Merge pull request #104 from wri/staging

Staging -> Production

.github/workflows/terraform_build.yaml

@@ -25,10 +25,10 @@ jobs:
         RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_production }}
         GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }}
         PLANET_API_KEY: ${{secrets.planet_api_key }}
-        TMASCHLER_IP: ${{ secrets.tmaschler_ip }}
         JTERRY_IP: ${{ secrets.jterry_ip }}
         DMANNARINO_IP: ${{ secrets.dmannarino_ip }}
         SNEGUSSE_IP: ${{ secrets.snegusse_ip }}
+        GTEMPUS_IP: ${{ secrets.gtempus_ip }}
         OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }}
         VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }}
       run: |
@@ -38,10 +38,10 @@ jobs:
                               -var "rds_password_ro=${RDS_PASSWORD_RO}" \
                               -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \
                               -var "planet_api_key=${PLANET_API_KEY}" \
-                              -var "tmaschler_ip=${TMASCHLER_IP}" \
                               -var "jterry_ip=${JTERRY_IP}" \
                               -var "dmannarino_ip=${DMANNARINO_IP}" \
                               -var "snegusse_ip=${SNEGUSSE_IP}" \
+                              -var "gtempus_ip=${GTEMPUS_IP}" \
                               -var "office_3sc_ip=${OFFICE_3SC_IP}" \
                               -var "vpn_3sc_ip=${VPN_3SC_IP}"
         ./scripts/infra apply
@@ -58,10 +58,10 @@ jobs:
         RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_staging }}
         GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }}
         PLANET_API_KEY: ${{secrets.planet_api_key }}
-        TMASCHLER_IP: ${{ secrets.tmaschler_ip }}
         JTERRY_IP: ${{ secrets.jterry_ip }}
         DMANNARINO_IP: ${{ secrets.dmannarino_ip }}
         SNEGUSSE_IP: ${{ secrets.snegusse_ip }}
+        GTEMPUS_IP: ${{ secrets.gtempus_ip }}
         OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }}
         VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }}
       run: |
@@ -71,10 +71,10 @@ jobs:
                               -var "rds_password_ro=${RDS_PASSWORD_RO}" \
                               -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \
                               -var "planet_api_key=${PLANET_API_KEY}" \
-                              -var "tmaschler_ip=${TMASCHLER_IP}" \
                               -var "jterry_ip=${JTERRY_IP}" \
                               -var "dmannarino_ip=${DMANNARINO_IP}" \
                               -var "snegusse_ip=${SNEGUSSE_IP}" \
+                              -var "gtempus_ip=${GTEMPUS_IP}" \
                               -var "office_3sc_ip=${OFFICE_3SC_IP}" \
                               -var "vpn_3sc_ip=${VPN_3SC_IP}"
 
@@ -92,10 +92,10 @@ jobs:
         RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_dev }}
         GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }}
         PLANET_API_KEY: ${{secrets.planet_api_key }}
-        TMASCHLER_IP: ${{ secrets.tmaschler_ip }}
         JTERRY_IP: ${{ secrets.jterry_ip }}
         DMANNARINO_IP: ${{ secrets.dmannarino_ip }}
         SNEGUSSE_IP: ${{ secrets.snegusse_ip }}
+        GTEMPUS_IP: ${{ secrets.gtempus_ip }}
         OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }}
         VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }}
       run: |
@@ -105,10 +105,10 @@ jobs:
                               -var "rds_password_ro=${RDS_PASSWORD_RO}" \
                               -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \
                               -var "planet_api_key=${PLANET_API_KEY}" \
-                              -var "tmaschler_ip=${TMASCHLER_IP}" \
                               -var "jterry_ip=${JTERRY_IP}" \
                               -var "dmannarino_ip=${DMANNARINO_IP}" \
                               -var "snegusse_ip=${SNEGUSSE_IP}" \
+                              -var "gtempus_ip=${GTEMPUS_IP}" \
                               -var "office_3sc_ip=${OFFICE_3SC_IP}" \
                               -var "vpn_3sc_ip=${VPN_3SC_IP}"
 

