From 8e4c33ba205ac50b9891d71bb1a4a5386fb8292d Mon Sep 17 00:00:00 2001 From: George Crosby Date: Fri, 18 Feb 2022 11:07:13 +0000 Subject: [PATCH 01/40] upping the mongodb cluster count to 1 to fix all microservice errors --- terraform/vars/terraform-staging.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/vars/terraform-staging.tfvars b/terraform/vars/terraform-staging.tfvars index f5b4812..3442a45 100644 --- a/terraform/vars/terraform-staging.tfvars +++ b/terraform/vars/terraform-staging.tfvars @@ -4,7 +4,7 @@ log_retention_period = 7 rds_instance_class = "db.t3.medium" rds_instance_count = 1 db_instance_class = "db.t3.medium" -db_instance_count = 0 +db_instance_count = 1 redis_node_group_count = 1 redis_replica_count = 0 redis_node_type = "cache.t2.micro" \ No newline at end of file From b4b124f3bab60539a97b87f8dc765bb01c2b90b7 Mon Sep 17 00:00:00 2001 From: dockerised Date: Wed, 23 Feb 2022 12:38:18 +0000 Subject: [PATCH 02/40] Attach security group to redis --- terraform/modules/elastic_cache/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/modules/elastic_cache/main.tf b/terraform/modules/elastic_cache/main.tf index 0b571c2..a18764d 100644 --- a/terraform/modules/elastic_cache/main.tf +++ b/terraform/modules/elastic_cache/main.tf @@ -13,6 +13,7 @@ resource "aws_elasticache_replication_group" "default" { snapshot_retention_limit = var.snapshot_retention_limit snapshot_window = "00:00-05:00" + security_group_ids = [ aws_security_group.default.id ] subnet_group_name = aws_elasticache_subnet_group.default.name automatic_failover_enabled = var.num_replicas > 1 ? true : false From 590256bd4599e71c025ca9e9f1ddd3721a48eec4 Mon Sep 17 00:00:00 2001 From: George Crosby Date: Wed, 2 Mar 2022 09:14:39 +0000 Subject: [PATCH 03/40] force commit --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 74701d8..a645126 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -# GFW AWS Core Infrastructure +# GFW AWS Core Infrastructure This repo describes GFW's core infrastructure on AWS using Terraform framework. @@ -77,4 +77,4 @@ resource "aws_lambda_function" "default" { } } } -``` \ No newline at end of file +``` From 737efb03f6da625e0cc8997366e55ec388e4d136 Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Fri, 4 Mar 2022 15:35:07 -0800 Subject: [PATCH 04/40] Update 3SC public keys --- terraform/standalone.tf | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/terraform/standalone.tf b/terraform/standalone.tf index ab2d35a..2908465 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf 
@@ -28,11 +28,9 @@ resource "aws_key_pair" "all" { // TODO: Same keys are also define in the FW Core Infrastructure State. Due to circular dependencies, and TF version conflicts I could not import those keys into this state // we only need the keys here to add them to the bastion host. An alternative would be to create a separate bastion host for 3SC in their repo - sdavidge_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDrcI4YJtnQo5IhUeGFrqzVf4utuSV8qqpgxbh3iFz1LkFZ84rZ5S+taDqhxc7Oq7g5Au/7Z6Eal5kuSxSG212tHGQ/4Ebsjqa9qN6SPLQ+PCUUDH7t9tTKduKeaesS4PY5F/6RF2KA3dQVtvowxvQ1iGIngR7AfU8JVvHoN7YEG02UeCfMxkoAdXho7lQFHPvug+/I6K2RtG2StSYGpxFNc8FcDEc7897nCv8tG9hV+lsUlPRTRlPpuaut/kDzeHqLeEw4S/lMD7s0nWGAZ31GE0b2kpdwbBeyhbZDXr2FX6ZJA4ERoUVh5xn14Lx2CDJoit3hCSDkuX2XlpQsapVD8I8MIhI9pgLWdhxfOnxOKU96pH76O1Zza0FswNGig3smvxxbDjYNSyAYIywxyRyBepHmlA/R7iyMazzE9MIU5PYPnOXXHqkovDl8GbWgaFAtD1q9trMRk5/xIu25OzpS2fyuQOa0GyakGPjrLzdRLsMBx1JXNlQ7RxaFWrbYgLEldCZWT364YnTL6bEWi0Eaoiifv3kuKZXigClWsSxSxtH3axqf/RRg0AO6Uhbi3tGznCV6uSYI9HoFquiQE6ucPlS48yEEM6z78gmRLi1ob0bzeqUfOT4YcE2/VmGP3lAPvTET4Y51muhNw5GTboGitL4S8B3cB+dbBz/FzzTWtQ== samdavidge@Sams-MacBook-Pro.local" - tyeadon_3sc = "ssh-rsa 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" - bsherred_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEZ2a1o2OQCvScQipFvnQ7OrCxWRx7QwGa76BB6YJ9aex13AANeMXQQ3hLWdKvTA03N47x6CwbwBcFs532Oc0EFjYrFYmt3/ZrUW87OKC0LJz+i9Ap7HfMtJWAKL5HyFWTqL1ohsXrXftdotq54rfJK2xJ+hRsFVKXxd8FFVhPNAN5nV7oVf+7Q9/WnPwXcHJvPQCys6oiDCySk0a9P76sW1vSFghAIokgMsFYK9PE5gLP4wT3G13A+Z+VOZTLzUJHoYRnFK/QPI2P5fAf7vstVYwIdDhw9NwZF2j9bTabQsqJrxVUrqCX2A2xEzLgfbVQm4JG5LWxneLTkzX1vzHr" - jsantos_3sc = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDefcdUnLcTtIQBL/J4+AyX7Em8NclP9UU9AyG/NSu1Di19HRnN0/IiuYKDvgyeyNtUOW7n/im2xf4RX7RfcrjeGTudrlHZX5sZF5R+PEQoktGTl11Mhkmqj/z//gHymDDk4wVyRJ8J1YHyxbwyhx6Y3m2hdDZOeS/VKejPSSaDk6DPCeB7smHE5W1gXr4EgCEKyC6u2b8neZEi0fn7Mx/pLTsIklQwud+wfJRhq9SilM8BVH5a/mUaE6joDoxcMdjKzb0iHGFzmnseJNJPPZbny917WG3OGlCn1Tpv0rv2x0QhSll5DDSAdJBx4O/N0ka/WhfpjRDg3Syj+AOONDZV9EwsykPc+29KHwVyathONxjbt6gm0E9zhBin0687mdhoAo24FSxc7mWZXtzS7Y64tYKB1yH7iLFBkRZdsX+sMTrL40cZbuIZtDRvrJsEtIWCkiOTN3hWpROIhFEfmbeVRbzB0wAI5ee1UfR3XKMykGcMzhTremLCRRTFpXo4Ty2x309Cv59W6dIlizHO2RLwQlZawFT8U0FLtuelvriiSrHAXEb/8FVqPpc8STt0Wn6Zqnljqdja+sQ6CmTNU6wI0hOXeqwd0VXx5o+pnhQovj2prJrzbi75q9eRJP2Trw4cwR8ZjklBDdqo+Y/CT+B099czn4fD8mGP512dpX5K4Q== javier@3sidedcube.com" - wkelsey_3sc = "ssh-rsa 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 will@wills-MBP.home" + tyeadon_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEZ2a1o2OQCvScQipFvnQ7OrCxWRx7QwGa76BB6YJ9aex13AANeMXQQ3hLWdKvTA03N47x6CwbwBcFs532Oc0EFjYrFYmt3/ZrUW87OKC0LJz+i9Ap7HfMtJWAKL5HyFWTqL1ohsXrXftdotq54rfJK2xJ+hRsFVKXxd8FFVhPNAN5nV7oVf+7Q9/WnPwXcHJvPQCys6oiDCySk0a9P76sW1vSFghAIokgMsFYK9PE5gLP4wT3G13A+Z+VOZTLzUJHoYRnFK/QPI2P5fAf7vstVYwIdDhw9NwZF2j9bTabQsqJrxVUrqCX2A2xEzLgfbVQm4JG5LWxneLTkzX1vzHr" + oevans_3sc = "ssh-rsa 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" + gcrosby_3sc = "ssh-rsa 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" } key_name = each.key public_key = each.value From 9b7abe76f383f48ed94cfa850467cdd2e4cf32a6 Mon Sep 17 00:00:00 2001 From: dockerised Date: Mon, 7 Mar 2022 17:15:33 +0000 Subject: [PATCH 05/40] Update firewall list --- terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index dff5adb..9160a65 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
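Review bot: The new `tyeadon_3sc` value is byte-for-byte the key the removed `bsherred_3sc` line carried, so this hunk relabels an existing key rather than adding Tyeadon's own; either the wrong key was pasted or one key is now shared by two names, which makes the bastion's `authorized_keys` useless for telling who logged in. The new entries also drop the trailing `user@host` comment the old lines had, which is the only in-file hint of a key's owner. Confirm the key with its owner before applying and keep the comment, e.g. `tyeadon_3sc = "ssh-rsa <PUBLIC-KEY-PLACEHOLDER> tyeadon@<host-placeholder>"`. The `aws_key_pair "all"` map that holds these entries starts above the hunk.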
@@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32"] - description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN"] + ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32"] + description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id From 179e4d28a42f98227ecf942ea2641bd3904f81f3 Mon Sep 17 00:00:00 2001 From: dockerised Date: Wed, 9 Mar 2022 10:07:24 +0000 Subject: [PATCH 06/40] Update firewall list --- terraform/main.tf | 4 ++-- terraform/standalone.tf | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 9160a65..c673086 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
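Review bot: `ssh_cidr_blocks` and `description` are two parallel lists kept in step only by position, and this hunk extends both by hand; one missed element silently shifts every label, and the same pair of lines is re-edited the same way in PATCH 06, 13, 18, 20, 22, 23 and 24 on this page. The new `86.143.108.56/32` is also the first personal address written as a literal rather than a `var.*_ip` variable like its neighbours, so it cannot be overridden per environment. Consider one `map(string)` of label to address and derive both lists from it, e.g. `ssh_cidr_blocks = [for label, ip in var.ssh_allow : "${ip}/32"]` and `description = keys(var.ssh_allow)` (`var.ssh_allow` is a constructed name), or at least add a `var.dockerised_ip` in the existing style. The `module "firewall"` block continues below the hunk.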
@@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32"] - description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised"] + ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32"] + description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 2908465..aad7f2c 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf 
@@ -31,6 +31,7 @@ resource "aws_key_pair" "all" { tyeadon_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEZ2a1o2OQCvScQipFvnQ7OrCxWRx7QwGa76BB6YJ9aex13AANeMXQQ3hLWdKvTA03N47x6CwbwBcFs532Oc0EFjYrFYmt3/ZrUW87OKC0LJz+i9Ap7HfMtJWAKL5HyFWTqL1ohsXrXftdotq54rfJK2xJ+hRsFVKXxd8FFVhPNAN5nV7oVf+7Q9/WnPwXcHJvPQCys6oiDCySk0a9P76sW1vSFghAIokgMsFYK9PE5gLP4wT3G13A+Z+VOZTLzUJHoYRnFK/QPI2P5fAf7vstVYwIdDhw9NwZF2j9bTabQsqJrxVUrqCX2A2xEzLgfbVQm4JG5LWxneLTkzX1vzHr" oevans_3sc = "ssh-rsa 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" gcrosby_3sc = "ssh-rsa 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" + gcrosby2_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIRH+V6hqIpFfPrw+7SkeROHr30Meci99Nc7fmeIxdlxR+yJPlogLFauj3D/4MMSvx+p4QjULd0TKO9Pc7b92vX1diqSNq3dom79ccZlntA+ITaS1DzmMcIcX3/szBUCmEeBYDw+v7Z7A77PvUQqxlLfx0I34JQEyF59XxVIwisz0tACaY1iLvdCAEypMTRWm1hDQPPRYJUHQ3VyOJ4XMUTo6iP4dwv3W1gKhq6Kpc00Ha1FBtpLSRtJhLqxq0kT9T2dYpvF3xf/r569PVolES/IBkgM/Vobbb3THrmH0TXKZNydaI1gLZC3y38nSmVJ/B2SH7AYwgBTkfO6jYez1 2021-08-04" } key_name = each.key public_key = each.value From 8aece4f39d16424a490e64e0ee42bac1c1a3c25a Mon Sep 17 00:00:00 2001 From: George Crosby Date: Wed, 9 Mar 2022 11:20:38 +0000 Subject: [PATCH 07/40] adding ecs describe perms to fix issue with task not deploying --- terraform/modules/vpc/main.tf | 61 +++++++++++++++++++++++++++++++---- 1 file changed, 55 insertions(+), 6 deletions(-) diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf index 7bca375..a283337 100644 --- a/terraform/modules/vpc/main.tf +++ b/terraform/modules/vpc/main.tf 
@@ -176,11 +176,13 @@ data "aws_ami" "amazon_linux_ami" { } resource "aws_instance" "bastion" { - ami = data.aws_ami.amazon_linux_ami.id - availability_zone = var.availability_zones[0] - ebs_optimized = true - instance_type = var.bastion_instance_type - monitoring = true + ami = data.aws_ami.amazon_linux_ami.id + availability_zone = var.availability_zones[0] + ebs_optimized = true + instance_type = var.bastion_instance_type + monitoring = true + iam_instance_profile = "${aws_iam_instance_profile.bastion_profile.name}" + subnet_id = aws_subnet.public[0].id vpc_security_group_ids = var.security_group_ids associate_public_ip_address = true @@ -199,6 +201,53 @@ resource "aws_instance" "bastion" { } +resource "aws_iam_instance_profile" "bastion_profile" { + name = "bastion_profile" + role = "${aws_iam_role.bastion_role.name}" +} +resource "aws_iam_role" "bastion_role" { + name = "bastion_role" + + assume_role_policy = < Date: Wed, 9 Mar 2022 11:22:31 +0000 Subject: [PATCH 08/40] adding ecs describe perms to fix issue with task not deploying --- terraform/modules/vpc/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf index a283337..3682917 100644 --- a/terraform/modules/vpc/main.tf +++ b/terraform/modules/vpc/main.tf @@ -234,8 +234,8 @@ resource "aws_iam_role_policy" "test_policy" { "Statement": [ { "Action": [ - "ecs:Describe*" - "ecs:List*" + "ecs:Describe*", + "ecs:List*", "ecs:UpdateService", "ecs:StopTask" ], From a876ab1483a7a69364df8448d5f65c3d56ca4521 Mon Sep 17 00:00:00 2001 From: dockerised Date: Wed, 9 Mar 2022 11:36:03 +0000 Subject: [PATCH 09/40] Add new ec2 host for APIGW testing --- terraform/apigw.tf | 95 ++++++++++++++++++++++++ terraform/user_data/bastion_setup.sh.tpl | 11 +++ 2 files changed, 106 insertions(+) create mode 100644 terraform/apigw.tf create mode 100644 terraform/user_data/bastion_setup.sh.tpl 
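Review bot: Beyond the missing commas this hunk fixes, the `Action` list pairs read-only `ecs:Describe*`/`ecs:List*` with `ecs:UpdateService` and `ecs:StopTask`, and neither the `Resource` element nor the `role` this policy attaches to is inside the hunk. If it is bound to `bastion_role` (PATCH 07 on this same line wires `bastion_profile` to that role), every SSH user on the bastion inherits the ability to stop tasks and redeploy services account-wide unless `Resource` is narrowed. Scope `Resource` to the cluster and service ARNs the deployment path actually needs, and give the policy a descriptive name; the fixed `test_policy`, `bastion_role` and `bastion_profile` names will also collide if two environments share one account. The policy document starts and ends outside the hunk.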
diff --git a/terraform/apigw.tf b/terraform/apigw.tf new file mode 100644 index 0000000..e6a99b2 --- /dev/null +++ b/terraform/apigw.tf 
@@ -0,0 +1,95 @@ +locals { + public_subnet_cidr_blocks = ["10.0.0.0/20", # Copied from default value of modules/vpc/variables.tf + "10.0.16.0/20", + "10.0.32.0/20", + "10.0.48.0/20", + "10.0.64.0/20", + "10.0.80.0/20"] +} + +data "aws_ami" "amazon_linux_ami" { + most_recent = true + owners = [ + "amazon"] + + filter { + name = "name" + values = [ + "amzn2-ami-hvm*"] + } +} + +resource "aws_security_group" "apigw" { + vpc_id = module.vpc.id + name = "${var.project_prefix}-apigw" + tags = merge( + { + Name = "${var.project_prefix}-apigw" + }, + local.tags + ) +} + +resource "aws_security_group_rule" "apigw_http_ingress" { + type = "ingress" + from_port = "80" + to_port = "80" + protocol = "tcp" + cidr_blocks = local.public_subnet_cidr_blocks + + security_group_id = aws_security_group.apigw.id +} +resource "aws_security_group_rule" "apigw_https_ingress" { + type = "ingress" + from_port = "443" + to_port = "443" + protocol = "tcp" + cidr_blocks = local.public_subnet_cidr_blocks + + security_group_id = aws_security_group.apigw.id +} + +# User data script to bootstrap authorized ssh keys +data "template_file" "apigw_setup" { + template = file("${path.module}/user_data/bastion_setup.sh.tpl") + vars = { + user = "ec2-user" + authorized_ssh_keys = <> /home/ec2-user/.ssh/authorized_keys", values(aws_key_pair.all)[*].public_key)~} +${row} +%{endfor~} +EOT + } +} + +resource "aws_instance" "apigw" { + ami = data.aws_ami.amazon_linux_ami.id + availability_zone = "us-east-1a" + ebs_optimized = true + instance_type = "t3.large" + monitoring = true + subnet_id = module.vpc.public_subnets[0].id + vpc_security_group_ids = [module.firewall.default_security_group_id, aws_security_group.apigw.id] + associate_public_ip_address = true + user_data = data.template_file.apigw_setup.rendered + + lifecycle { + ignore_changes = [ami] + } + + tags = merge( + { + Name = "${var.project}-ApiGW" + }, + local.tags + ) +} + +resource "aws_eip" "apigw" { + vpc = true +} + +resource 
"aws_eip_association" "eip_assoc" { + instance_id = aws_instance.apigw.id + allocation_id = aws_eip.apigw.id +} \ No newline at end of file diff --git a/terraform/user_data/bastion_setup.sh.tpl b/terraform/user_data/bastion_setup.sh.tpl new file mode 100644 index 0000000..57ab245 --- /dev/null +++ b/terraform/user_data/bastion_setup.sh.tpl @@ -0,0 +1,11 @@ +#!/bin/bash + +# +# Public keys for ssh +# +touch /home/"${user}"/.ssh/authorized_keys + +${authorized_ssh_keys} + +chown ${user}: /home/"${user}"/.ssh/authorized_keys +chmod 0600 /home/"${user}"/.ssh/authorized_keys \ No newline at end of file From 6ad91981e54e448f95f3a3ef351c2dfa4bacd35d Mon Sep 17 00:00:00 2001 From: dockerised Date: Wed, 9 Mar 2022 11:44:31 +0000 Subject: [PATCH 10/40] Add outputs and troubleshoot apigw --- terraform/apigw.tf | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/terraform/apigw.tf b/terraform/apigw.tf index e6a99b2..0fbf58a 100644 --- a/terraform/apigw.tf +++ b/terraform/apigw.tf @@ -1,12 +1,3 @@ -locals { - public_subnet_cidr_blocks = ["10.0.0.0/20", # Copied from default value of modules/vpc/variables.tf - "10.0.16.0/20", - "10.0.32.0/20", - "10.0.48.0/20", - "10.0.64.0/20", - "10.0.80.0/20"] -} - data "aws_ami" "amazon_linux_ami" { most_recent = true owners = [ @@ -35,7 +26,7 @@ resource "aws_security_group_rule" "apigw_http_ingress" { from_port = "80" to_port = "80" protocol = "tcp" - cidr_blocks = local.public_subnet_cidr_blocks + cidr_blocks = module.vpc.cidr_block security_group_id = aws_security_group.apigw.id } @@ -44,7 +35,7 @@ resource "aws_security_group_rule" "apigw_https_ingress" { from_port = "443" to_port = "443" protocol = "tcp" - cidr_blocks = local.public_subnet_cidr_blocks + cidr_blocks = module.vpc.cidr_block security_group_id = aws_security_group.apigw.id } 
@@ -64,7 +55,7 @@ EOT resource "aws_instance" "apigw" { ami = data.aws_ami.amazon_linux_ami.id - availability_zone = "us-east-1a" + availability_zone = module.vpc.public_subnet_az[0] ebs_optimized = true instance_type = "t3.large" monitoring = true @@ -92,4 +83,11 @@ resource "aws_eip" "apigw" { resource "aws_eip_association" "eip_assoc" { instance_id = aws_instance.apigw.id allocation_id = aws_eip.apigw.id +} + +output "api_gw_hostname" { + value = aws_instance.apigw.public_dns +} +output "api_gw_public_ip" { + value = aws_instance.apigw.public_ip } \ No newline at end of file From 433b331ce57ea391a2d63d4ad42d71d0d73fb61e Mon Sep 17 00:00:00 2001 From: dockerised Date: Wed, 9 Mar 2022 11:47:29 +0000 Subject: [PATCH 11/40] Troubleshoot apigw ingress rules --- terraform/apigw.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/apigw.tf b/terraform/apigw.tf index 0fbf58a..c80fc7f 100644 --- a/terraform/apigw.tf +++ b/terraform/apigw.tf @@ -26,7 +26,7 @@ resource "aws_security_group_rule" "apigw_http_ingress" { from_port = "80" to_port = "80" protocol = "tcp" - cidr_blocks = module.vpc.cidr_block + cidr_blocks = [module.vpc.cidr_block] security_group_id = aws_security_group.apigw.id } @@ -35,7 +35,7 @@ resource "aws_security_group_rule" "apigw_https_ingress" { from_port = "443" to_port = "443" protocol = "tcp" - cidr_blocks = module.vpc.cidr_block + cidr_blocks = [module.vpc.cidr_block] security_group_id = aws_security_group.apigw.id } From 812e1bb57b7c14e838d70c0db7dc36ebe19483ab Mon Sep 17 00:00:00 2001 From: dockerised Date: Wed, 9 Mar 2022 13:49:22 +0000 Subject: [PATCH 12/40] Add output for apigw instance arn --- terraform/apigw.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/apigw.tf b/terraform/apigw.tf index c80fc7f..acc65aa 100644 --- a/terraform/apigw.tf +++ b/terraform/apigw.tf 
@@ -90,4 +90,7 @@ output "api_gw_hostname" { } output "api_gw_public_ip" { value = aws_instance.apigw.public_ip +} +output "api_gw_instance_arn" { + value = aws_instance.apigw.arn } \ No newline at end of file From ace1f95b0b476075288d8a1b12837fb083870c7d Mon Sep 17 00:00:00 2001 From: dockerised Date: Tue, 22 Mar 2022 10:54:33 +0000 Subject: [PATCH 13/40] Add ips to firewall --- terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index c673086..85d791c 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32"] - description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2"] + ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id From c0e0888be613c8e0852faa4e6ab35e549f216f96 Mon Sep 17 00:00:00 2001 From: Daniel Mannarino Date: Wed, 30 Mar 2022 14:07:34 -0400 Subject: [PATCH 14/40] Fix a typo --- terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/main.tf b/terraform/main.tf index dff5adb..028367d 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -102,7 +102,7 @@ module "pipeline_bucket" { enabled = true prefix = "geotrellis/results/" transition = [{ - days = 30 # initally set to 7 days but this is somehow no longer possible + days = 30 # initially set to 7 days but this is somehow no longer possible storage_class = "STANDARD_IA" # or "ONEZONE_IA" }, { days = 60 From 4ce26a79a9c8fcbd08f9e48b6604cb98caf874db Mon Sep 17 00:00:00 2001 From: Daniel Mannarino Date: Mon, 4 Apr 2022 12:37:58 -0400 Subject: [PATCH 15/40] Add globalforestwatch_new cert --- terraform/outputs.tf | 2 +- terraform/standalone.tf | 19 +++++++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 639dea4..1bc8e00 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -134,7 +134,7 @@ output "secrets_planet_api_key_policy_arn" { } output "acm_certificate" { - value = aws_acm_certificate.globalforestwatch[0].arn + value = aws_acm_certificate.globalforestwatch_new[0].arn } output "aurora_cluster_instance_class" { diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 2908465..6cc98e4 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf @@ -1,5 +1,6 @@ # We generate certificates outside of AWS and manually registered it with the account. # We imported the existing certificate into TF state +# I suspect ^ is only true of staging/prod, not dev - Daniel resource "aws_acm_certificate" "globalforestwatch" { domain_name = "*.globalforestwatch.org" 
@@ -16,6 +17,21 @@ resource "aws_acm_certificate" "globalforestwatch" { count = 1 } +resource "aws_acm_certificate" "globalforestwatch_new" { + domain_name = "*.globalforestwatch.org" + validation_method = "DNS" + + tags = merge({ + "Name" = "Global Forest Watch Wildcard" + }, + local.tags) + + lifecycle { + create_before_destroy = true + } + count = 1 +} + # Need to create new private keys outside of TF and AWS # Note: Adding new keys will destroy the Bastion host and recreate it with new user data @@ -43,5 +59,4 @@ resource "aws_key_pair" "all" { resource "aws_cloudwatch_log_group" "batch_job" { name = "/aws/batch/job" retention_in_days = 30 -} - +} \ No newline at end of file From 48b7a4777794e572dd8fc47c67288f2162cce6e6 Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Mon, 11 Apr 2022 11:36:57 -0700 Subject: [PATCH 16/40] Add code owners --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..20b2998 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @gfw-api @tanderegg @jterry64 @dmannarino @solomon-negusse \ No newline at end of file From 3cd5656ed67dc06b723a614378e389406d48c1b6 Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Mon, 11 Apr 2022 11:36:57 -0700 Subject: [PATCH 17/40] Add code owners --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..20b2998 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @gfw-api @tanderegg @jterry64 @dmannarino @solomon-negusse \ No newline at end of file From e1d4007011001fe49624c3436688f543e5c4a29e Mon Sep 17 00:00:00 2001 From: George Crosby Date: Thu, 14 Apr 2022 13:34:26 +0200 Subject: [PATCH 18/40] Adding Luri --- terraform/main.tf | 4 ++-- terraform/standalone.tf | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 028367d..aa34bde 100644 --- a/terraform/main.tf 
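Review bot: `globalforestwatch_new` is requested with `validation_method = "DNS"` but the hunk adds no `aws_acm_certificate_validation` or DNS validation records, while `outputs.tf` in the same patch (previous line) already switches `acm_certificate` to the new ARN; anything that binds that ARN to a listener will fail until the certificate is issued, unless validation is handled outside this state. Add the validation resource and export its `certificate_arn` so the output only resolves once the certificate is valid, e.g. `value = aws_acm_certificate_validation.globalforestwatch_new[0].certificate_arn`. Both resources now request the same `*.globalforestwatch.org` wildcard with `count = 1`; note in a comment when the old `globalforestwatch` resource (and the "imported" remark above it) is to be retired so two live certificates for one name do not linger.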
+++ b/terraform/main.tf @@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32"] - description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN"] + ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 6cc98e4..d033ab4 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf @@ -47,6 +47,7 @@ resource "aws_key_pair" "all" { tyeadon_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEZ2a1o2OQCvScQipFvnQ7OrCxWRx7QwGa76BB6YJ9aex13AANeMXQQ3hLWdKvTA03N47x6CwbwBcFs532Oc0EFjYrFYmt3/ZrUW87OKC0LJz+i9Ap7HfMtJWAKL5HyFWTqL1ohsXrXftdotq54rfJK2xJ+hRsFVKXxd8FFVhPNAN5nV7oVf+7Q9/WnPwXcHJvPQCys6oiDCySk0a9P76sW1vSFghAIokgMsFYK9PE5gLP4wT3G13A+Z+VOZTLzUJHoYRnFK/QPI2P5fAf7vstVYwIdDhw9NwZF2j9bTabQsqJrxVUrqCX2A2xEzLgfbVQm4JG5LWxneLTkzX1vzHr" oevans_3sc = "ssh-rsa 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" gcrosby_3sc = "ssh-rsa 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" + lpopov_3sc = "ssh-rsa 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 2022-04-14" } key_name = each.key public_key = each.value From 94b6b5aae5026852c24f3db8fc46cfdeca48ad95 Mon Sep 17 00:00:00 2001 
From: George Crosby Date: Fri, 22 Apr 2022 11:05:23 +0100 Subject: [PATCH 19/40] adding owens new ssh key --- terraform/standalone.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 6cc98e4..c90debf 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf @@ -45,7 +45,7 @@ resource "aws_key_pair" "all" { // TODO: Same keys are also define in the FW Core Infrastructure State. Due to circular dependencies, and TF version conflicts I could not import those keys into this state // we only need the keys here to add them to the bastion host. An alternative would be to create a separate bastion host for 3SC in their repo tyeadon_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEZ2a1o2OQCvScQipFvnQ7OrCxWRx7QwGa76BB6YJ9aex13AANeMXQQ3hLWdKvTA03N47x6CwbwBcFs532Oc0EFjYrFYmt3/ZrUW87OKC0LJz+i9Ap7HfMtJWAKL5HyFWTqL1ohsXrXftdotq54rfJK2xJ+hRsFVKXxd8FFVhPNAN5nV7oVf+7Q9/WnPwXcHJvPQCys6oiDCySk0a9P76sW1vSFghAIokgMsFYK9PE5gLP4wT3G13A+Z+VOZTLzUJHoYRnFK/QPI2P5fAf7vstVYwIdDhw9NwZF2j9bTabQsqJrxVUrqCX2A2xEzLgfbVQm4JG5LWxneLTkzX1vzHr" - oevans_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCd3YO71r9bA5ziwi0upz1ESlDUKqgLeWRdROJ5hRNb7fkMx68UnHqPxj/S/+OXWMjlW1kSnSqXZcaWbqSkQ7neI6obMjaQ7lGxCy1NPPDzwv/BID4S2U3hMIMKoAlhK6P0rvSPkn4wpPl4g8Dlmj9y0nX2GBK3zcoeTroDA9EUtZspjTX/+3lcJS/Yln+ZVHtTQVT83HbFXWyui53TyRG2m1ieEcCCUFYxeSKFdQvSTqTD+AioXdU7Z/Akie4DR/J1o1rO3WlBvpYqSAnWOcj+l1VtJYE7xMr/O+L6CkfhuIoU/LlbagdEJsq03WAYUfETUCCTcwKn2ALHQ4bQ/TeCYuEfnZ2KpUZOY+goNpptXozKx1+SDjJjpXbZ4mZcawEmPYQQS/dcgQi40X038c/X7nxtnQNWJUbbwIhiZ+mdfiRy7CS6J1u7LRm5T17Vg+V5IlKW98tDmbx9TFzUXeODgDoqII9KoF79+E/WvHNuQNqIAC/DMIFoGaOMS1R30dM=" + oevans_3sc = "ssh-rsa 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 owen@3s-MacBook-Pro.local" gcrosby_3sc = "ssh-rsa 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" } key_name = each.key From 86b284bcc95fe098c21d67a8d054b1fef4d086fc Mon Sep 17 00:00:00 2001 
From: George Crosby Date: Fri, 22 Apr 2022 11:56:46 +0100 Subject: [PATCH 20/40] adding pub and ssh key --- terraform/main.tf | 4 ++-- terraform/standalone.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 028367d..f27a208 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32"] - description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN"] + ssh_cidr_blocks = ["92.234.149.30/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32"] + description = ["george","Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 6cc98e4..0029ce0 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf 
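Review bot: `92.234.149.30/32` is added here under the label `george`, but PATCH 06 on this page already admits the same address as `Dockerised2`; this hunk's old side (index 028367d) predates those additions, so the branch is based on a stale `main.tf` and the two lists are set to duplicate on merge, which PATCH 22 then shows. Rebase onto the current firewall list and keep one entry per address, ideally as a `var.*_ip` variable like the other personal addresses. `["george","Office", ...]` also drops the space after the comma used everywhere else in the list.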
@@ -46,7 +46,7 @@ resource "aws_key_pair" "all" { // we only need the keys here to add them to the bastion host. An alternative would be to create a separate bastion host for 3SC in their repo tyeadon_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEZ2a1o2OQCvScQipFvnQ7OrCxWRx7QwGa76BB6YJ9aex13AANeMXQQ3hLWdKvTA03N47x6CwbwBcFs532Oc0EFjYrFYmt3/ZrUW87OKC0LJz+i9Ap7HfMtJWAKL5HyFWTqL1ohsXrXftdotq54rfJK2xJ+hRsFVKXxd8FFVhPNAN5nV7oVf+7Q9/WnPwXcHJvPQCys6oiDCySk0a9P76sW1vSFghAIokgMsFYK9PE5gLP4wT3G13A+Z+VOZTLzUJHoYRnFK/QPI2P5fAf7vstVYwIdDhw9NwZF2j9bTabQsqJrxVUrqCX2A2xEzLgfbVQm4JG5LWxneLTkzX1vzHr" oevans_3sc = "ssh-rsa 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" - gcrosby_3sc = "ssh-rsa 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" + gcrosby_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIRH+V6hqIpFfPrw+7SkeROHr30Meci99Nc7fmeIxdlxR+yJPlogLFauj3D/4MMSvx+p4QjULd0TKO9Pc7b92vX1diqSNq3dom79ccZlntA+ITaS1DzmMcIcX3/szBUCmEeBYDw+v7Z7A77PvUQqxlLfx0I34JQEyF59XxVIwisz0tACaY1iLvdCAEypMTRWm1hDQPPRYJUHQ3VyOJ4XMUTo6iP4dwv3W1gKhq6Kpc00Ha1FBtpLSRtJhLqxq0kT9T2dYpvF3xf/r569PVolES/IBkgM/Vobbb3THrmH0TXKZNydaI1gLZC3y38nSmVJ/B2SH7AYwgBTkfO6jYez1 2021-08-04" } key_name = each.key public_key = each.value From ab41d4d3000a3fa5a6e3d1492ce6236da693129f Mon Sep 17 00:00:00 2001 From: dockerised Date: Mon, 25 Apr 2022 11:31:51 +0100 Subject: [PATCH 21/40] Add output for keypairs --- terraform/outputs.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 1bc8e00..0c92686 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -47,6 +47,10 @@ output "webserver_security_group_id" { value = module.firewall.webserver_security_group_id } +output "key_pairs" { + value = aws_key_pair.all +} + output "key_pair_tmaschler_gfw" { value = aws_key_pair.all["tmaschler_gfw"].key_name } From 0cec607b93d6c5b563c5f23882a4b28f9e4d2989 Mon Sep 17 00:00:00 2001 
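Review bot: The new `gcrosby_3sc` value is identical to the `gcrosby2_3sc` key added in PATCH 06 (trailing comment `2021-08-04` included), so once the branches meet (PATCH 23's context shows both names side by side) the same public key is registered under two `aws_key_pair` names and appended twice to every host's `authorized_keys`. If the intent is to replace the old key, remove `gcrosby2_3sc` in the same change; if two distinct keys are meant, restore the distinct one here. The `aws_key_pair "all"` map starts above the hunk.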
From: Justin Terry Date: Mon, 25 Apr 2022 16:30:08 -0700 Subject: [PATCH 22/40] Merge firewall changes --- terraform/main.tf | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 5cd5293..d6f9fbe 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -138,13 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix -<<<<<<< HEAD - ssh_cidr_blocks = ["92.234.149.30/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32"] - description = ["george","Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN"] -======= - ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] - description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] ->>>>>>> dev + ssh_cidr_blocks = ["54.173.196.8/32", "92.234.149.30/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["3SC Office VPN", "george", "Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id From cc1d52fe1faea742467a62fe50d854f9846dd540 Mon Sep 17 00:00:00 2001 
From: Justin Terry Date: Wed, 27 Apr 2022 08:48:48 -0700 Subject: [PATCH 23/40] Fix SSH key and IP --- terraform/main.tf | 2 +- terraform/standalone.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index d6f9fbe..40b5562 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -138,7 +138,7 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["54.173.196.8/32", "92.234.149.30/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] description = ["3SC Office VPN", "george", "Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 4861d56..4336593 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf 
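Review bot: Removing the duplicate `92.234.149.30/32` (the `george` entry) takes `ssh_cidr_blocks` from 13 to 12 elements while the `description` context line keeps all 13, so if the firewall module pairs the lists by index every label after the first is now off by one: `george` lands on `216.70.220.184/32`, `Office` on Thomas's address, and `Edward` has no address at all. Delete the matching label in the same change, `description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"]`, or derive both lists from one map so this cannot recur. The `module "firewall"` block continues below the hunk.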
@@ -50,7 +50,7 @@ resource "aws_key_pair" "all" { gcrosby_3sc = "ssh-rsa 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" lpopov_3sc = "ssh-rsa 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 2022-04-14" ipopov_3sc = "ssh-rsa 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 iuripopov@Iuris-MacBook-Pro.local" - emartin_3sc = "ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIKFswrv6M8/eas6Q3WflzAN6IPLHJ426dfJE2a7MVm4S edward@3sidedcube.com" + emartin_3sc = "ssh-rsa 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 edward@3sidedcube.com" gcrosby2_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIRH+V6hqIpFfPrw+7SkeROHr30Meci99Nc7fmeIxdlxR+yJPlogLFauj3D/4MMSvx+p4QjULd0TKO9Pc7b92vX1diqSNq3dom79ccZlntA+ITaS1DzmMcIcX3/szBUCmEeBYDw+v7Z7A77PvUQqxlLfx0I34JQEyF59XxVIwisz0tACaY1iLvdCAEypMTRWm1hDQPPRYJUHQ3VyOJ4XMUTo6iP4dwv3W1gKhq6Kpc00Ha1FBtpLSRtJhLqxq0kT9T2dYpvF3xf/r569PVolES/IBkgM/Vobbb3THrmH0TXKZNydaI1gLZC3y38nSmVJ/B2SH7AYwgBTkfO6jYez1 2021-08-04" } key_name = each.key From d34ee4535cfb731ba24ae7f26a5e8b3f01194248 Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Wed, 27 Apr 2022 09:06:42 -0700 Subject: [PATCH 24/40] Remove duplicate IPs --- terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 40b5562..25f0c2f 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
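Review bot: The replaced `emartin_3sc` value paired an `ssh-rsa` prefix with an Ed25519 key blob (`AAAAC3NzaC1lZDI1NTE5…` is the base64 of the `ssh-ed25519` type string), which I would expect EC2 key import to reject as malformed; the new value, shown in full in the same hunk as PATCH 27 at L28, is a proper `AAAAB3NzaC1yc2E…` RSA blob, so the commit fixes it but leaves no trace of why. A one-line comment above the map would stop the next paste repeating it: `# The type prefix (ssh-rsa / ssh-ed25519) must match the key blob; mismatched entries fail at apply time.` The `for_each` map and the `aws_key_pair.all` resource start and end outside the hunk.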
@@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] - description = ["3SC Office VPN", "george", "Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] + ssh_cidr_blocks = ["${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id From 0b77543d4addafa42ea890948b24791f27f9f137 Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Wed, 27 Apr 2022 09:13:59 -0700 Subject: [PATCH 25/40] Remove duplicate security IDs --- terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 25f0c2f..4c685d3 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] - description = ["Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] + ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id From dc454d4117fc81cb1dd22d3bf5605a17419de78f Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Wed, 27 Apr 2022 09:32:02 -0700 Subject: [PATCH 26/40] Remove duplicate IP --- terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/main.tf b/terraform/main.tf index 4c685d3..79f9fac 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
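Review bot: `"${var.snegusse_ip}/32"` has been dropped from `ssh_cidr_blocks` while `"Solomon"` stays in `description`, and `"${var.vpn_3sc_ip}/32"` stays while `"3SC VPN"` is gone, so the counts still match but `"Solomon"` now labels the VPN address and a distinct user has lost access under a commit titled "Remove duplicate security IDs". The likely intent is to keep `"${var.snegusse_ip}/32"` and drop `"${var.vpn_3sc_ip}/32"` (or drop its label too). The `module "firewall"` block continues past the hunk.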
@@ -138,7 +138,7 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block From fd0a08319d31a41e901d4520afb31759ba96ddba Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Wed, 27 Apr 2022 08:48:48 -0700 Subject: [PATCH 27/40] Add SSH keys and IPs for 3SC --- terraform/main.tf | 4 ++-- terraform/standalone.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index d6f9fbe..79f9fac 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["54.173.196.8/32", "92.234.149.30/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] - description = ["3SC Office VPN", "george", "Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] + ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 4861d56..4336593 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf 
@@ -50,7 +50,7 @@ resource "aws_key_pair" "all" { gcrosby_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlNQHV5VApZuneWtc9m9d7WEUqmfoLWm0John5vRwoPC0GYIU56BH90Yeiw5HkXJsiqnO+WXubFqWylhCRyfckNiTC7sKbpydZHVH4VmvNzOV4z8BXPob1qsnL2d+5eO8U7Sf21jpBQ4HEXgBk4GZ4eRuktM4eYRGsgTRW/FLFUex6c76Nb5va0FakDKXNKiojIoTIjLN0sxKAQtxuJAt4X4Jg6rtd5pS/4l9pH/VPncKcag1tDvx5ytN/4+lb9IZg/8OyG5JZDWaCsvhauJxn+LGP3GtHiEmiu3IMvTwthVWBj1rmFaX/KoOSlQazHlzEREHQ51mb+6MXSwoz+WrqcgkvFLtky0syMRqwjBgCU2IoKS/Cn2+qh7pI0L7ctPb7WjKmQw7vTfQDW3IDPPU2/H2WlJRChrLMWYzFt6oBWKDr4D7YwH89LYsA67rR9xZHY6TgmVexjiXPjnawAqHKEryESqSuNLDWQmNwrGJaWzmf04T3N+5puDIyuhq5MIlbP63mxSXOUEsFIsCKZPkuh/oR105cbSW3U2fZIajuNICXU/YETChn9K7CaR53uqWM7A6vU2VipNb8NJ4v0IP1djECR3/HwrCY+04Fvt/ZOzbvME6cXxfPZLCDRF9Styz4NiTKPQz/6g3Gbl6CF86vdG8uVKmLRUbSBUbEJX02Sw==" lpopov_3sc = "ssh-rsa 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 2022-04-14" ipopov_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDI3Vd+ksZNDpkxKLdwgHD5FZ8ngUk7Xvj9cV9nlGQ90ti77d+QtqRjGYpCmechizl5BEaaT9xi1DH8W7h3Isu85CnuAQqwb5lZMKDGsEzQTzxZ7h3AuMFkMNrN3d7PupwFifLVXmQF5R7E9I0EIGTrtnrINrzWMuU4VxVu3N0z3VDdkAvOAPDARaggr9K5zvmxB8NQ0iXCafNFk5bsddour/yxmWXxT7M3+qDB3CcHVzFqtMKVPyAs9HSuEfNBpenSTyNCMw78Bn7uvTzZdVlLIfmvz4H17pwKnoQTf3TEzTmpKg8A3XaqbHVrFODr7zl11tVxykA5nsy+FdeRu2z8quUji/qK0tStAd/1F6a19bLZ1rvlZp5uGbQnMuqNqiuEJs0F90VqcaEZ1wZe7d6EFPr++Yby2hUEo/eh3X8aSg50uog5S4f3pnbzB6RTB1dwLZWMo/tTx0UW/SavrbTcQlCOm31uKfJWkOgVW/lVikPq0O7k903OMIPPMSkCJ3U= iuripopov@Iuris-MacBook-Pro.local" - emartin_3sc = "ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIKFswrv6M8/eas6Q3WflzAN6IPLHJ426dfJE2a7MVm4S edward@3sidedcube.com" + emartin_3sc = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQC2CK+B7W21KNwYK9OYNgBME0ski/Iv92uyljXdIq8q6UjczaiuOx9k2uFTBKzRfcnUkd3/Csr7utw/grSZEAJz/nRq0r1LzW+CBv7FMuhAzQ0iO/dSLwgD0Jygb3y52o/P/raPobADFzpS1tOeX+RtOIEHT2Ki7m7FIdOAmHJ7iOSmpGpe/XSkrA3pjewVX2S/FKmTqgrRFsSxYbH0UlrX3AvetZOMCYsK5r0eWc+Pcifq2qEPc6uRasoLwlVj4f51llT36ILGvvQZJX/8JiBzhAo8Yg8Qz0S62tGCHpgLEOdTJu6ZyKA6xiq6YWwOxSEPq99L0pur0ahbLvmIJp0PPvhz9yMpdQCUu+wh0xy4fLtFm+112/uGl7THKiGWc/oM8VPNdF8ZtjU2FWA3oP1ZKm7uAKXw/pXiG50wYjaqh8joGoDn5d41vMfHCWC0ZsTyNYRDNIm2mKQBUQNdEiBYWOx2HVgWWbQbff2JMLS4qy5lnwBhL0GZArB6eSJsLiU= edward@3sidedcube.com" gcrosby2_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIRH+V6hqIpFfPrw+7SkeROHr30Meci99Nc7fmeIxdlxR+yJPlogLFauj3D/4MMSvx+p4QjULd0TKO9Pc7b92vX1diqSNq3dom79ccZlntA+ITaS1DzmMcIcX3/szBUCmEeBYDw+v7Z7A77PvUQqxlLfx0I34JQEyF59XxVIwisz0tACaY1iLvdCAEypMTRWm1hDQPPRYJUHQ3VyOJ4XMUTo6iP4dwv3W1gKhq6Kpc00Ha1FBtpLSRtJhLqxq0kT9T2dYpvF3xf/r569PVolES/IBkgM/Vobbb3THrmH0TXKZNydaI1gLZC3y38nSmVJ/B2SH7AYwgBTkfO6jYez1 2021-08-04" } key_name = each.key From d289901f0fc332f21eef6f84dd0d8afdf3ffc2f0 Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Wed, 27 Apr 2022 09:58:26 -0700 Subject: [PATCH 28/40] Update 3SC SSH keys and IP addresses --- terraform/main.tf | 4 ++-- terraform/outputs.tf | 4 ++++ terraform/standalone.tf | 6 +++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 85d791c..2ad50fe 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.office_3sc_ip}/32", "${var.vpn_3sc_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] - description = ["Office", "Thomas", "Justin", "Daniel", "Solomon", "3SC Office", "3SC VPN", "Dockerised", "Dockerised2", "Owen", "Edward"] + ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 639dea4..eb3c0c6 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -47,6 +47,10 @@ output "webserver_security_group_id" { value = module.firewall.webserver_security_group_id } +output "key_pairs" { + value = aws_key_pair.all +} + output "key_pair_tmaschler_gfw" { value = aws_key_pair.all["tmaschler_gfw"].key_name } diff --git a/terraform/standalone.tf b/terraform/standalone.tf index aad7f2c..26c932c 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf 
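Review bot: `"${var.office_3sc_ip}/32"` and `"${var.vpn_3sc_ip}/32"` are removed from `ssh_cidr_blocks` in favour of the literal `"54.173.196.8/32"` (`"3SC Office VPN"`), yet the workflows later in this series (L35–L38) still inject `office_3sc_ip`/`vpn_3sc_ip` from repository secrets and `variables.tf` still declares `office_3sc_ip` (L44). If the literal is the same address as one of those secrets it now sits in plain text in a committed file, defeating the point of the secret; if it is not, the two variables are dead inputs that every job still has to supply. Either keep the address behind its variable or remove the variables and the workflow plumbing together. The same substitution appears at L24 and L26.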
@@ -29,8 +29,12 @@ resource "aws_key_pair" "all" { // TODO: Same keys are also define in the FW Core Infrastructure State. Due to circular dependencies, and TF version conflicts I could not import those keys into this state // we only need the keys here to add them to the bastion host. An alternative would be to create a separate bastion host for 3SC in their repo tyeadon_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEZ2a1o2OQCvScQipFvnQ7OrCxWRx7QwGa76BB6YJ9aex13AANeMXQQ3hLWdKvTA03N47x6CwbwBcFs532Oc0EFjYrFYmt3/ZrUW87OKC0LJz+i9Ap7HfMtJWAKL5HyFWTqL1ohsXrXftdotq54rfJK2xJ+hRsFVKXxd8FFVhPNAN5nV7oVf+7Q9/WnPwXcHJvPQCys6oiDCySk0a9P76sW1vSFghAIokgMsFYK9PE5gLP4wT3G13A+Z+VOZTLzUJHoYRnFK/QPI2P5fAf7vstVYwIdDhw9NwZF2j9bTabQsqJrxVUrqCX2A2xEzLgfbVQm4JG5LWxneLTkzX1vzHr" - oevans_3sc = "ssh-rsa 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" + gcrosby_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIRH+V6hqIpFfPrw+7SkeROHr30Meci99Nc7fmeIxdlxR+yJPlogLFauj3D/4MMSvx+p4QjULd0TKO9Pc7b92vX1diqSNq3dom79ccZlntA+ITaS1DzmMcIcX3/szBUCmEeBYDw+v7Z7A77PvUQqxlLfx0I34JQEyF59XxVIwisz0tACaY1iLvdCAEypMTRWm1hDQPPRYJUHQ3VyOJ4XMUTo6iP4dwv3W1gKhq6Kpc00Ha1FBtpLSRtJhLqxq0kT9T2dYpvF3xf/r569PVolES/IBkgM/Vobbb3THrmH0TXKZNydaI1gLZC3y38nSmVJ/B2SH7AYwgBTkfO6jYez1 2021-08-04" + oevans_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdy9oatA/nDCdGpBusaK/XiqSWrWSMtVkBQAfIEznZf1vCUsbOrgLQTYJWbuPaHj0IBzZlEeFATLEY04GIYa++t1du1JAIJqd2bhNYrEGYPimkzF11k93UygIuYnDdgJfApwyibdvUj63xtgP/INzUJan2NdgGZ/pg7ZJAbPMZgtE+QO8qFZkHIsnnAyJl+ZyV5SrMjK+5Qxv05TuR+bb1sGg05IW2uqAHdRMZEREfRdDoo1jVU7oIsHbNJQdSvA6kC0NBfIn0M1nb/br6t+Gr7oACzpOs/JKSOinIi0l1pJZ1dDoQTS5ACppUh5MXjgsmGCxYk7pN7x0vTj+bxQBFLbJZklK/dTAPVO8MKIFDHgfnh4LyoEPnOcpkUcmZ3Dxl1PulEYmtQRkOdQPI5jkF2SOT/iJ42UIgMZ1m08ZOT4wf+oKncW9Rb/4uo+PHRddrdBcyS/dZHkLDogvYNpMXpeJyniRHcEsXszv5HPPf88Ka93pj0N1btz0bwgpG8Yc= owen@3s-MacBook-Pro.local" gcrosby_3sc = "ssh-rsa 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" + lpopov_3sc = "ssh-rsa 
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 2022-04-14" + ipopov_3sc = "ssh-rsa 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 iuripopov@Iuris-MacBook-Pro.local" + emartin_3sc = "ssh-rsa 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 edward@3sidedcube.com" gcrosby2_3sc = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIRH+V6hqIpFfPrw+7SkeROHr30Meci99Nc7fmeIxdlxR+yJPlogLFauj3D/4MMSvx+p4QjULd0TKO9Pc7b92vX1diqSNq3dom79ccZlntA+ITaS1DzmMcIcX3/szBUCmEeBYDw+v7Z7A77PvUQqxlLfx0I34JQEyF59XxVIwisz0tACaY1iLvdCAEypMTRWm1hDQPPRYJUHQ3VyOJ4XMUTo6iP4dwv3W1gKhq6Kpc00Ha1FBtpLSRtJhLqxq0kT9T2dYpvF3xf/r569PVolES/IBkgM/Vobbb3THrmH0TXKZNydaI1gLZC3y38nSmVJ/B2SH7AYwgBTkfO6jYez1 2021-08-04" } key_name = each.key From b11c7a1c75a12e2c723a02b28f3c7be9db4a706d Mon Sep 17 00:00:00 2001 From: George Crosby Date: Fri, 29 Apr 2022 11:00:28 +0100 Subject: [PATCH 29/40] Changing version to match console --- terraform/modules/postgresql/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/postgresql/main.tf b/terraform/modules/postgresql/main.tf index 30e2232..3ae9e1f 100644 --- a/terraform/modules/postgresql/main.tf +++ b/terraform/modules/postgresql/main.tf @@ -7,7 +7,7 @@ resource "aws_rds_cluster" "aurora_cluster" { cluster_identifier = "gfw-aurora" # "${var.project}-aurora-cluster" engine = "aurora-postgresql" - engine_version = "12.4" + engine_version = "12.8" database_name = var.rds_db_name master_username = var.rds_user_name master_password = var.rds_password From 3bac85a161117083dcbfe2733e392530f2f51a8f Mon Sep 17 00:00:00 2001 From: gtempus Date: Fri, 15 Jul 2022 14:41:36 -0400 Subject: [PATCH 30/40] chore: Ignore JetBrains IDE configs --- .gitignore | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 729f376..bb8c748 100644 --- a/.gitignore +++ b/.gitignore 
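Review bot: The added `gcrosby_3sc = "ssh-rsa AAAAB3NzaC1yc2E…Yez1 2021-08-04"` line lands in the same `for_each` object as the existing `gcrosby_3sc = …` context line two entries below it, so the object constructor now has a duplicate attribute, which HCL should report as a duplicate object key (and would otherwise silently keep only one value). The added material also appears byte-identical to the existing `gcrosby2_3sc` entry, so it grants no new access. Drop the added `gcrosby_3sc` line, or if this is a key rotation, remove the old entry in the same hunk. The `aws_key_pair.all` resource starts and ends outside the hunk.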
@@ -36,4 +36,7 @@ override.tf.json # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* -venv/* \ No newline at end of file +venv/* + +# IDE configurations +.idea From 996ea6618628c114abd8cdbe9cf904f4c241b526 Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Mon, 11 Apr 2022 11:36:57 -0700 Subject: [PATCH 31/40] chore: Add gtempus to CODEOWNERS file GTC-1921 --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 20b2998..5f37091 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @gfw-api @tanderegg @jterry64 @dmannarino @solomon-negusse \ No newline at end of file +* @gfw-api @tanderegg @jterry64 @dmannarino @solomon-negusse @gtempus \ No newline at end of file From a4941a7b7ab87add1611e475320a37d0645fca75 Mon Sep 17 00:00:00 2001 From: George Crosby Date: Tue, 5 Apr 2022 10:14:26 +0100 Subject: [PATCH 32/40] Parameterising postgres version for production (cherry picked from commit 46bef5df1ee5f8a3eb445214d7b2123975ae4b26) --- terraform/main.tf | 1 + terraform/modules/postgresql/main.tf | 2 +- terraform/modules/postgresql/variables.tf | 7 ++++++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 79f9fac..75f4157 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -40,6 +40,7 @@ module "postgresql" { project = var.project_prefix rds_backup_retention_period = var.backup_retention_period rds_db_name = "geostore" + rds_version = = "12.8" rds_instance_class = var.rds_instance_class rds_instance_count = var.rds_instance_count rds_password = var.rds_password diff --git a/terraform/modules/postgresql/main.tf b/terraform/modules/postgresql/main.tf index 30e2232..1a84b0c 100644 --- a/terraform/modules/postgresql/main.tf +++ b/terraform/modules/postgresql/main.tf 
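Review bot: `rds_version = = "12.8"` in the `module "postgresql"` block of the `terraform/main.tf` hunk has a doubled `=` and will not parse; it should read `rds_version = "12.8"` (PATCH 33 makes exactly that correction, so the two could be squashed). Hard-coding `"12.8"` at the call site also pins every environment to one engine version while the module default added in the same commit stays `"12.4"`, so the two can drift without either file looking wrong on its own. The `module "postgresql"` block continues past the hunk.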
@@ -7,7 +7,7 @@ resource "aws_rds_cluster" "aurora_cluster" { cluster_identifier = "gfw-aurora" # "${var.project}-aurora-cluster" engine = "aurora-postgresql" - engine_version = "12.4" + engine_version = var.rds_version database_name = var.rds_db_name master_username = var.rds_user_name master_password = var.rds_password diff --git a/terraform/modules/postgresql/variables.tf b/terraform/modules/postgresql/variables.tf index 41bb2b8..97836b6 100644 --- a/terraform/modules/postgresql/variables.tf +++ b/terraform/modules/postgresql/variables.tf @@ -42,6 +42,11 @@ variable "rds_password_ro" { type = string description = "RDS read_only password" } +variable "rds_version" { + type = string + description = "RDS Aurora database engine version. eg. 12.4" + default = "12.4" +} variable "rds_backup_retention_period" { type = number @@ -76,4 +81,4 @@ variable "rds_instance_class" { variable "rds_port" { type = string description = "Port to access RDS database" -} \ No newline at end of file +} From 0f24822b44234081ca0c9ac569a1ed725d589472 Mon Sep 17 00:00:00 2001 From: George Crosby Date: Tue, 5 Apr 2022 10:39:44 +0100 Subject: [PATCH 33/40] typo (cherry picked from commit e4633a7bbf8a40835c80d7664bcc40562a0d5c41) --- terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/main.tf b/terraform/main.tf index 75f4157..f31580c 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -40,7 +40,7 @@ module "postgresql" { project = var.project_prefix rds_backup_retention_period = var.backup_retention_period rds_db_name = "geostore" - rds_version = = "12.8" + rds_version = "12.8" rds_instance_class = var.rds_instance_class rds_instance_count = var.rds_instance_count rds_password = var.rds_password From e9a74d37c70849846f51ac66746125bed996bb23 Mon Sep 17 00:00:00 2001 
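Review bot: The new `rds_version` variable in the `terraform/modules/postgresql/variables.tf` hunk is typed only as `string`, so a tfvars typo such as `"12"`, `"12.4 "` or an Aurora MySQL-style string reaches `engine_version` on `aws_rds_cluster` unchecked and surfaces only as a provider error at apply time. A `validation` block pinning the `major.minor` shape that `aurora-postgresql` uses (the `engine` is fixed to that in the `main.tf` hunk) turns that into a plan-time message; the description's `eg.` also wants to be `e.g.`. The `variables.tf` file continues outside the hunk.
```hcl
variable "rds_version" {
  type        = string
  description = "RDS Aurora database engine version, e.g. 12.4"
  default     = "12.4"

  validation {
    condition     = can(regex("^[0-9]+\\.[0-9]+$", var.rds_version))
    error_message = "The rds_version value must be a major.minor engine version such as 12.4."
  }
}
```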
From: gtempus Date: Fri, 15 Jul 2022 14:54:06 -0400 Subject: [PATCH 34/40] chore: Update Postgres default version 12.7 is now the minimum supported minor version on AWS GTC-1921 --- terraform/modules/postgresql/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/postgresql/variables.tf b/terraform/modules/postgresql/variables.tf index 97836b6..8f186a9 100644 --- a/terraform/modules/postgresql/variables.tf +++ b/terraform/modules/postgresql/variables.tf @@ -44,8 +44,8 @@ variable "rds_password_ro" { } variable "rds_version" { type = string - description = "RDS Aurora database engine version. eg. 12.4" - default = "12.4" + description = "RDS Aurora database engine version. eg. 12.7" + default = "12.7" } variable "rds_backup_retention_period" { From 7c0be8ed4599d627acbe40ee325a99a8e2ddd2ec Mon Sep 17 00:00:00 2001 From: gtempus Date: Fri, 15 Jul 2022 18:34:16 -0400 Subject: [PATCH 35/40] chore: Remove Thomas and add Gary GTC-1921 --- .github/workflows/terraform_build.yaml | 12 +++---- .github/workflows/terraform_plan.yaml | 12 +++---- terraform.md | 43 +++++++++++++------------- terraform/main.tf | 4 +-- terraform/outputs.tf | 4 --- terraform/standalone.tf | 4 +-- terraform/variables.tf | 9 +++--- 7 files changed, 41 insertions(+), 47 deletions(-) diff --git a/.github/workflows/terraform_build.yaml b/.github/workflows/terraform_build.yaml index 0efd5b1..45f84f0 100644 --- a/.github/workflows/terraform_build.yaml +++ b/.github/workflows/terraform_build.yaml 
@@ -25,10 +25,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_production }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -38,10 +38,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" ./scripts/infra apply @@ -58,10 +58,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_staging }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -71,10 +71,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" 
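Review bot: The same `*_IP` env block and `-var` list are edited in four hunks of `terraform_build.yaml` here and four more of `terraform_plan.yaml` at L36–L38, and this commit shows the cost: one person swap touches eight places, and any one missed leaves an environment running with a stale SSH allow-list. Hoisting the shared mappings to a job- or workflow-level `env:` block, or exporting them as `TF_VAR_gtempus_ip: ${{ secrets.gtempus_ip }}` so Terraform picks them up without the `-var` lines (provided `./scripts/infra` passes its environment through), would make the next on- or off-boarding a one-line change per file. Unrelated nit carried along in the context: `PLANET_API_KEY: ${{secrets.planet_api_key }}` lacks the space after `${{` that every neighbouring line has.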
@@ -92,10 +92,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_dev }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -105,10 +105,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index d2ea270..2a34fc6 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -21,10 +21,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_production }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | 
@@ -34,10 +34,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" @@ -54,10 +54,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_staging }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -67,10 +67,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" @@ -87,10 +87,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_dev }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | 
@@ -100,10 +100,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" diff --git a/terraform.md b/terraform.md index 7655170..f236ad3 100644 --- a/terraform.md +++ b/terraform.md 
@@ -15,27 +15,27 @@ ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| application | Name of the current application | `string` | `"gfw-aws-core-infrastructure"` | no | -| aws\_region | A valid AWS region to configure the underlying AWS SDK. | `string` | `"us-east-1"` | no | -| dev\_account\_number | Account number of production account | `string` | `"563860007740"` | no | -| dmannarino\_ip | Daniel's home IP address | `string` | n/a | yes | -| dynamo\_db\_lock\_table\_name | Name of the lock table in Dynamo DB | `string` | `"aws-locks"` | no | -| environment | An environment namespace for the infrastructure. | `string` | n/a | yes | -| gfw-gee-export\_key | GCS key for service account | `string` | n/a | yes | -| gfw\_api\_token | Access token for the GFW/RW API. | `string` | n/a | yes | -| jterry\_ip | Justin's home IP address | `string` | n/a | yes | -| log\_retention\_period | Time in days to keep log files | `number` | n/a | yes | -| production\_account\_number | Account number of production account | `string` | `"401951483516"` | no | -| project | A project namespace for the infrastructure. 
| `string` | `"Global Forest Watch"` | no | -| rds\_backup\_retention\_period | Time in days to keep RDS backup files | `number` | n/a | yes | -| rds\_instance\_class | RDS Aurora instance type for write node | `string` | n/a | yes | -| rds\_password | Superuser password for RDS Aurora database | `string` | n/a | yes | -| rds\_password\_ro | Read Only user password for RDS Aurora database | `string` | n/a | yes | -| slack\_data\_updates\_hook | Hook for Slack data-updates channel | `string` | n/a | yes | -| staging\_account\_number | Account number of production account | `string` | `"274931322839"` | no | -| tmaschler\_ip | Thomas' home IP address | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|--------------------------------|---------------------------------------------------------|------|---------|:--------:| +| application | Name of the current application | `string` | `"gfw-aws-core-infrastructure"` | no | +| aws\_region | A valid AWS region to configure the underlying AWS SDK. | `string` | `"us-east-1"` | no | +| dev\_account\_number | Account number of production account | `string` | `"563860007740"` | no | +| dmannarino\_ip | Daniel's home IP address | `string` | n/a | yes | +| dynamo\_db\_lock\_table\_name | Name of the lock table in Dynamo DB | `string` | `"aws-locks"` | no | +| environment | An environment namespace for the infrastructure. | `string` | n/a | yes | +| gfw-gee-export\_key | GCS key for service account | `string` | n/a | yes | +| gfw\_api\_token | Access token for the GFW/RW API. | `string` | n/a | yes | +| jterry\_ip | Justin's home IP address | `string` | n/a | yes | +| log\_retention\_period | Time in days to keep log files | `number` | n/a | yes | +| production\_account\_number | Account number of production account | `string` | `"401951483516"` | no | +| project | A project namespace for the infrastructure. 
| `string` | `"Global Forest Watch"` | no | +| rds\_backup\_retention\_period | Time in days to keep RDS backup files | `number` | n/a | yes | +| rds\_instance\_class | RDS Aurora instance type for write node | `string` | n/a | yes | +| rds\_password | Superuser password for RDS Aurora database | `string` | n/a | yes | +| rds\_password\_ro | Read Only user password for RDS Aurora database | `string` | n/a | yes | +| slack\_data\_updates\_hook | Hook for Slack data-updates channel | `string` | n/a | yes | +| staging\_account\_number | Account number of production account | `string` | `"274931322839"` | no | +| gtempus\_ip | Gary's home IP address | `string` | n/a | yes | ## Outputs @@ -53,7 +53,6 @@ | environment | Environment of current state. | | iam\_policy\_s3\_write\_data-lake\_arn | n/a | | iam\_policy\_s3\_write\_pipelines\_arn | n/a | -| key\_pair\_tmaschler\_gfw | n/a | | nat\_gateway\_ips | n/a | | pipelines\_bucket | n/a | | postgresql\_security\_group\_id | Security group ID to access postgresql database | diff --git a/terraform/main.tf b/terraform/main.tf index f31580c..b48cd1c 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -139,8 +139,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] - description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "Dockerised", "Dockerised2", "Owen", "Edward"] + ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.gtempus_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["3SC Office VPN", "Office", "Justin", "Daniel", "Solomon", "Gary", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 0c92686..0214cd1 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -51,10 +51,6 @@ output "key_pairs" { value = aws_key_pair.all } -output "key_pair_tmaschler_gfw" { - value = aws_key_pair.all["tmaschler_gfw"].key_name -} - output "key_pair_jterry_gfw" { value = aws_key_pair.all["jterry_gfw"].key_name } diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 4336593..fc7b296 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf 
@@ -37,10 +37,10 @@ resource "aws_acm_certificate" "globalforestwatch_new" { # Note: Adding new keys will destroy the Bastion host and recreate it with new user data resource "aws_key_pair" "all" { for_each = { - tmaschler_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCGI+i2fgsYXajjgKPPv3prXdEuFEQXrgtM6mVCK6nZeziuSW/3F0Y1JTCPp/SOw0p5I6ila0f1pzofeCeH+0MSwQ4q+tg66a6ZkgV16LWo0VYptBTIbDTUdp/O0KjxCviQLcZByvDd0AJAX81Cu7ChmZen0dq6U3lp9XWCQ/Lt3z2D8avikHvvtc9DZr6AmUD+fGEMBjKJI2KG7OizLJTLB2tvNJ5teEGNRVNI7ZiSgVg98Z0OeOODIM2QuVvU6xb6iCdGKdLRiNGf4Eq4Z71eiph+noaItziABWkiGha4EFbIWf4lKlH45mQn6BYhVtwtLnx6qsVA+PaErJuticnd tmaschler_gfw", jterry_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOGcXvYQel176C7gXPPsz8/tOotAJ8yfj4I2e1Uw0KMLgMao/9Yl9DZg9obBO7nG1DiDW9YUt2hpQkB2PpzP5N9yMriL4WXEhLroCWKj/vljRIDZjS3ZG+pPLs2Li9eFLDc0WGb9D+dxVG7Emwg8O/mTVbaAdklC4D1cwKQx7V7kU19K4jTTCA7aqagtI7X6FNh0fJGfVz0aQ01ECZmUNCkVZy+LYhk2wxSDuXV9DIha0akPXZCWqOtICPln+tquM9befLevCcuDpwVOkh1wrAP7EkRQtL8x8lIadenQpHgXoeoNGGp7x10Dywlw2u6Hm4b0mGITu4P1JTf0O2mmDd jterry_gfw", dmannarino_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCLq0/1vhgRfispsHZHrX2H8Mz/HgtTSOiVlMmaUZE0xYPmTBf0cjpHggEN/vwM7FtAkoqozzkdA9PmlBXYye/7orNBGgOR/kXp2ssmyw80inrrCNgd5u6xKWwsydMXJZgvUHWu8PclM3xDNIkFr44ZwpUUJ4xoOzQNOoDjjL6te9rM6ZDXknQLYNf9gm6Isy584TP/kgtUGeS3megv0b+IE187AdLxllPRWCKp8rIWPBFFbP4TBiqWi5WJSJh+r8Z6DjfU/OTPPFgdiuaXjlHr/eGgKDx6merneLmt+rjb/dOxNbQErRzaCY0mZT9umod1vTZJS/4hV31ieXWr+ntF dmannarino_gfw", - snegusse_gfw = "ssh-rsa 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 solomon.negusse@wri.org" + snegusse_gfw = "ssh-rsa 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 solomon.negusse@wri.org", + gtempus_gfw = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCEdC0wsDmfQ2OFazxOqOSMn4hULT91irwpqLHpXac4r2xwZD+w+IvdFUouaQKEyI01Gki8uWlLXjfj0HSBrL+PKIwS4KsXkvgnqi/TTh2pJuOUIowV7IyO36ZtTP9wTIBteaG7HtNPTk/KUkdlNg1NA9Ds720OhLkf0Y4x2EUxln7bTaruCPTEP1YrAlmDsjHR3saw+xYKaElZk0SO6FTqd96GLpZ1kNJx/85nV0vV19NoL7MU84XhaVp5D8fNrxw4G6tm5orrUCWdfOA6mCgcYWS2bY/Ukq/zTTFb26irwGUJDAoCSiFQ8ljUlhSW1qoLhITPAjtSszUiTpIPmAst gtempus_gfw" // TODO: Same keys are also define in the FW Core Infrastructure State. Due to circular dependencies, and TF version conflicts I could not import those keys into this state // we only need the keys here to add them to the bastion host. An alternative would be to create a separate bastion host for 3SC in their repo diff --git a/terraform/variables.tf b/terraform/variables.tf index ec33b41..3e7e7c1 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -121,10 +121,6 @@ variable "gfw-gee-export_key" { type = string description = "GCS key for service account" } -variable "tmaschler_ip" { - type = string - description = "Thomas' home IP address" -} variable "jterry_ip" { type = string description = "Justin's home IP address" @@ -137,7 +133,10 @@ variable "snegusse_ip" { type = string description = "Solomon's home IP address" } - +variable "gtempus_ip" { + type = string + description = "Gary's home IP address" +} variable "office_3sc_ip" { type = string } From 3fd31b36e90e858433ca89646951ef3493506a13 Mon Sep 17 00:00:00 2001 From: gtempus Date: Tue, 19 Jul 2022 11:54:45 -0400 Subject: [PATCH 36/40] chore: Allow rds version to be configured by environment GTC-1921 --- terraform/main.tf | 3 +-- terraform/variables.tf | 5 +++++ terraform/vars/terraform-dev.tfvars | 1 + terraform/vars/terraform-production.tfvars | 1 + terraform/vars/terraform-staging.tfvars | 1 + 5 files changed, 9 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index b48cd1c..405a15d 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
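Review bot: Dropping `tmaschler_gfw` from `aws_key_pair.all` revokes that key only in this state, while the TODO comment at the end of the hunk says the same keys are also defined in the FW Core Infrastructure state for the bastion host; unless the removal is mirrored there, the key stays authorized on whatever that state provisions. The map also records no ownership or issue date per key, even though the comment above the resource says every key change destroys and recreates the bastion, which makes later offboarding a guess; add one line per entry such as `# gtempus_gfw: Gary Tempus, added <date added> — remove on offboarding` and the same for the other three. The `aws_key_pair.all` resource continues outside the hunk.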
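Review bot: The new `gtempus_ip` variable has no `validation` block even though main.tf interpolates it as `"${var.gtempus_ip}/32"` into a security-group CIDR, so an empty, IPv6 or already-suffixed value is caught only by AWS at apply time, after the plan was approved. A shape check keeps the failure in `terraform plan`: `validation { condition = can(cidrnetmask("${var.gtempus_ip}/32")) error_message = "gtempus_ip must be a single IPv4 address without a prefix length." }` (`cidrnetmask` rejects IPv6, which is what the `/32` suffix assumes). The sibling `jterry_ip`, `dmannarino_ip` and `snegusse_ip` variables in the context lines have the same gap; `validation` blocks need Terraform 0.13 or later, which I cannot confirm from this diff.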
@@ -31,7 +31,6 @@ module "vpc" { // keys = concat(values(aws_key_pair.all)[*].public_key, data.terraform_remote_state.fw_core.outputs.public_keys) } - module "postgresql" { source = "./modules/postgresql" availability_zone_names = [module.vpc.private_subnets[0].availability_zone, module.vpc.private_subnets[1].availability_zone, module.vpc.private_subnets[3].availability_zone] @@ -40,7 +39,7 @@ module "postgresql" { project = var.project_prefix rds_backup_retention_period = var.backup_retention_period rds_db_name = "geostore" - rds_version = "12.8" + rds_version = var.rds_version rds_instance_class = var.rds_instance_class rds_instance_count = var.rds_instance_count rds_password = var.rds_password diff --git a/terraform/variables.tf b/terraform/variables.tf index 3e7e7c1..76e0ef9 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -91,6 +91,11 @@ variable "rds_password_ro" { description = "Read Only user password for RDS Aurora database" } +variable "rds_version" { + type = string + description = "RDS engine version" +} + variable "db_instance_class" { type = string } diff --git a/terraform/vars/terraform-dev.tfvars b/terraform/vars/terraform-dev.tfvars index 51e8010..b79e543 100644 --- a/terraform/vars/terraform-dev.tfvars +++ b/terraform/vars/terraform-dev.tfvars @@ -1,6 +1,7 @@ environment = "dev" backup_retention_period = 1 log_retention_period = 7 +rds_version = "12.8" rds_instance_class = "db.t3.medium" rds_instance_count = 1 db_instance_class = "db.t3.medium" diff --git a/terraform/vars/terraform-production.tfvars b/terraform/vars/terraform-production.tfvars index 8b34a06..a04be6a 100644 --- a/terraform/vars/terraform-production.tfvars +++ b/terraform/vars/terraform-production.tfvars @@ -1,6 +1,7 @@ environment = "production" backup_retention_period = 7 log_retention_period = 30 +rds_version = "12.8" rds_instance_class = "db.r6g.large" rds_instance_count = 2 db_instance_class = "db.t3.medium" 
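Review bot: The new root `rds_version` variable carries no validation and its description does not say that the value is wired straight to the cluster's `engine_version` (the `module "postgresql"` hunk above), so a typo in a tfvars file is rejected only by AWS at apply time and a deliberate change is an in-place engine upgrade of the running cluster. Add a shape check, `validation { condition = can(regex("^[0-9]+\\.[0-9]+$", var.rds_version)) error_message = "rds_version must look like MAJOR.MINOR, e.g. 12.8." }`, and expand the description to `"Aurora PostgreSQL engine version (MAJOR.MINOR). Changing it triggers an engine upgrade of the live cluster."`. The module-side variable of the same name added in the PR #97 merge (postgresql/variables.tf hunk) defaults to "12.7" while all three tfvars files here set "12.8"; make the two agree or drop the module default so the version is always explicit.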
diff --git a/terraform/vars/terraform-staging.tfvars b/terraform/vars/terraform-staging.tfvars index 3442a45..b56f80b 100644 --- a/terraform/vars/terraform-staging.tfvars +++ b/terraform/vars/terraform-staging.tfvars @@ -1,6 +1,7 @@ environment = "staging" backup_retention_period = 1 log_retention_period = 7 +rds_version = "12.8" rds_instance_class = "db.t3.medium" rds_instance_count = 1 db_instance_class = "db.t3.medium" From 5d48636bc59c91b5d7bed9dee75b158729a375b6 Mon Sep 17 00:00:00 2001 From: Daniel Mannarino Date: Thu, 21 Jul 2022 16:03:59 -0400 Subject: [PATCH 37/40] Remove unnecessary SSL cert --- terraform/outputs.tf | 2 +- terraform/standalone.tf | 21 +-------------------- 2 files changed, 2 insertions(+), 21 deletions(-) diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 0214cd1..da4d85c 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -134,7 +134,7 @@ output "secrets_planet_api_key_policy_arn" { } output "acm_certificate" { - value = aws_acm_certificate.globalforestwatch_new[0].arn + value = aws_acm_certificate.globalforestwatch[0].arn } output "aurora_cluster_instance_class" { diff --git a/terraform/standalone.tf b/terraform/standalone.tf index fc7b296..fd7cd34 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf @@ -1,7 +1,3 @@ -# We generate certificates outside of AWS and manually registered it with the account. -# We imported the existing certificate into TF state -# I suspect ^ is only true of staging/prod, not dev - Daniel - resource "aws_acm_certificate" "globalforestwatch" { domain_name = "*.globalforestwatch.org" validation_method = "DNS" 
@@ -17,28 +13,13 @@ resource "aws_acm_certificate" "globalforestwatch" { count = 1 } -resource "aws_acm_certificate" "globalforestwatch_new" { - domain_name = "*.globalforestwatch.org" - validation_method = "DNS" - - tags = merge({ - "Name" = "Global Forest Watch Wildcard" - }, - local.tags) - - lifecycle { - create_before_destroy = true - } - count = 1 -} - # Need to create new private keys outside of TF and AWS # Note: Adding new keys will destroy the Bastion host and recreate it with new user data resource "aws_key_pair" "all" { for_each = { jterry_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOGcXvYQel176C7gXPPsz8/tOotAJ8yfj4I2e1Uw0KMLgMao/9Yl9DZg9obBO7nG1DiDW9YUt2hpQkB2PpzP5N9yMriL4WXEhLroCWKj/vljRIDZjS3ZG+pPLs2Li9eFLDc0WGb9D+dxVG7Emwg8O/mTVbaAdklC4D1cwKQx7V7kU19K4jTTCA7aqagtI7X6FNh0fJGfVz0aQ01ECZmUNCkVZy+LYhk2wxSDuXV9DIha0akPXZCWqOtICPln+tquM9befLevCcuDpwVOkh1wrAP7EkRQtL8x8lIadenQpHgXoeoNGGp7x10Dywlw2u6Hm4b0mGITu4P1JTf0O2mmDd jterry_gfw", - dmannarino_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCLq0/1vhgRfispsHZHrX2H8Mz/HgtTSOiVlMmaUZE0xYPmTBf0cjpHggEN/vwM7FtAkoqozzkdA9PmlBXYye/7orNBGgOR/kXp2ssmyw80inrrCNgd5u6xKWwsydMXJZgvUHWu8PclM3xDNIkFr44ZwpUUJ4xoOzQNOoDjjL6te9rM6ZDXknQLYNf9gm6Isy584TP/kgtUGeS3megv0b+IE187AdLxllPRWCKp8rIWPBFFbP4TBiqWi5WJSJh+r8Z6DjfU/OTPPFgdiuaXjlHr/eGgKDx6merneLmt+rjb/dOxNbQErRzaCY0mZT9umod1vTZJS/4hV31ieXWr+ntF dmannarino_gfw", + dmannarino_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC61msySjQ7S9dKxuqg5V9erJJsUQm1fJCa6pwvZKrfaq1LrmLjvvAwdzOhVEXqQEYYAM00D2eSJyT74VKKdMtpAVnk24PtbtOUy54pqOA+pDuNVOUbL045ZOKqmmoD4omGHBj8jiowmV/zOI9Y1qtlSXoiIT8VQ/uCtKTsY4FMRhBuphpeAWQfEXLI0RfSrw/b7w4pI/zYjzg4mvN17LovS31ZpRWAGK/T6MVyDdeMjF4GEB1P+fjy7tGuKDCTXwGinVKnY8diUihCdyQqQY/Y/5P33NX890F0CX8IGeIWsayk1PNjTw7EJELnJgHVPRYEnz6+Tqru7KmlrVc8V5m7 dmannarino_gfw", snegusse_gfw = "ssh-rsa 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 solomon.negusse@wri.org", gtempus_gfw = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCEdC0wsDmfQ2OFazxOqOSMn4hULT91irwpqLHpXac4r2xwZD+w+IvdFUouaQKEyI01Gki8uWlLXjfj0HSBrL+PKIwS4KsXkvgnqi/TTh2pJuOUIowV7IyO36ZtTP9wTIBteaG7HtNPTk/KUkdlNg1NA9Ds720OhLkf0Y4x2EUxln7bTaruCPTEP1YrAlmDsjHR3saw+xYKaElZk0SO6FTqd96GLpZ1kNJx/85nV0vV19NoL7MU84XhaVp5D8fNrxw4G6tm5orrUCWdfOA6mCgcYWS2bY/Ukq/zTTFb26irwGUJDAoCSiFQ8ljUlhSW1qoLhITPAjtSszUiTpIPmAst gtempus_gfw" From 9b8a6766f0422b9c507f366d5a7961dbe34b169b Mon Sep 17 00:00:00 2001 From: Daniel Mannarino Date: Thu, 21 Jul 2022 17:49:12 -0400 Subject: [PATCH 38/40] Revert "Remove unnecessary certificate; update dmannarino public key" --- terraform/outputs.tf | 2 +- terraform/standalone.tf | 21 ++++++++++++++++++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/terraform/outputs.tf b/terraform/outputs.tf index da4d85c..0214cd1 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -134,7 +134,7 @@ output "secrets_planet_api_key_policy_arn" { } output "acm_certificate" { - value = aws_acm_certificate.globalforestwatch[0].arn + value = aws_acm_certificate.globalforestwatch_new[0].arn } output "aurora_cluster_instance_class" { diff --git a/terraform/standalone.tf b/terraform/standalone.tf index fd7cd34..fc7b296 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf @@ -1,3 +1,7 @@ +# We generate certificates outside of AWS and manually registered it with the account. +# We imported the existing certificate into TF state +# I suspect ^ is only true of staging/prod, not dev - Daniel + resource "aws_acm_certificate" "globalforestwatch" { domain_name = "*.globalforestwatch.org" validation_method = "DNS" 
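Review bot: The replacement of the `dmannarino_gfw` public key in this hunk is not mentioned in the commit subject ("Remove unnecessary SSL cert"), so anyone reviewing the history for authorization changes would miss that a bastion key is rotated here, and the comment above the resource says the rotation also recreates the bastion host. Key-material changes should be their own commit stating the reason (for example `# dmannarino_gfw rotated <date>: previous key retired`), which the subsequent revert's title does at least acknowledge. Removing `aws_acm_certificate.globalforestwatch_new` while outputs.tf re-points `acm_certificate` to the older certificate also means any consumer still attached to the `_new` ARN would make the destroy fail at apply time, since ACM refuses to delete an in-use certificate; worth confirming no consumer is attached before applying. The `aws_key_pair.all` resource continues outside the hunk.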
@@ -13,13 +17,28 @@ resource "aws_acm_certificate" "globalforestwatch" { count = 1 } +resource "aws_acm_certificate" "globalforestwatch_new" { + domain_name = "*.globalforestwatch.org" + validation_method = "DNS" + + tags = merge({ + "Name" = "Global Forest Watch Wildcard" + }, + local.tags) + + lifecycle { + create_before_destroy = true + } + count = 1 +} + # Need to create new private keys outside of TF and AWS # Note: Adding new keys will destroy the Bastion host and recreate it with new user data resource "aws_key_pair" "all" { for_each = { jterry_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOGcXvYQel176C7gXPPsz8/tOotAJ8yfj4I2e1Uw0KMLgMao/9Yl9DZg9obBO7nG1DiDW9YUt2hpQkB2PpzP5N9yMriL4WXEhLroCWKj/vljRIDZjS3ZG+pPLs2Li9eFLDc0WGb9D+dxVG7Emwg8O/mTVbaAdklC4D1cwKQx7V7kU19K4jTTCA7aqagtI7X6FNh0fJGfVz0aQ01ECZmUNCkVZy+LYhk2wxSDuXV9DIha0akPXZCWqOtICPln+tquM9befLevCcuDpwVOkh1wrAP7EkRQtL8x8lIadenQpHgXoeoNGGp7x10Dywlw2u6Hm4b0mGITu4P1JTf0O2mmDd jterry_gfw", - dmannarino_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC61msySjQ7S9dKxuqg5V9erJJsUQm1fJCa6pwvZKrfaq1LrmLjvvAwdzOhVEXqQEYYAM00D2eSJyT74VKKdMtpAVnk24PtbtOUy54pqOA+pDuNVOUbL045ZOKqmmoD4omGHBj8jiowmV/zOI9Y1qtlSXoiIT8VQ/uCtKTsY4FMRhBuphpeAWQfEXLI0RfSrw/b7w4pI/zYjzg4mvN17LovS31ZpRWAGK/T6MVyDdeMjF4GEB1P+fjy7tGuKDCTXwGinVKnY8diUihCdyQqQY/Y/5P33NX890F0CX8IGeIWsayk1PNjTw7EJELnJgHVPRYEnz6+Tqru7KmlrVc8V5m7 dmannarino_gfw", + dmannarino_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCLq0/1vhgRfispsHZHrX2H8Mz/HgtTSOiVlMmaUZE0xYPmTBf0cjpHggEN/vwM7FtAkoqozzkdA9PmlBXYye/7orNBGgOR/kXp2ssmyw80inrrCNgd5u6xKWwsydMXJZgvUHWu8PclM3xDNIkFr44ZwpUUJ4xoOzQNOoDjjL6te9rM6ZDXknQLYNf9gm6Isy584TP/kgtUGeS3megv0b+IE187AdLxllPRWCKp8rIWPBFFbP4TBiqWi5WJSJh+r8Z6DjfU/OTPPFgdiuaXjlHr/eGgKDx6merneLmt+rjb/dOxNbQErRzaCY0mZT9umod1vTZJS/4hV31ieXWr+ntF dmannarino_gfw", snegusse_gfw = "ssh-rsa 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 solomon.negusse@wri.org", gtempus_gfw = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCEdC0wsDmfQ2OFazxOqOSMn4hULT91irwpqLHpXac4r2xwZD+w+IvdFUouaQKEyI01Gki8uWlLXjfj0HSBrL+PKIwS4KsXkvgnqi/TTh2pJuOUIowV7IyO36ZtTP9wTIBteaG7HtNPTk/KUkdlNg1NA9Ds720OhLkf0Y4x2EUxln7bTaruCPTEP1YrAlmDsjHR3saw+xYKaElZk0SO6FTqd96GLpZ1kNJx/85nV0vV19NoL7MU84XhaVp5D8fNrxw4G6tm5orrUCWdfOA6mCgcYWS2bY/Ukq/zTTFb26irwGUJDAoCSiFQ8ljUlhSW1qoLhITPAjtSszUiTpIPmAst gtempus_gfw" From 13e93b595c7fab1c3f46fc2838340800aff34d70 Mon Sep 17 00:00:00 2001 From: Daniel Mannarino Date: Fri, 19 Aug 2022 11:36:08 -0400 Subject: [PATCH 39/40] DO NOT MERGE UNTIL PLAN EXAMINED: Merge RDS, key changes from Dev -> Staging (#97) * Add globalforestwatch_new cert * Add code owners * Adding Luri * adding owens new ssh key * adding pub and ssh key * Add output for keypairs * Merge firewall changes * Remove duplicate security IDs * Add SSH keys and IPs for 3SC * chore: Ignore JetBrains IDE configs * chore: Add gtempus to CODEOWNERS file * Parameterising postgres version for production * chore: Update Postgres default version 12.7 is now the minimum supported minor version on AWS * chore: Remove Thomas and add Gary * chore: Allow rds version to be configured by environment GTC-1921 * Remove unnecessary SSL cert Co-authored-by: George Crosby Co-authored-by: Justin Terry Co-authored-by: gtempus Co-authored-by: Gary Tempus --- .github/workflows/terraform_build.yaml | 12 +++--- .github/workflows/terraform_plan.yaml | 12 +++--- .gitignore | 5 ++- CODEOWNERS | 2 +- README.md | 4 +- terraform.md | 43 +++++++++++----------- terraform/main.tf | 8 ++-- terraform/modules/postgresql/main.tf | 2 +- terraform/modules/postgresql/variables.tf | 7 +++- terraform/outputs.tf | 6 +-- terraform/standalone.tf | 23 ++++++++++-- terraform/variables.tf | 14 ++++--- terraform/vars/terraform-dev.tfvars | 1 + terraform/vars/terraform-production.tfvars | 1 + terraform/vars/terraform-staging.tfvars | 1 + 15 files changed, 83 insertions(+), 58 deletions(-) 
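Review bot: This revert puts the previous `dmannarino_gfw` key back into `aws_key_pair.all`, re-authorizing the key the reverted commit had replaced and dropping the newer one; if that replacement was a deliberate rotation, as the revert's own title ("update dmannarino public key") suggests, the superseded key is trusted again after this commit. Revert only the certificate part, or re-apply the key change in a separate commit immediately after, so the set of authorized bastion keys does not regress. The `aws_key_pair.all` resource continues outside the hunk.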
diff --git a/.github/workflows/terraform_build.yaml b/.github/workflows/terraform_build.yaml index 0efd5b1..45f84f0 100644 --- a/.github/workflows/terraform_build.yaml +++ b/.github/workflows/terraform_build.yaml @@ -25,10 +25,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_production }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -38,10 +38,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" ./scripts/infra apply @@ -58,10 +58,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_staging }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | 
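Review bot: The new `-var "gtempus_ip=${GTEMPUS_IP}"` line follows the existing pattern of passing every value, including `RDS_PASSWORD_RO` a few lines above it, as a command-line argument, so these values appear in the runner's process list and in any shell trace of the `run:` step. Terraform reads `TF_VAR_<name>` environment variables directly, so declaring `TF_VAR_gtempus_ip: ${{ secrets.gtempus_ip }}` in the `env:` block and dropping the `-var` flag keeps the value off the command line; the same applies to the password variables in the context lines. The identical env/flag pair is edited in six places in this file and six more in `terraform_plan.yaml` (the later hunks), so each onboarding or offboarding touches twelve spots; a job-level `env:` or a reusable workflow would cut that to one per workflow. I cannot see the `./scripts/infra` wrapper, so check that it does not reassemble the `-var` list itself.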
@@ -71,10 +71,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" @@ -92,10 +92,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_dev }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -105,10 +105,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index d2ea270..2a34fc6 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
@@ -21,10 +21,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_production }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -34,10 +34,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" @@ -54,10 +54,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_staging }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -67,10 +67,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" 
@@ -87,10 +87,10 @@ jobs: RDS_PASSWORD_RO: ${{ secrets.rds_password_ro_dev }} GCS_GFW_GEE_EXPORT_KEY: ${{ secrets.gcs_gfw_gee_export_key }} PLANET_API_KEY: ${{secrets.planet_api_key }} - TMASCHLER_IP: ${{ secrets.tmaschler_ip }} JTERRY_IP: ${{ secrets.jterry_ip }} DMANNARINO_IP: ${{ secrets.dmannarino_ip }} SNEGUSSE_IP: ${{ secrets.snegusse_ip }} + GTEMPUS_IP: ${{ secrets.gtempus_ip }} OFFICE_3SC_IP: ${{ secrets.office_3sc_ip }} VPN_3SC_IP: ${{ secrets.vpn_3sc_ip }} run: | @@ -100,10 +100,10 @@ jobs: -var "rds_password_ro=${RDS_PASSWORD_RO}" \ -var "gfw-gee-export_key=${GCS_GFW_GEE_EXPORT_KEY}" \ -var "planet_api_key=${PLANET_API_KEY}" \ - -var "tmaschler_ip=${TMASCHLER_IP}" \ -var "jterry_ip=${JTERRY_IP}" \ -var "dmannarino_ip=${DMANNARINO_IP}" \ -var "snegusse_ip=${SNEGUSSE_IP}" \ + -var "gtempus_ip=${GTEMPUS_IP}" \ -var "office_3sc_ip=${OFFICE_3SC_IP}" \ -var "vpn_3sc_ip=${VPN_3SC_IP}" diff --git a/.gitignore b/.gitignore index 729f376..bb8c748 100644 --- a/.gitignore +++ b/.gitignore @@ -36,4 +36,7 @@ override.tf.json # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* -venv/* \ No newline at end of file +venv/* + +# IDE configurations +.idea diff --git a/CODEOWNERS b/CODEOWNERS index 20b2998..5f37091 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @gfw-api @tanderegg @jterry64 @dmannarino @solomon-negusse \ No newline at end of file +* @gfw-api @tanderegg @jterry64 @dmannarino @solomon-negusse @gtempus \ No newline at end of file diff --git a/README.md b/README.md index 74701d8..a645126 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# GFW AWS Core Infrastructure +# GFW AWS Core Infrastructure This repo describes GFW's core infrastructure on AWS using Terraform framework. @@ -77,4 +77,4 @@ resource "aws_lambda_function" "default" { } } } -``` \ No newline at end of file +``` diff --git a/terraform.md b/terraform.md index 7655170..f236ad3 100644 --- a/terraform.md +++ b/terraform.md 
@@ -15,27 +15,27 @@ ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| application | Name of the current application | `string` | `"gfw-aws-core-infrastructure"` | no | -| aws\_region | A valid AWS region to configure the underlying AWS SDK. | `string` | `"us-east-1"` | no | -| dev\_account\_number | Account number of production account | `string` | `"563860007740"` | no | -| dmannarino\_ip | Daniel's home IP address | `string` | n/a | yes | -| dynamo\_db\_lock\_table\_name | Name of the lock table in Dynamo DB | `string` | `"aws-locks"` | no | -| environment | An environment namespace for the infrastructure. | `string` | n/a | yes | -| gfw-gee-export\_key | GCS key for service account | `string` | n/a | yes | -| gfw\_api\_token | Access token for the GFW/RW API. | `string` | n/a | yes | -| jterry\_ip | Justin's home IP address | `string` | n/a | yes | -| log\_retention\_period | Time in days to keep log files | `number` | n/a | yes | -| production\_account\_number | Account number of production account | `string` | `"401951483516"` | no | -| project | A project namespace for the infrastructure. 
| `string` | `"Global Forest Watch"` | no | -| rds\_backup\_retention\_period | Time in days to keep RDS backup files | `number` | n/a | yes | -| rds\_instance\_class | RDS Aurora instance type for write node | `string` | n/a | yes | -| rds\_password | Superuser password for RDS Aurora database | `string` | n/a | yes | -| rds\_password\_ro | Read Only user password for RDS Aurora database | `string` | n/a | yes | -| slack\_data\_updates\_hook | Hook for Slack data-updates channel | `string` | n/a | yes | -| staging\_account\_number | Account number of production account | `string` | `"274931322839"` | no | -| tmaschler\_ip | Thomas' home IP address | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|--------------------------------|---------------------------------------------------------|------|---------|:--------:| +| application | Name of the current application | `string` | `"gfw-aws-core-infrastructure"` | no | +| aws\_region | A valid AWS region to configure the underlying AWS SDK. | `string` | `"us-east-1"` | no | +| dev\_account\_number | Account number of production account | `string` | `"563860007740"` | no | +| dmannarino\_ip | Daniel's home IP address | `string` | n/a | yes | +| dynamo\_db\_lock\_table\_name | Name of the lock table in Dynamo DB | `string` | `"aws-locks"` | no | +| environment | An environment namespace for the infrastructure. | `string` | n/a | yes | +| gfw-gee-export\_key | GCS key for service account | `string` | n/a | yes | +| gfw\_api\_token | Access token for the GFW/RW API. | `string` | n/a | yes | +| jterry\_ip | Justin's home IP address | `string` | n/a | yes | +| log\_retention\_period | Time in days to keep log files | `number` | n/a | yes | +| production\_account\_number | Account number of production account | `string` | `"401951483516"` | no | +| project | A project namespace for the infrastructure. 
| `string` | `"Global Forest Watch"` | no | +| rds\_backup\_retention\_period | Time in days to keep RDS backup files | `number` | n/a | yes | +| rds\_instance\_class | RDS Aurora instance type for write node | `string` | n/a | yes | +| rds\_password | Superuser password for RDS Aurora database | `string` | n/a | yes | +| rds\_password\_ro | Read Only user password for RDS Aurora database | `string` | n/a | yes | +| slack\_data\_updates\_hook | Hook for Slack data-updates channel | `string` | n/a | yes | +| staging\_account\_number | Account number of production account | `string` | `"274931322839"` | no | +| gtempus\_ip | Gary's home IP address | `string` | n/a | yes | ## Outputs @@ -53,7 +53,6 @@ | environment | Environment of current state. | | iam\_policy\_s3\_write\_data-lake\_arn | n/a | | iam\_policy\_s3\_write\_pipelines\_arn | n/a | -| key\_pair\_tmaschler\_gfw | n/a | | nat\_gateway\_ips | n/a | | pipelines\_bucket | n/a | | postgresql\_security\_group\_id | Security group ID to access postgresql database | diff --git a/terraform/main.tf b/terraform/main.tf index 2ad50fe..405a15d 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -31,7 +31,6 @@ module "vpc" { // keys = concat(values(aws_key_pair.all)[*].public_key, data.terraform_remote_state.fw_core.outputs.public_keys) } - module "postgresql" { source = "./modules/postgresql" availability_zone_names = [module.vpc.private_subnets[0].availability_zone, module.vpc.private_subnets[1].availability_zone, module.vpc.private_subnets[3].availability_zone] @@ -40,6 +39,7 @@ module "postgresql" { project = var.project_prefix rds_backup_retention_period = var.backup_retention_period rds_db_name = "geostore" + rds_version = var.rds_version rds_instance_class = var.rds_instance_class rds_instance_count = var.rds_instance_count rds_password = var.rds_password 
@@ -102,7 +102,7 @@ module "pipeline_bucket" { enabled = true prefix = "geotrellis/results/" transition = [{ - days = 30 # initally set to 7 days but this is somehow no longer possible + days = 30 # initially set to 7 days but this is somehow no longer possible storage_class = "STANDARD_IA" # or "ONEZONE_IA" }, { days = 60 @@ -138,8 +138,8 @@ module "pipeline-test-bucket" { module "firewall" { source = "./modules/firewall" project = var.project_prefix - ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.tmaschler_ip}/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] - description = ["3SC Office VPN", "Office", "Thomas", "Justin", "Daniel", "Solomon", "Dockerised", "Dockerised2", "Owen", "Edward"] + ssh_cidr_blocks = ["54.173.196.8/32", "216.70.220.184/32", "${var.jterry_ip}/32", "${var.dmannarino_ip}/32", "${var.snegusse_ip}/32", "${var.gtempus_ip}/32", "86.143.108.56/32", "92.234.149.30/32", "212.35.238.28/32", "90.206.63.59/32"] + description = ["3SC Office VPN", "Office", "Justin", "Daniel", "Solomon", "Gary", "Dockerised", "Dockerised2", "Owen", "Edward"] tags = merge({ Job = "Firewall" }, local.tags) vpc_cidre_block = module.vpc.cidr_block vpc_id = module.vpc.id diff --git a/terraform/modules/postgresql/main.tf b/terraform/modules/postgresql/main.tf index 3ae9e1f..1a84b0c 100644 --- a/terraform/modules/postgresql/main.tf +++ b/terraform/modules/postgresql/main.tf @@ -7,7 +7,7 @@ resource "aws_rds_cluster" "aurora_cluster" { cluster_identifier = "gfw-aurora" # "${var.project}-aurora-cluster" engine = "aurora-postgresql" - engine_version = "12.8" + engine_version = var.rds_version database_name = var.rds_db_name master_username = var.rds_user_name master_password = var.rds_password diff --git a/terraform/modules/postgresql/variables.tf b/terraform/modules/postgresql/variables.tf index 41bb2b8..8f186a9 100644 
--- a/terraform/modules/postgresql/variables.tf +++ b/terraform/modules/postgresql/variables.tf @@ -42,6 +42,11 @@ variable "rds_password_ro" { type = string description = "RDS read_only password" } +variable "rds_version" { + type = string + description = "RDS Aurora database engine version. eg. 12.7" + default = "12.7" +} variable "rds_backup_retention_period" { type = number @@ -76,4 +81,4 @@ variable "rds_instance_class" { variable "rds_port" { type = string description = "Port to access RDS database" -} \ No newline at end of file +} diff --git a/terraform/outputs.tf b/terraform/outputs.tf index eb3c0c6..0214cd1 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -51,10 +51,6 @@ output "key_pairs" { value = aws_key_pair.all } -output "key_pair_tmaschler_gfw" { - value = aws_key_pair.all["tmaschler_gfw"].key_name -} - output "key_pair_jterry_gfw" { value = aws_key_pair.all["jterry_gfw"].key_name } @@ -138,7 +134,7 @@ output "secrets_planet_api_key_policy_arn" { } output "acm_certificate" { - value = aws_acm_certificate.globalforestwatch[0].arn + value = aws_acm_certificate.globalforestwatch_new[0].arn } output "aurora_cluster_instance_class" { diff --git a/terraform/standalone.tf b/terraform/standalone.tf index 26c932c..fc7b296 100644 --- a/terraform/standalone.tf +++ b/terraform/standalone.tf @@ -1,5 +1,6 @@ # We generate certificates outside of AWS and manually registered it with the account. # We imported the existing certificate into TF state +# I suspect ^ is only true of staging/prod, not dev - Daniel resource "aws_acm_certificate" "globalforestwatch" { domain_name = "*.globalforestwatch.org" 
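Review bot: The module-level `rds_version` gets `default = "12.7"` while every tfvars file in this PR sets the root variable to "12.8", so the default is dead in practice and, if a caller ever omits the value, Terraform would plan an `engine_version` change from 12.8 down to 12.7 (the postgresql/main.tf hunk wires the variable to that argument), which AWS rejects as a downgrade at apply time. Either drop the default so the version is always explicit, or align it with the environments and say so in the description: `description = "Aurora PostgreSQL engine version (MAJOR.MINOR). Changing it upgrades the live cluster in place."`. The "eg. 12.7" in the current description also stops matching the deployed value the moment an environment moves on.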
@@ -16,15 +17,30 @@ resource "aws_acm_certificate" "globalforestwatch" { count = 1 } +resource "aws_acm_certificate" "globalforestwatch_new" { + domain_name = "*.globalforestwatch.org" + validation_method = "DNS" + + tags = merge({ + "Name" = "Global Forest Watch Wildcard" + }, + local.tags) + + lifecycle { + create_before_destroy = true + } + count = 1 +} + # Need to create new private keys outside of TF and AWS # Note: Adding new keys will destroy the Bastion host and recreate it with new user data resource "aws_key_pair" "all" { for_each = { - tmaschler_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCGI+i2fgsYXajjgKPPv3prXdEuFEQXrgtM6mVCK6nZeziuSW/3F0Y1JTCPp/SOw0p5I6ila0f1pzofeCeH+0MSwQ4q+tg66a6ZkgV16LWo0VYptBTIbDTUdp/O0KjxCviQLcZByvDd0AJAX81Cu7ChmZen0dq6U3lp9XWCQ/Lt3z2D8avikHvvtc9DZr6AmUD+fGEMBjKJI2KG7OizLJTLB2tvNJ5teEGNRVNI7ZiSgVg98Z0OeOODIM2QuVvU6xb6iCdGKdLRiNGf4Eq4Z71eiph+noaItziABWkiGha4EFbIWf4lKlH45mQn6BYhVtwtLnx6qsVA+PaErJuticnd tmaschler_gfw", jterry_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOGcXvYQel176C7gXPPsz8/tOotAJ8yfj4I2e1Uw0KMLgMao/9Yl9DZg9obBO7nG1DiDW9YUt2hpQkB2PpzP5N9yMriL4WXEhLroCWKj/vljRIDZjS3ZG+pPLs2Li9eFLDc0WGb9D+dxVG7Emwg8O/mTVbaAdklC4D1cwKQx7V7kU19K4jTTCA7aqagtI7X6FNh0fJGfVz0aQ01ECZmUNCkVZy+LYhk2wxSDuXV9DIha0akPXZCWqOtICPln+tquM9befLevCcuDpwVOkh1wrAP7EkRQtL8x8lIadenQpHgXoeoNGGp7x10Dywlw2u6Hm4b0mGITu4P1JTf0O2mmDd jterry_gfw", dmannarino_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCLq0/1vhgRfispsHZHrX2H8Mz/HgtTSOiVlMmaUZE0xYPmTBf0cjpHggEN/vwM7FtAkoqozzkdA9PmlBXYye/7orNBGgOR/kXp2ssmyw80inrrCNgd5u6xKWwsydMXJZgvUHWu8PclM3xDNIkFr44ZwpUUJ4xoOzQNOoDjjL6te9rM6ZDXknQLYNf9gm6Isy584TP/kgtUGeS3megv0b+IE187AdLxllPRWCKp8rIWPBFFbP4TBiqWi5WJSJh+r8Z6DjfU/OTPPFgdiuaXjlHr/eGgKDx6merneLmt+rjb/dOxNbQErRzaCY0mZT9umod1vTZJS/4hV31ieXWr+ntF dmannarino_gfw", - snegusse_gfw = "ssh-rsa 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 solomon.negusse@wri.org" + snegusse_gfw = "ssh-rsa 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 
solomon.negusse@wri.org", + gtempus_gfw = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEdC0wsDmfQ2OFazxOqOSMn4hULT91irwpqLHpXac4r2xwZD+w+IvdFUouaQKEyI01Gki8uWlLXjfj0HSBrL+PKIwS4KsXkvgnqi/TTh2pJuOUIowV7IyO36ZtTP9wTIBteaG7HtNPTk/KUkdlNg1NA9Ds720OhLkf0Y4x2EUxln7bTaruCPTEP1YrAlmDsjHR3saw+xYKaElZk0SO6FTqd96GLpZ1kNJx/85nV0vV19NoL7MU84XhaVp5D8fNrxw4G6tm5orrUCWdfOA6mCgcYWS2bY/Ukq/zTTFb26irwGUJDAoCSiFQ8ljUlhSW1qoLhITPAjtSszUiTpIPmAst gtempus_gfw" // TODO: Same keys are also define in the FW Core Infrastructure State. Due to circular dependencies, and TF version conflicts I could not import those keys into this state // we only need the keys here to add them to the bastion host. An alternative would be to create a separate bastion host for 3SC in their repo @@ -48,5 +64,4 @@ resource "aws_key_pair" "all" { resource "aws_cloudwatch_log_group" "batch_job" { name = "/aws/batch/job" retention_in_days = 30 -} - +} \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index ec33b41..76e0ef9 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -91,6 +91,11 @@ variable "rds_password_ro" { description = "Read Only user password for RDS Aurora database" } +variable "rds_version" { + type = string + description = "RDS engine version" +} + variable "db_instance_class" { type = string } @@ -121,10 +126,6 @@ variable "gfw-gee-export_key" { type = string description = "GCS key for service account" } -variable "tmaschler_ip" { - type = string - description = "Thomas' home IP address" -} variable "jterry_ip" { type = string description = "Justin's home IP address" @@ -137,7 +138,10 @@ variable "snegusse_ip" { type = string description = "Solomon's home IP address" } - +variable "gtempus_ip" { + type = string + description = "Gary's home IP address" +} variable "office_3sc_ip" { type = string } diff --git a/terraform/vars/terraform-dev.tfvars b/terraform/vars/terraform-dev.tfvars index 51e8010..b79e543 100644 
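Review bot: `aws_acm_certificate.globalforestwatch_new` is created with `validation_method = "DNS"`, but the diff adds no validation DNS records or `aws_acm_certificate_validation` resource, so the certificate stays in pending validation until someone publishes the CNAME by hand, and the `acm_certificate` output switched in the `terraform/outputs.tf` hunk now hands consumers an ARN that cannot be attached to a listener until that happens. If DNS for this domain is managed outside Terraform, say so next to the resource, e.g. `# DNS validation is completed outside Terraform; the ARN is not usable until the certificate status is ISSUED`, and consider keeping the output on the old imported certificate until the new one is issued. The original `globalforestwatch` resource is retained, so two wildcard certificates will coexist in the account; a comment naming which one is the long-term owner would prevent the other lingering indefinitely. The new resource block is fully inside the hunk; `aws_key_pair.all` continues past it.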
--- a/terraform/vars/terraform-dev.tfvars +++ b/terraform/vars/terraform-dev.tfvars @@ -1,6 +1,7 @@ environment = "dev" backup_retention_period = 1 log_retention_period = 7 +rds_version = "12.8" rds_instance_class = "db.t3.medium" rds_instance_count = 1 db_instance_class = "db.t3.medium" diff --git a/terraform/vars/terraform-production.tfvars b/terraform/vars/terraform-production.tfvars index 8b34a06..a04be6a 100644 --- a/terraform/vars/terraform-production.tfvars +++ b/terraform/vars/terraform-production.tfvars @@ -1,6 +1,7 @@ environment = "production" backup_retention_period = 7 log_retention_period = 30 +rds_version = "12.8" rds_instance_class = "db.r6g.large" rds_instance_count = 2 db_instance_class = "db.t3.medium" diff --git a/terraform/vars/terraform-staging.tfvars b/terraform/vars/terraform-staging.tfvars index 3442a45..b56f80b 100644 --- a/terraform/vars/terraform-staging.tfvars +++ b/terraform/vars/terraform-staging.tfvars @@ -1,6 +1,7 @@ environment = "staging" backup_retention_period = 1 log_retention_period = 7 +rds_version = "12.8" rds_instance_class = "db.t3.medium" rds_instance_count = 1 db_instance_class = "db.t3.medium" From c87bb93c0d9ada0f09b3b23cedb473aa15356e2e Mon Sep 17 00:00:00 2001 From: Gary Tempus Date: Mon, 22 Aug 2022 15:45:45 -0400 Subject: [PATCH 40/40] feat: Remove Forest Watcher specific infrastructure (#101) --- terraform/apigw.tf | 96 ---------------------------------------------- 1 file changed, 96 deletions(-) delete mode 100644 terraform/apigw.tf diff --git a/terraform/apigw.tf b/terraform/apigw.tf deleted file mode 100644 index acc65aa..0000000 --- a/terraform/apigw.tf +++ /dev/null 
@@ -1,96 +0,0 @@ -data "aws_ami" "amazon_linux_ami" { - most_recent = true - owners = [ - "amazon"] - - filter { - name = "name" - values = [ - "amzn2-ami-hvm*"] - } -} - -resource "aws_security_group" "apigw" { - vpc_id = module.vpc.id - name = "${var.project_prefix}-apigw" - tags = merge( - { - Name = "${var.project_prefix}-apigw" - }, - local.tags - ) -} - -resource "aws_security_group_rule" "apigw_http_ingress" { - type = "ingress" - from_port = "80" - to_port = "80" - protocol = "tcp" - cidr_blocks = [module.vpc.cidr_block] - - security_group_id = aws_security_group.apigw.id -} -resource "aws_security_group_rule" "apigw_https_ingress" { - type = "ingress" - from_port = "443" - to_port = "443" - protocol = "tcp" - cidr_blocks = [module.vpc.cidr_block] - - security_group_id = aws_security_group.apigw.id -} - -# User data script to bootstrap authorized ssh keys -data "template_file" "apigw_setup" { - template = file("${path.module}/user_data/bastion_setup.sh.tpl") - vars = { - user = "ec2-user" - authorized_ssh_keys = <> /home/ec2-user/.ssh/authorized_keys", values(aws_key_pair.all)[*].public_key)~} -${row} -%{endfor~} -EOT - } -} - -resource "aws_instance" "apigw" { - ami = data.aws_ami.amazon_linux_ami.id - availability_zone = module.vpc.public_subnet_az[0] - ebs_optimized = true - instance_type = "t3.large" - monitoring = true - subnet_id = module.vpc.public_subnets[0].id - vpc_security_group_ids = [module.firewall.default_security_group_id, aws_security_group.apigw.id] - associate_public_ip_address = true - user_data = data.template_file.apigw_setup.rendered - - lifecycle { - ignore_changes = [ami] - } - - tags = merge( - { - Name = "${var.project}-ApiGW" - }, - local.tags - ) -} - -resource "aws_eip" "apigw" { - vpc = true -} - -resource "aws_eip_association" "eip_assoc" { - instance_id = aws_instance.apigw.id - allocation_id = aws_eip.apigw.id -} - -output "api_gw_hostname" { - value = aws_instance.apigw.public_dns -} -output "api_gw_public_ip" { - value = 
aws_instance.apigw.public_ip
-}
-output "api_gw_instance_arn" {
- value = aws_instance.apigw.arn
-}
\ No newline at end of file