineage": "3466ed5e-b3d1-107e-19aa-0306c957a966", "outputs": { "account_id": { @@ -104,8 +104,8 @@ { "schema_version": 0, "attributes": { - "id": "1540866772", - "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock\"\n }\n ]\n}", + "id": "784443208", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"*\",\n \"Resource\": \"*\"\n }\n ]\n}", "override_json": null, "override_policy_documents": null, "policy_id": null, @@ -114,22 +114,7 @@ "statement": [ { "actions": [ - "s3:*" - ], - "condition": [], - "effect": "Allow", - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [], - "resources": [ - "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*" - ], - "sid": "" - }, - { - "actions": [ - "dynamodb:*" + "*" ], "condition": [], "effect": "Allow", 
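Review bot: Replacing the two scoped statements with `actions = ["*"]` / `resources = ["*"]` turns `terraform_backend_role_policy_document` into a full-administrator policy for the whole account, and the aws.tf and terraform.tf hunks in this same patch make every provider call and every state-backend access assume a `…backend_admin` role that is presumably the one this policy is attached to, so the blast radius of any Jenkins job or developer able to assume it is now the entire account. The removed statements already covered what the S3/DynamoDB backend needs on state objects and the lock table; what they lacked was `s3:ListBucket` on the bucket ARN itself (`arn:aws:s3:::${module.bootstrap.state_bucket}`, without `/*`), which seems a more likely cause of the "work with backend" failure the title describes than missing object or table permissions. Restore the two statements and add that bucket-level one; if the role must also provision the /terraform project, give it a separately named policy listing the services that project manages rather than widening the backend policy. The data block starts outside the hunk.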
@@ -138,7 +123,7 @@ "not_resources": [], "principals": [], "resources": [ - "arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock" + "*" ], "sid": "" } @@ -164,7 +149,7 @@ "name": "terraform-backend-role-policy", "name_prefix": null, "path": "/", - "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"\"},{\"Action\":\"dynamodb:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", + "policy": "{\"Statement\":[{\"Action\":\"*\",\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", "policy_id": "ANPAYRO63QJUEYGCFJVOK", "tags": {}, "tags_all": {} @@ -231,10 +216,8 @@ "dependencies": [ "aws_iam_policy.terraform_backend_role_policy", "aws_iam_role.terraform_backend_role", - "data.aws_caller_identity.current", "data.aws_iam_policy_document.terraform_backend_account_policy", - "data.aws_iam_policy_document.terraform_backend_role_policy_document", - "module.bootstrap.aws_dynamodb_table.terraform_state_lock" + "data.aws_iam_policy_document.terraform_backend_role_policy_document" ] } ] 
@@ -563,7 +546,7 @@ ], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\",\"aws:SourceAccount\":\"587267277416\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", diff --git a/terraform/terraform.tf b/terraform/terraform.tf index 0cfa892..ee089fa 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf @@ -9,6 +9,7 @@ terraform { dynamodb_table = "moduscreate-devops-demo-state-lock" region = "us-east-1" encrypt = "true" + role_arn = "arn:aws:iam::587267277416:role/terraform_sandbox_backend_admin" } } 
From fcb82ffc4becc3aaa2395efe420cdf4ea169a5f0 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Tue, 13 Sep 2022 11:13:10 -0400 Subject: [PATCH 14/20] Disable Atlantis --- atlantis.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/atlantis.yaml b/atlantis.yaml index 68b4886..6df4af9 100644 --- a/atlantis.yaml +++ b/atlantis.yaml @@ -1,7 +1,5 @@ +--- +# This does not use Atlantis (https://www.runatlantis.io/) to manage Terraform, +# so disable it with an empty list of projects. version: 3 projects: -- dir: ./terraform - terraform_version: v0.11.7 -- dir: ./terraform/bootstrap - autoplan: - enabled: false From fde725161d9a176c7da14c68648216ffcfd6c1b3 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Tue, 13 Sep 2022 12:15:26 -0400 Subject: [PATCH 15/20] Move bootstrap out of terraform directory --- {terraform/bootstrap => bootstrap}/.terraform.lock.hcl | 0 {terraform/bootstrap => bootstrap}/README.md | 2 +- {terraform/bootstrap => bootstrap}/jenkins.tf | 0 {terraform/bootstrap => bootstrap}/main.tf | 0 {terraform/bootstrap => bootstrap}/terraform.tfstate | 0 {terraform/bootstrap => bootstrap}/variables.tf | 0 6 files changed, 1 insertion(+), 1 deletion(-) rename {terraform/bootstrap => bootstrap}/.terraform.lock.hcl (100%) rename {terraform/bootstrap => bootstrap}/README.md (98%) rename {terraform/bootstrap => bootstrap}/jenkins.tf (100%) rename {terraform/bootstrap => bootstrap}/main.tf (100%) rename {terraform/bootstrap => bootstrap}/terraform.tfstate (100%) rename {terraform/bootstrap => bootstrap}/variables.tf (100%) diff --git a/terraform/bootstrap/.terraform.lock.hcl b/bootstrap/.terraform.lock.hcl similarity index 100% rename from terraform/bootstrap/.terraform.lock.hcl rename to bootstrap/.terraform.lock.hcl diff --git a/terraform/bootstrap/README.md b/bootstrap/README.md similarity index 98% rename from terraform/bootstrap/README.md rename to bootstrap/README.md index 8d44894..0b72a9e 100644 
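Review bot: `projects:` followed by nothing parses as YAML null, not the empty list the new comment describes; `projects: []` states the intent and avoids a type error from a list-valued field should Atlantis ever be pointed at this repo again. I have not checked how Atlantis treats a null here, so the explicit empty list is simply the safer form.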
--- a/terraform/bootstrap/README.md +++ b/bootstrap/README.md @@ -5,7 +5,7 @@ This terraform module is used to bootstrap the backend for the `/terraform` proj ## How to use ```bash -cd terraform/bootstrap +cd bootstrap terraform init terraform apply ``` diff --git a/terraform/bootstrap/jenkins.tf b/bootstrap/jenkins.tf similarity index 100% rename from terraform/bootstrap/jenkins.tf rename to bootstrap/jenkins.tf diff --git a/terraform/bootstrap/main.tf b/bootstrap/main.tf similarity index 100% rename from terraform/bootstrap/main.tf rename to bootstrap/main.tf diff --git a/terraform/bootstrap/terraform.tfstate b/bootstrap/terraform.tfstate similarity index 100% rename from terraform/bootstrap/terraform.tfstate rename to bootstrap/terraform.tfstate diff --git a/terraform/bootstrap/variables.tf b/bootstrap/variables.tf similarity index 100% rename from terraform/bootstrap/variables.tf rename to bootstrap/variables.tf From 5858fb85e7da348e95ba1dbc5e1add302644a0c5 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Tue, 13 Sep 2022 12:50:09 -0400 Subject: [PATCH 16/20] Pass local AWS env vars to Terraform, tf fmt Also rearrange the order of the validation scripts to fmt first --- bin/common.sh | 1 + bin/validate.sh | 16 ++++++++-------- terraform/aws.tf | 1 + 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/bin/common.sh b/bin/common.sh index 811aa8e..eabb0b3 100755 --- a/bin/common.sh +++ b/bin/common.sh @@ -29,6 +29,7 @@ function get_env_tmpfile() { local TMPFILE TMPFILE="$(mktemp)" grep ^export "$DIR/../env.sh" | cut -c8- > "$TMPFILE" + printenv | grep '^AWS' >> "$TMPFILE" echo "$TMPFILE" } diff --git a/bin/validate.sh b/bin/validate.sh index b6c830d..09adb63 100755 --- a/bin/validate.sh +++ b/bin/validate.sh 
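Review bot: `printenv | grep '^AWS' >> "$TMPFILE"` returns grep's exit status 1 whenever no `AWS*` variable is exported, and the scripts that reach this function (bin/validate.sh on this page runs under `set -euo pipefail`, presumably arriving here via get_docker_terraform) will therefore abort inside the command substitution instead of getting a temp file holding just the env.sh entries; `printenv | grep '^AWS' >> "$TMPFILE" || true` keeps the best-effort intent. The line also copies whatever `AWS_*` the caller has exported — typically AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN — into a mktemp file that is later handed to `docker run --env-file`; mktemp creates it mode 0600, but nothing in this hunk removes it, so a comment on the function such as `# returned file may hold live AWS credentials; the caller is responsible for removing it` would make that contract explicit, assuming the callers do delete it. get_env_tmpfile starts outside the hunk.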
@@ -27,15 +27,8 @@ echo "Linting packer files" $DOCKER_PACKER validate app/packer/machines/web-server.json # Ensure that `terraform fmt` comes up clean -if [[ "$SKIP_TERRAFORM" == "false" ]]; then - echo "Linting terraform files for correctness" +if [[ "${SKIP_TERRAFORM:-false}" == "false" ]]; then DOCKER_TERRAFORM=$(get_docker_terraform) - init_terraform - $DOCKER_TERRAFORM validate \ - -var 'newrelic_license_key=ZZZZ' \ - -var 'newrelic_api_key=ZZZZ' \ - -var 'newrelic_alert_email=ferd.berferd@example.com' \ - echo "Linting terraform files for formatting" fmt=$($DOCKER_TERRAFORM fmt) if [[ -n "$fmt" ]]; then echo 'ERROR: these files are not formatted correctly. Run "terraform fmt"' @@ -43,6 +36,13 @@ if [[ "$SKIP_TERRAFORM" == "false" ]]; then git diff exit 1 fi + echo "Linting terraform files for correctness" + init_terraform + $DOCKER_TERRAFORM validate \ + -var 'newrelic_license_key=ZZZZ' \ + -var 'newrelic_api_key=ZZZZ' \ + -var 'newrelic_alert_email=ferd.berferd@example.com' \ + echo "Linting terraform files for formatting" fi echo "Linting shell scripts" diff --git a/terraform/aws.tf b/terraform/aws.tf index b108589..b9f2986 100644 --- a/terraform/aws.tf +++ b/terraform/aws.tf @@ -4,6 +4,7 @@ provider "aws" { region = "${var.aws_region}" version = "~> 1.57" + assume_role = { role_arn = "arn:aws:iam::587267277416:role/terraform_sandbox_backend_admin" } From 2d6f47353d0b9e07cf6e0d6b0392482bc4d37973 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Tue, 13 Sep 2022 12:53:51 -0400 Subject: [PATCH 17/20] Remove packer containers after running --- bin/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/common.sh b/bin/common.sh index eabb0b3..3001db4 100755 --- a/bin/common.sh +++ b/bin/common.sh 
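Review bot: The trailing backslash on the moved line `-var 'newrelic_alert_email=ferd.berferd@example.com' \` continues the `terraform validate` command onto the next line, so `echo "Linting terraform files for formatting"` is handed to validate as two positional arguments rather than executed; the reorder carries a pre-existing bug along instead of fixing it. Remove the backslash from the last `-var` line and delete that echo, whose message belongs before the `fmt` call earlier in the block. PATCH 18 on this page moves the echo but keeps the backslash, at which point `fi` becomes the continuation and the script no longer parses; PATCH 19 finally drops it. The `if` block opens in the first hunk of this file and closes at the `fi` in the second.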
@@ -67,7 +67,7 @@ function get_docker_packer { PACKER_AWS_VPC_ID="$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/"$INTERFACE"/vpc-id)" fi - echo "docker run -i + echo "docker run -i --rm ${USE_TTY} --env-file $TMPFILE -e PACKER_AWS_SUBNET_ID=$PACKER_AWS_SUBNET_ID From f5a4ca05edb49721ba674ad6172584ad61cbac44 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Wed, 14 Sep 2022 12:29:53 +0530 Subject: [PATCH 18/20] DOPS-101 Share packer ami between dops prod and sandbox --- bin/validate.sh | 4 ++-- packer/machines/web-server.json | 3 ++- terraform/variables.tf | 3 ++- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/bin/validate.sh b/bin/validate.sh index 09adb63..de9caa4 100755 --- a/bin/validate.sh +++ b/bin/validate.sh @@ -2,7 +2,7 @@ # Set bash unofficial strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/ set -euo pipefail - + # Set DEBUG to true for enhanced debugging: run prefixed with "DEBUG=true" ${DEBUG:-false} && set -vx # Credit to https://stackoverflow.com/a/17805088 @@ -30,6 +30,7 @@ $DOCKER_PACKER validate app/packer/machines/web-server.json if [[ "${SKIP_TERRAFORM:-false}" == "false" ]]; then DOCKER_TERRAFORM=$(get_docker_terraform) fmt=$($DOCKER_TERRAFORM fmt) + echo "Linting terraform files for formatting" if [[ -n "$fmt" ]]; then echo 'ERROR: these files are not formatted correctly. Run "terraform fmt"' echo "$fmt" @@ -42,7 +43,6 @@ if [[ "${SKIP_TERRAFORM:-false}" == "false" ]]; then -var 'newrelic_license_key=ZZZZ' \ -var 'newrelic_api_key=ZZZZ' \ -var 'newrelic_alert_email=ferd.berferd@example.com' \ - echo "Linting terraform files for formatting" fi echo "Linting shell scripts" diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json index 5194a59..92e678a 100644 --- a/packer/machines/web-server.json +++ b/packer/machines/web-server.json 
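Review bot: The IMDS lookup visible here uses `curl --silent` with neither `--fail` nor an IMDSv2 token, so on an instance that requires session tokens (`HttpTokens=required`) the 401 error body, not a VPC id, lands in `PACKER_AWS_VPC_ID` and is presumably passed into the container alongside the visible `-e PACKER_AWS_SUBNET_ID=...`; at minimum add `--fail`, and preferably obtain a token with `curl -sX PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60"` and send it as `X-aws-ec2-metadata-token`. `--rm` is a welcome change on its own, since each run otherwise leaves a stopped container whose `--env-file` contents can be read back with `docker inspect`. get_docker_packer starts outside the hunk and the `docker run` string continues past it.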
@@ -18,7 +18,8 @@ "vpc_id": "{{user `aws_vpc_id`}}", "ssh_username": "centos", "ami_name": "devops-infra-demo-centos-7-{{timestamp}}", - "ami_description": "DevOps Infrastructure Demo CentOS 7 - CIS hardened" + "ami_description": "DevOps Infrastructure Demo CentOS 7 - CIS hardened", + "ami_users": ["587267277416"] // Share with devops sandbox account }], "provisioners": [ { diff --git a/terraform/variables.tf b/terraform/variables.tf index 7932b59..770515f 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -48,9 +48,10 @@ variable "google_project" { default = "example-media" } +# Use devops prod account as default. We bake and store AMIs using packer. variable "aws_account_id_for_ami" { description = "AWS Account ID where AMIs live, if not the default" - default = "" + default = "191447213457" } variable "ami_pattern" { From 3a166d8f9bc7524e04621691ae0568a9d5083f0d Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Wed, 14 Sep 2022 13:13:02 +0530 Subject: [PATCH 19/20] DOPS-101 Add route 53 resource --- bin/validate.sh | 2 +- packer/machines/web-server.json | 2 +- terraform/route53.tf | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bin/validate.sh b/bin/validate.sh index de9caa4..07594e5 100755 --- a/bin/validate.sh +++ b/bin/validate.sh @@ -42,7 +42,7 @@ if [[ "${SKIP_TERRAFORM:-false}" == "false" ]]; then $DOCKER_TERRAFORM validate \ -var 'newrelic_license_key=ZZZZ' \ -var 'newrelic_api_key=ZZZZ' \ - -var 'newrelic_alert_email=ferd.berferd@example.com' \ + -var 'newrelic_alert_email=ferd.berferd@example.com' fi echo "Linting shell scripts" diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json index 92e678a..ec2fc20 100644 --- a/packer/machines/web-server.json +++ b/packer/machines/web-server.json 
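Review bot: `"ami_users": ["587267277416"] // Share with devops sandbox account` places a `//` comment inside a JSON template; Packer's JSON templates are strict JSON, so `packer validate` (which bin/validate.sh runs against this file) should fail to parse the builder. Packer ignores keys beginning with an underscore, so `"_comment": "Share with devops sandbox account"` keeps the note without breaking the parse; PATCH 19 on this page instead deletes it. The builder object starts outside the hunk.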
@@ -19,7 +19,7 @@ "ssh_username": "centos", "ami_name": "devops-infra-demo-centos-7-{{timestamp}}", "ami_description": "DevOps Infrastructure Demo CentOS 7 - CIS hardened", - "ami_users": ["587267277416"] // Share with devops sandbox account + "ami_users": ["587267277416"] }], "provisioners": [ { diff --git a/terraform/route53.tf b/terraform/route53.tf index 6f5393e..b9caace 100644 --- a/terraform/route53.tf +++ b/terraform/route53.tf @@ -1,10 +1,10 @@ -data "aws_route53_zone" "dev" { - name = "${var.domain}." +resource "aws_route53_zone" "dev" { + name = "${var.host}.${var.domain}" } resource "aws_route53_record" "main" { - zone_id = "${data.aws_route53_zone.dev.zone_id}" - name = "${var.host}.${var.domain}" + zone_id = "${aws_route53_zone.dev.zone_id}" + name = "${aws_route53_zone.dev.name}" type = "CNAME" ttl = "300" @@ -14,5 +14,5 @@ resource "aws_route53_record" "main" { } output "route53-dns" { - value = "${var.host}.${var.domain}" + value = "${aws_route53_zone.dev.name}" } From c3f17f3b30c5239e15ac254b41ad4f86311c8946 Mon Sep 17 00:00:00 2001 From: Akash Agrawal Date: Fri, 16 Sep 2022 19:13:22 +0530 Subject: [PATCH 20/20] Debug packer build --- ansible/bakery.yml | 4 ++-- ansible/requirements.yml | 4 ++-- bin/ansible.sh | 4 +++- bin/install-ansible.sh | 2 ++ gauntlt/nmap-invariant.attack | 2 -- 5 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ansible/bakery.yml b/ansible/bakery.yml index 4282248..d547c6a 100644 --- a/ansible/bakery.yml +++ b/ansible/bakery.yml @@ -8,14 +8,14 @@ hosts: 127.0.0.1 connection: local become: yes - roles: + roles: - cloudwatch-agent - name: Install New Relic Infrastructure hosts: 127.0.0.1 connection: local become: yes - roles: + roles: - newrelic.newrelic-infra vars: nrinfragent_os_name: CentOS diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 5978c53..41d2fbe 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml 
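Review bot: `aws_route53_record.main` now has `name = "${aws_route53_zone.dev.name}"` with `type = "CNAME"`, which is a CNAME at the apex of the hosted zone this same file creates; a CNAME cannot coexist with the apex SOA/NS records and Route 53 rejects such a change set, so `apply` will fail on this record. Either keep the zone at `${var.domain}` and create `${var.host}` as a record beneath it, or make the apex record an alias A record (`alias { name = …, zone_id = …, evaluate_target_health = … }`) to whatever the `records` line past the hunk names. A fresh hosted zone for `${var.host}.${var.domain}` also resolves nothing until its NS set is delegated from the parent zone, which nothing in this hunk does; a comment on the zone resource stating where that delegation is managed would help. The record resource continues past the first hunk.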
@@ -1,10 +1,11 @@ # Install roles from Ansible Galaxy # CIS hardening -- src: MindPointGroup.RHEL7-CIS +- src: mindpointgroup.rhel7_cis # NGINX web server - src: nginxinc.nginx + version: 0.14.0 # AWS CodeDeploy agent # The original version of this role in Ansible Galaxy @@ -17,4 +18,3 @@ # New Relic Infrastructure - src: newrelic.newrelic-infra - diff --git a/bin/ansible.sh b/bin/ansible.sh index f5dee25..13e7496 100755 --- a/bin/ansible.sh +++ b/bin/ansible.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Run ansible +# Run ansible # # Set bash unofficial strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/ set -euo pipefail @@ -20,5 +20,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" ensure_not_root +sudo yum -y install yum-utils pcre2 + cd "$DIR/../ansible" ansible-playbook -l localhost "$@" diff --git a/bin/install-ansible.sh b/bin/install-ansible.sh index 0e8c04c..d5571db 100755 --- a/bin/install-ansible.sh +++ b/bin/install-ansible.sh @@ -16,6 +16,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" #shellcheck disable=SC1090 . "$DIR/common.sh" +ls -al /etc/yum.repos.d + ensure_not_root quick_yum_install epel-release diff --git a/gauntlt/nmap-invariant.attack b/gauntlt/nmap-invariant.attack index d500abc..5930ab6 100644 --- a/gauntlt/nmap-invariant.attack +++ b/gauntlt/nmap-invariant.attack @@ -1,5 +1,4 @@ @slow -# Adapted from https://github.com/gauntlt/gauntlt/blob/master/examples/nmap/nmap.attack Feature: nmap attacks for localhost Background: @@ -45,4 +44,3 @@ Feature: nmap attacks for localhost | ports port[protocol="tcp"][portid="22"] state[state="open"] | And the file "/app/build/nmap-results.xml" should not contain XML: | ports port[protocol="tcp"][portid="25"] state[state="open"] | -
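Review bot: Only `nginxinc.nginx` receives a `version:` pin; `mindpointgroup.rhel7_cis` (renamed here) and `newrelic.newrelic-infra` are still fetched at whatever Galaxy serves at build time, so the role that hardens the image and the one that installs a monitoring agent are unreproducible and change silently between bakes. Pin each entry the same way (`version: <tested tag>`), and the comment at the top of the file could state that pins are deliberate and bumped by hand.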
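Review bot: `sudo yum -y install yum-utils pcre2` runs on every invocation of bin/ansible.sh, immediately after `ensure_not_root`, turning a playbook-runner script into one that performs a privileged package install as a side effect; package setup belongs in bin/install-ansible.sh, which this patch also touches, next to `quick_yum_install epel-release` and through the same helper. The `ls -al /etc/yum.repos.d` added there and the commit title "Debug packer build" suggest both lines are debugging aids; if they are to stay, a comment naming the failure they work around (`# yum-utils/pcre2: needed because <reason from the failing build>`) would stop the next reader from removing them. The script's preamble is outside the hunk.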