.github/workflows/terraform_plan.yaml

@@ -21,10 +21,10 @@ jobs:
         RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_production }}
         GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }}
         PLANET_API_KEY: ${{secrets.planet_api_key }}
-        TMASCHLER_IP: ${{ secrets.tmaschler_ip }}
         JTERRY_IP: ${{ secrets.jterry_ip }}
         DMANNARINO_IP: ${{ secrets.dmannarino_ip }}
         SNEGUSSE_IP: ${{ secrets.snegusse_ip }}
+        GTEMPUS_IP: ${{ secrets.gtempus_ip }}
         OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }}
         VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }}
       run: |
@@ -34,10 +34,10 @@ jobs:
                               -var "rds_password_ro=${RDS_PASSWORD_RO}" \
                               -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \
                               -var "planet_api_key=${PLANET_API_KEY}" \
-                              -var "tmaschler_ip=${TMASCHLER_IP}" \
                               -var "jterry_ip=${JTERRY_IP}" \
                               -var "dmannarino_ip=${DMANNARINO_IP}" \
                               -var "snegusse_ip=${SNEGUSSE_IP}" \
+                              -var "gtempus_ip=${GTEMPUS_IP}" \
                               -var "office_3sc_ip=${OFFICE_3SC_IP}" \
                               -var "vpn_3sc_ip=${VPN_3SC_IP}"
 
@@ -54,10 +54,10 @@ jobs:
         RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_staging }}
         GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }}
         PLANET_API_KEY: ${{secrets.planet_api_key }}
-        TMASCHLER_IP: ${{ secrets.tmaschler_ip }}
         JTERRY_IP: ${{ secrets.jterry_ip }}
         DMANNARINO_IP: ${{ secrets.dmannarino_ip }}
         SNEGUSSE_IP: ${{ secrets.snegusse_ip }}
+        GTEMPUS_IP: ${{ secrets.gtempus_ip }}
         OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }}
         VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }}
       run: |
@@ -67,10 +67,10 @@ jobs:
                               -var "rds_password_ro=${RDS_PASSWORD_RO}" \
                               -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \
                               -var "planet_api_key=${PLANET_API_KEY}" \
-                              -var "tmaschler_ip=${TMASCHLER_IP}" \
                               -var "jterry_ip=${JTERRY_IP}" \
                               -var "dmannarino_ip=${DMANNARINO_IP}" \
                               -var "snegusse_ip=${SNEGUSSE_IP}" \
+                              -var "gtempus_ip=${GTEMPUS_IP}" \
                               -var "office_3sc_ip=${OFFICE_3SC_IP}" \
                               -var "vpn_3sc_ip=${VPN_3SC_IP}"
 
@@ -87,10 +87,10 @@ jobs:
         RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_dev }}
         GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }}
         PLANET_API_KEY: ${{secrets.planet_api_key }}
-        TMASCHLER_IP: ${{ secrets.tmaschler_ip }}
         JTERRY_IP: ${{ secrets.jterry_ip }}
         DMANNARINO_IP: ${{ secrets.dmannarino_ip }}
         SNEGUSSE_IP: ${{ secrets.snegusse_ip }}
+        GTEMPUS_IP: ${{ secrets.gtempus_ip }}
         OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }}
         VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }}
       run: |
@@ -100,10 +100,10 @@ jobs:
                               -var "rds_password_ro=${RDS_PASSWORD_RO}" \
                               -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \
                               -var "planet_api_key=${PLANET_API_KEY}" \
-                              -var "tmaschler_ip=${TMASCHLER_IP}" \
                               -var "jterry_ip=${JTERRY_IP}" \
                               -var "dmannarino_ip=${DMANNARINO_IP}" \
                               -var "snegusse_ip=${SNEGUSSE_IP}" \
+                              -var "gtempus_ip=${GTEMPUS_IP}" \
                               -var "office_3sc_ip=${OFFICE_3SC_IP}" \
                               -var "vpn_3sc_ip=${VPN_3SC_IP}"
 

.gitignore

@@ -36,4 +36,7 @@ override.tf.json
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 
-venv/*
+venv/*
+
+# IDE configurations
+.idea

CODEOWNERS

@@ -1 +1 @@
-* @gfw-api @tanderegg @jterry64 @dmannarino @solomon-negusse
+* @gfw-api @tanderegg @jterry64 @dmannarino @solomon-negusse @gtempus

README.md

@@ -1,4 +1,4 @@
-# GFW AWS Core Infrastructure
+# GFW AWS Core Infrastructure 
 
 This repo describes GFW's core infrastructure on AWS using Terraform framework.
 
@@ -77,4 +77,4 @@ resource "aws_lambda_function" "default" {
     }
   }
 }
-```
+```

terraform.md

@@ -15,27 +15,27 @@
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| application | Name of the current application | `string` | `"gfw-aws-core-infrastructure"` | no |
-| aws\_region | A valid AWS region to configure the underlying AWS SDK. | `string` | `"us-east-1"` | no |
-| dev\_account\_number | Account number of production account | `string` | `"563860007740"` | no |
-| dmannarino\_ip | Daniel's home IP address | `string` | n/a | yes |
-| dynamo\_db\_lock\_table\_name | Name of the lock table in Dynamo DB | `string` | `"aws-locks"` | no |
-| environment | An environment namespace for the infrastructure. | `string` | n/a | yes |
-| gfw-gee-export\_key | GCS key for service account | `string` | n/a | yes |
-| gfw\_api\_token | Access token for the GFW/RW API. | `string` | n/a | yes |
-| jterry\_ip | Justin's home IP address | `string` | n/a | yes |
-| log\_retention\_period | Time in days to keep log files | `number` | n/a | yes |
-| production\_account\_number | Account number of production account | `string` | `"401951483516"` | no |
-| project | A project namespace for the infrastructure. | `string` | `"Global Forest Watch"` | no |
-| rds\_backup\_retention\_period | Time in days to keep RDS backup files | `number` | n/a | yes |
-| rds\_instance\_class | RDS Aurora instance type for write node | `string` | n/a | yes |
-| rds\_password | Superuser password for RDS Aurora database | `string` | n/a | yes |
-| rds\_password\_ro | Read Only user password for RDS Aurora database | `string` | n/a | yes |
-| slack\_data\_updates\_hook | Hook for Slack data-updates channel | `string` | n/a | yes |
-| staging\_account\_number | Account number of production account | `string` | `"274931322839"` | no |
-| tmaschler\_ip | Thomas' home IP address | `string` | n/a | yes |
+| Name                           | Description                                             | Type | Default | Required |
+|--------------------------------|---------------------------------------------------------|------|---------|:--------:|
+| application                    | Name of the current application                         | `string` | `"gfw-aws-core-infrastructure"` | no |
+| aws\_region                    | A valid AWS region to configure the underlying AWS SDK. | `string` | `"us-east-1"` | no |
+| dev\_account\_number           | Account number of production account                    | `string` | `"563860007740"` | no |
+| dmannarino\_ip                 | Daniel's home IP address                                | `string` | n/a | yes |
+| dynamo\_db\_lock\_table\_name  | Name of the lock table in Dynamo DB                     | `string` | `"aws-locks"` | no |
+| environment                    | An environment namespace for the infrastructure.        | `string` | n/a | yes |
+| gfw-gee-export\_key            | GCS key for service account                             | `string` | n/a | yes |
+| gfw\_api\_token                | Access token for the GFW/RW API.                        | `string` | n/a | yes |
+| jterry\_ip                     | Justin's home IP address                                | `string` | n/a | yes |
+| log\_retention\_period         | Time in days to keep log files                          | `number` | n/a | yes |
+| production\_account\_number    | Account number of production account                    | `string` | `"401951483516"` | no |
+| project                        | A project namespace for the infrastructure.             | `string` | `"Global Forest Watch"` | no |
+| rds\_backup\_retention\_period | Time in days to keep RDS backup files                   | `number` | n/a | yes |
+| rds\_instance\_class           | RDS Aurora instance type for write node                 | `string` | n/a | yes |
+| rds\_password                  | Superuser password for RDS Aurora database              | `string` | n/a | yes |
+| rds\_password\_ro              | Read Only user password for RDS Aurora database         | `string` | n/a | yes |
+| slack\_data\_updates\_hook     | Hook for Slack data-updates channel                     | `string` | n/a | yes |
+| staging\_account\_number       | Account number of production account                    | `string` | `"274931322839"` | no |
+| gtempus\_ip                    | Gary's home IP address                                  | `string` | n/a | yes |
 
 ## Outputs
 
@@ -53,7 +53,6 @@
 | environment | Environment of current state. |
 | iam\_policy\_s3\_write\_data-lake\_arn | n/a |
 | iam\_policy\_s3\_write\_pipelines\_arn | n/a |
-| key\_pair\_tmaschler\_gfw | n/a |
 | nat\_gateway\_ips | n/a |
 | pipelines\_bucket | n/a |
 | postgresql\_security\_group\_id | Security group ID to access postgresql database |

terraform/main.tf

@@ -40,7 +40,7 @@ module "postgresql" {
   project                     = var.project_prefix
   rds_backup_retention_period = var.backup_retention_period
   rds_db_name                 = "geostore"
-  rds_version                 = "12.8"
+  rds_version                 = var.rds_version
   rds_instance_class          = var.rds_instance_class
   rds_instance_count          = var.rds_instance_count
   rds_password                = var.rds_password
@@ -103,7 +103,7 @@ module "pipeline_bucket" {
       enabled = true
       prefix  = "geotrellis/results/"
       transition = [{
-        days          = 30            # initally set to 7 days but this is somehow no longer possible
+        days          = 30            # initially set to 7 days but this is somehow no longer possible
         storage_class = "STANDARD_IA" # or "ONEZONE_IA"
         }, {
         days          = 60
@@ -139,12 +139,12 @@ module "pipeline-test-bucket" {
 module "firewall" {
   source          = "./modules/firewall"
   project         = var.project_prefix
-  ssh_cidr_blocks = ["${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32"]
-  description     = ["Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "George"]
+  ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.gtempus_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"]
+  description     = ["3SC Office VPN", "Office", "Justin", "Daniel", "Solomon", "Gary", "Dockerised", "Dockerised2", "Owen", "Edward"]
   tags            = merge({ Job = "Firewall" }, local.tags)
   vpc_cidre_block = module.vpc.cidr_block
   vpc_id          = module.vpc.id
-} 
+}
 
 module "api_token_secret" {
   source        = "git::https://github.com/wri/gfw-terraform-modules.git//terraform/modules/secrets?ref=v0.4.0"

terraform/modules/elastic_cache/main.tf

@@ -12,7 +12,7 @@ resource "aws_elasticache_replication_group" "default" {
 
   snapshot_retention_limit = var.snapshot_retention_limit
   snapshot_window          = "00:00-05:00"
-  
+
   security_group_ids = [ aws_security_group.default.id ]
   subnet_group_name          = aws_elasticache_subnet_group.default.name
   automatic_failover_enabled = var.num_replicas > 1 ? true : false

terraform/modules/postgresql/variables.tf

@@ -44,8 +44,8 @@ variable "rds_password_ro" {
 }
 variable "rds_version" {
   type        = string
-  description = "RDS Aurora database engine version. eg. 12.4"
-  default     = "12.4"
+  description = "RDS Aurora database engine version. eg. 12.7"
+  default     = "12.7"
 }
 
 variable "rds_backup_retention_period" {

terraform/modules/vpc/main.tf

@@ -176,11 +176,13 @@ data "aws_ami" "amazon_linux_ami" {
 }
 
 resource "aws_instance" "bastion" {
-  ami                         = data.aws_ami.amazon_linux_ami.id
-  availability_zone           = var.availability_zones[0]
-  ebs_optimized               = true
-  instance_type               = var.bastion_instance_type
-  monitoring                  = true
+  ami                  = data.aws_ami.amazon_linux_ami.id
+  availability_zone    = var.availability_zones[0]
+  ebs_optimized        = true
+  instance_type        = var.bastion_instance_type
+  monitoring           = true
+  iam_instance_profile = "${aws_iam_instance_profile.bastion_profile.name}"
+
   subnet_id                   = aws_subnet.public[0].id
   vpc_security_group_ids      = var.security_group_ids
   associate_public_ip_address = true
@@ -199,6 +201,53 @@ resource "aws_instance" "bastion" {
 }
 
 
+resource "aws_iam_instance_profile" "bastion_profile" {
+  name = "bastion_profile"
+  role = "${aws_iam_role.bastion_role.name}"
+}
+resource "aws_iam_role" "bastion_role" {
+  name = "bastion_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+resource "aws_iam_role_policy" "test_policy" {
+  name = "test_policy"
+  role = "${aws_iam_role.bastion_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+       "ecs:Describe*",
+       "ecs:List*",
+       "ecs:UpdateService",
+       "ecs:StopTask"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+
 # User data script to bootstrap authorized ssh keys
 data "template_file" "bastion_setup" {
   template = file("${path.module}/user_data/bastion_setup.sh.tpl")
@@ -219,4 +268,4 @@ resource "aws_eip" "bastion" {
 resource "aws_eip_association" "eip_assoc" {
   instance_id   = aws_instance.bastion.id
   allocation_id = aws_eip.bastion.id
-}
+}

terraform/outputs.tf

@@ -51,10 +51,6 @@ output "key_pairs" {
   value = aws_key_pair.all
 }
 
-output "key_pair_tmaschler_gfw" {
-  value = aws_key_pair.all["tmaschler_gfw"].key_name
-}
-
 output "key_pair_jterry_gfw" {
   value = aws_key_pair.all["jterry_gfw"].key_name
 }
@@ -138,7 +134,7 @@ output "secrets_planet_api_key_policy_arn" {
 }
 
 output "acm_certificate" {
-  value = aws_acm_certificate.globalforestwatch[0].arn
+  value = aws_acm_certificate.globalforestwatch_new[0].arn
 }
 
 output "aurora_cluster_instance_class" {