From 93fee06e1c2a495cfd0ff244ab620c27aab520c2 Mon Sep 17 00:00:00 2001
From: Tom Whitwell
Date: Mon, 9 Dec 2024 14:24:41 +0000
Subject: [PATCH 01/13] BAU: Add commonly used shared resources to outputs
We regularly use the account alias and slack SNS topic arn in other modules. We can make these available as outputs from the shared terraform, to reduce the number of data sources we need to define in other modules.
---
 ci/terraform/shared/account.tf | 5 +++++
 ci/terraform/shared/sns-alerts.tf | 5 +++++
 2 files changed, 10 insertions(+)
 create mode 100644 ci/terraform/shared/account.tf
diff --git a/ci/terraform/shared/account.tf b/ci/terraform/shared/account.tf
new file mode 100644
index 0000000000..90ac6885ec
--- /dev/null
+++ b/ci/terraform/shared/account.tf
@@ -0,0 +1,5 @@
+data "aws_iam_account_alias" "current" {}
+output "aws_account_alias" {
+ description = "The alias of the current AWS account"
+ value = data.aws_iam_account_alias.current.account_alias
+}
diff --git a/ci/terraform/shared/sns-alerts.tf b/ci/terraform/shared/sns-alerts.tf
index 27f81c449d..5d66da43ea 100644
--- a/ci/terraform/shared/sns-alerts.tf
+++ b/ci/terraform/shared/sns-alerts.tf
@@ -3,6 +3,11 @@ resource "aws_sns_topic" "slack_events" {
 lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_iam_role.arn
 }
+output "slack_event_sns_topic_arn" {
+ description = "The ARN of the SNS topic for Slack events"
+ value = aws_sns_topic.slack_events.arn
+}
+
 data "aws_iam_policy_document" "sns_topic_policy" {
 version = "2012-10-17"
From 5cbb161710ef5f37e8cd62ea080c2a16c96b1d48 Mon Sep 17 00:00:00 2001
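Review bot: Both new outputs in `shared/account.tf` and `shared/sns-alerts.tf` are read by other stacks through `terraform_remote_state` (patches 04–07 in this series do exactly that), so their names become part of the shared stack's interface, yet nothing in the files says so. A one-line comment above each output, e.g. `# Consumed via terraform_remote_state by the account-management, auth-external-api, delivery-receipts and interventions-api-stub stacks; renaming breaks them.`, would stop a later tidy-up from renaming or dropping them. The `aws_iam_account_alias` lookup also needs `iam:ListAccountAliases` on whatever role applies the shared stack; the account-management stack previously carried its own copy of this data source, so that role presumably already has it, but it is worth confirming before the shared apply.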
From: Tom Whitwell Date: Mon, 9 Dec 2024 14:36:20 +0000 Subject: [PATCH 02/13] BAU: use dynatrace.tf with symlinks --- ci/terraform/account-management/dynatrace.tf | 14 +------------- ci/terraform/dynatrace.tf | 13 +++++++++++++ ci/terraform/interventions-api-stub/dynatrace.tf | 14 +------------- ci/terraform/oidc/dynatrace.tf | 14 +------------- ci/terraform/ticf-cri-stub/dynatrace.tf | 14 +------------- 5 files changed, 17 insertions(+), 52 deletions(-) mode change 100644 => 120000 ci/terraform/account-management/dynatrace.tf create mode 100644 ci/terraform/dynatrace.tf mode change 100644 => 120000 ci/terraform/interventions-api-stub/dynatrace.tf mode change 100644 => 120000 ci/terraform/oidc/dynatrace.tf mode change 100644 => 120000 ci/terraform/ticf-cri-stub/dynatrace.tf diff --git a/ci/terraform/account-management/dynatrace.tf b/ci/terraform/account-management/dynatrace.tf deleted file mode 100644 index 614b622577..0000000000 --- a/ci/terraform/account-management/dynatrace.tf +++ /dev/null @@ -1,13 +0,0 @@ -locals { - dynatrace_production_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables" - dynatrace_nonproduction_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables" - - dynatrace_secret = jsondecode(data.aws_secretsmanager_secret_version.dynatrace_secret.secret_string) -} - -data "aws_secretsmanager_secret" "dynatrace_secret" { - arn = var.environment == "production" ? local.dynatrace_production_secret : local.dynatrace_nonproduction_secret -} -data "aws_secretsmanager_secret_version" "dynatrace_secret" { - secret_id = data.aws_secretsmanager_secret.dynatrace_secret.id -} diff --git a/ci/terraform/account-management/dynatrace.tf b/ci/terraform/account-management/dynatrace.tf new file mode 120000 index 0000000000..51ee75e4c0 --- /dev/null +++ b/ci/terraform/account-management/dynatrace.tf @@ -0,0 +1 @@ +../dynatrace.tf \ No newline at end of file 
diff --git a/ci/terraform/dynatrace.tf b/ci/terraform/dynatrace.tf new file mode 100644 index 0000000000..614b622577 --- /dev/null +++ b/ci/terraform/dynatrace.tf @@ -0,0 +1,13 @@ +locals { + dynatrace_production_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables" + dynatrace_nonproduction_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables" + + dynatrace_secret = jsondecode(data.aws_secretsmanager_secret_version.dynatrace_secret.secret_string) +} + +data "aws_secretsmanager_secret" "dynatrace_secret" { + arn = var.environment == "production" ? local.dynatrace_production_secret : local.dynatrace_nonproduction_secret +} +data "aws_secretsmanager_secret_version" "dynatrace_secret" { + secret_id = data.aws_secretsmanager_secret.dynatrace_secret.id +} diff --git a/ci/terraform/interventions-api-stub/dynatrace.tf b/ci/terraform/interventions-api-stub/dynatrace.tf deleted file mode 100644 index 614b622577..0000000000 --- a/ci/terraform/interventions-api-stub/dynatrace.tf +++ /dev/null @@ -1,13 +0,0 @@ -locals { - dynatrace_production_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables" - dynatrace_nonproduction_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables" - - dynatrace_secret = jsondecode(data.aws_secretsmanager_secret_version.dynatrace_secret.secret_string) -} - -data "aws_secretsmanager_secret" "dynatrace_secret" { - arn = var.environment == "production" ? local.dynatrace_production_secret : local.dynatrace_nonproduction_secret -} -data "aws_secretsmanager_secret_version" "dynatrace_secret" { - secret_id = data.aws_secretsmanager_secret.dynatrace_secret.id -} diff --git a/ci/terraform/interventions-api-stub/dynatrace.tf b/ci/terraform/interventions-api-stub/dynatrace.tf new file mode 120000 index 0000000000..51ee75e4c0 --- /dev/null +++ b/ci/terraform/interventions-api-stub/dynatrace.tf 
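Review bot: The new shared `ci/terraform/dynatrace.tf` has no header comment, although it is meant to be symlinked into several root modules and silently depends on each of them declaring `var.environment`; a stack that links it without that variable fails at validate time, and any environment value other than exactly `"production"` reads the non-production secret. A short comment at the top, along the lines of `# Shared Dynatrace secret lookup; symlinked into each stack as dynatrace.tf.` and `# Requires var.environment in the consuming stack; only "production" selects the production secret.`, would make that contract explicit. The same comment should note that every linking stack materialises the decoded secret, including the DT tokens, in its own Terraform state, so read access to those state backends now has to be treated as equivalent to access to the secret itself. Each stack's apply role also needs `secretsmanager:GetSecretValue` on the two ARNs, which name account 216552277552; if a stack deploys from a different account, the secret's resource policy must allow that role as well (presumably already in place for the stacks that had this file before, but new linkers should check).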
@@ -0,0 +1 @@ +../dynatrace.tf \ No newline at end of file diff --git a/ci/terraform/oidc/dynatrace.tf b/ci/terraform/oidc/dynatrace.tf deleted file mode 100644 index 614b622577..0000000000 --- a/ci/terraform/oidc/dynatrace.tf +++ /dev/null @@ -1,13 +0,0 @@ -locals { - dynatrace_production_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables" - dynatrace_nonproduction_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables" - - dynatrace_secret = jsondecode(data.aws_secretsmanager_secret_version.dynatrace_secret.secret_string) -} - -data "aws_secretsmanager_secret" "dynatrace_secret" { - arn = var.environment == "production" ? local.dynatrace_production_secret : local.dynatrace_nonproduction_secret -} -data "aws_secretsmanager_secret_version" "dynatrace_secret" { - secret_id = data.aws_secretsmanager_secret.dynatrace_secret.id -} diff --git a/ci/terraform/oidc/dynatrace.tf b/ci/terraform/oidc/dynatrace.tf new file mode 120000 index 0000000000..51ee75e4c0 --- /dev/null +++ b/ci/terraform/oidc/dynatrace.tf @@ -0,0 +1 @@ +../dynatrace.tf \ No newline at end of file diff --git a/ci/terraform/ticf-cri-stub/dynatrace.tf b/ci/terraform/ticf-cri-stub/dynatrace.tf deleted file mode 100644 index 614b622577..0000000000 --- a/ci/terraform/ticf-cri-stub/dynatrace.tf +++ /dev/null 
@@ -1,13 +0,0 @@ -locals { - dynatrace_production_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables" - dynatrace_nonproduction_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables" - - dynatrace_secret = jsondecode(data.aws_secretsmanager_secret_version.dynatrace_secret.secret_string) -} - -data "aws_secretsmanager_secret" "dynatrace_secret" { - arn = var.environment == "production" ? local.dynatrace_production_secret : local.dynatrace_nonproduction_secret -} -data "aws_secretsmanager_secret_version" "dynatrace_secret" { - secret_id = data.aws_secretsmanager_secret.dynatrace_secret.id -} diff --git a/ci/terraform/ticf-cri-stub/dynatrace.tf b/ci/terraform/ticf-cri-stub/dynatrace.tf new file mode 120000 index 0000000000..51ee75e4c0 --- /dev/null +++ b/ci/terraform/ticf-cri-stub/dynatrace.tf @@ -0,0 +1 @@ +../dynatrace.tf \ No newline at end of file From 475e556987d4fc68f968a371e54a104cb65c6e9b Mon Sep 17 00:00:00 2001 From: Tom Whitwell Date: Mon, 9 Dec 2024 14:28:36 +0000 Subject: [PATCH 03/13] BAU: make inputs required --- ci/terraform/modules/endpoint-module-v2/README.md | 6 +++--- ci/terraform/modules/endpoint-module-v2/variables.tf | 3 --- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/ci/terraform/modules/endpoint-module-v2/README.md b/ci/terraform/modules/endpoint-module-v2/README.md index 4d33aa237a..92578cf2ac 100644 --- a/ci/terraform/modules/endpoint-module-v2/README.md +++ b/ci/terraform/modules/endpoint-module-v2/README.md 
@@ -40,8 +40,10 @@ When we fully switch over to using OpenAPI for all API Gateways, lambdas current | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | The 'friendly-name' of the AWS account, eg. di-auth-development | `string` | n/a | yes | | [authentication\_vpc\_arn](#input\_authentication\_vpc\_arn) | n/a | `string` | n/a | yes | | [cloudwatch\_key\_arn](#input\_cloudwatch\_key\_arn) | The ARN of the KMS key to use log encryption | `string` | n/a | yes | +| [dynatrace\_secret](#input\_dynatrace\_secret) | JSON decoded dynatrace secret |
object({
JAVA_LAYER = string

DT_CONNECTION_AUTH_TOKEN = string
DT_CONNECTION_BASE_URL = string
DT_CLUSTER_ID = string
DT_TENANT = string
DT_LOG_COLLECTION_AUTH_TOKEN = string
})
| n/a | yes | | [endpoint\_method](#input\_endpoint\_method) | n/a | `list(string)` | n/a | yes | | [endpoint\_name](#input\_endpoint\_name) | n/a | `string` | n/a | yes | | [environment](#input\_environment) | n/a | `string` | n/a | yes | @@ -57,15 +59,14 @@ When we fully switch over to using OpenAPI for all API Gateways, lambdas current | [rest\_api\_id](#input\_rest\_api\_id) | n/a | `string` | n/a | yes | | [root\_resource\_id](#input\_root\_resource\_id) | n/a | `string` | n/a | yes | | [security\_group\_ids](#input\_security\_group\_ids) | The list of security group IDs to apply to the lambda | `list(string)` | n/a | yes | +| [slack\_event\_topic\_arn](#input\_slack\_event\_topic\_arn) | The ARN of the slack event topic | `string` | n/a | yes | | [source\_bucket](#input\_source\_bucket) | n/a | `string` | n/a | yes | | [subnet\_id](#input\_subnet\_id) | The id of the subnets for the lambda | `list(string)` | n/a | yes | -| [account\_alias](#input\_account\_alias) | The 'friendly-name' of the AWS account, eg. di-auth-development | `string` | `null` | no | | [api\_key\_required](#input\_api\_key\_required) | n/a | `bool` | `false` | no | | [authorizer\_id](#input\_authorizer\_id) | n/a | `string` | `null` | no | | [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | The number of day to retain Cloudwatch logs for | `number` | `30` | no | | [code\_signing\_config\_arn](#input\_code\_signing\_config\_arn) | n/a | `any` | `null` | no | | [create\_endpoint](#input\_create\_endpoint) | n/a | `bool` | `true` | no | -| [dynatrace\_secret](#input\_dynatrace\_secret) | JSON decoded dynatrace secret |
object({
JAVA_LAYER = string

DT_CONNECTION_AUTH_TOKEN = string
DT_CONNECTION_BASE_URL = string
DT_CLUSTER_ID = string
DT_TENANT = string
DT_LOG_COLLECTION_AUTH_TOKEN = string
})
| `null` | no | | [extra\_tags](#input\_extra\_tags) | Extra tags to apply to resources | `map(string)` | `{}` | no | | [handler\_runtime](#input\_handler\_runtime) | n/a | `string` | `"java17"` | no | | [integration\_request\_parameters](#input\_integration\_request\_parameters) | n/a | `map(string)` | `{}` | no | @@ -79,7 +80,6 @@ When we fully switch over to using OpenAPI for all API Gateways, lambdas current | [method\_request\_parameters](#input\_method\_request\_parameters) | n/a | `map(bool)` | `{}` | no | | [provisioned\_concurrency](#input\_provisioned\_concurrency) | n/a | `number` | `0` | no | | [scaling\_trigger](#input\_scaling\_trigger) | n/a | `number` | `0.7` | no | -| [slack\_event\_topic\_arn](#input\_slack\_event\_topic\_arn) | The ARN of the slack event topic | `string` | `null` | no | ## Outputs diff --git a/ci/terraform/modules/endpoint-module-v2/variables.tf b/ci/terraform/modules/endpoint-module-v2/variables.tf index ba8d669603..ab8f6406d7 100644 --- a/ci/terraform/modules/endpoint-module-v2/variables.tf +++ b/ci/terraform/modules/endpoint-module-v2/variables.tf @@ -173,13 +173,11 @@ variable "scaling_trigger" { variable "slack_event_topic_arn" { description = "The ARN of the slack event topic" type = string - default = null } variable "account_alias" { description = "The 'friendly-name' of the AWS account, eg. di-auth-development" type = string - default = null } variable "dynatrace_secret" { @@ -195,5 +193,4 @@ variable "dynatrace_secret" { DT_LOG_COLLECTION_AUTH_TOKEN = string }) sensitive = true - default = null } From 13e4d2a5fa548045b781a96a1c37096bc2dbfa94 Mon Sep 17 00:00:00 2001 
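Review bot: Dropping `default = null` makes `slack_event_topic_arn` and `account_alias` mandatory in `endpoint-module-v2/variables.tf`, but either still accepts any string, so a mistyped or empty value may only surface when the alarm action fails to deliver rather than at plan time; a `validation` block on each would catch it early. For the topic, `condition = can(regex("^arn:aws[a-z-]*:sns:", var.slack_event_topic_arn))` with an `error_message` such as "slack_event_topic_arn must be an SNS topic ARN" is enough, and for the alias `condition = length(var.account_alias) > 0`. The enclosing `variable "dynatrace_secret"` block starts before the second hunk; its `sensitive = true` is kept, which is the right call now that the value is required.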
From: Tom Whitwell Date: Mon, 9 Dec 2024 14:27:04 +0000 Subject: [PATCH 04/13] BAU: xAPI: migrate to endpoint-module-v2 --- ci/terraform/auth-external-api/dynatrace.tf | 1 + ci/terraform/auth-external-api/shared.tf | 3 +++ ci/terraform/auth-external-api/token.tf | 6 +++++- ci/terraform/auth-external-api/userinfo.tf | 6 +++++- 4 files changed, 14 insertions(+), 2 deletions(-) create mode 120000 ci/terraform/auth-external-api/dynatrace.tf diff --git a/ci/terraform/auth-external-api/dynatrace.tf b/ci/terraform/auth-external-api/dynatrace.tf new file mode 120000 index 0000000000..51ee75e4c0 --- /dev/null +++ b/ci/terraform/auth-external-api/dynatrace.tf @@ -0,0 +1 @@ +../dynatrace.tf \ No newline at end of file diff --git a/ci/terraform/auth-external-api/shared.tf b/ci/terraform/auth-external-api/shared.tf index 94992c3048..3609112aa1 100644 --- a/ci/terraform/auth-external-api/shared.tf +++ b/ci/terraform/auth-external-api/shared.tf @@ -32,4 +32,7 @@ locals { redis_ssm_parameter_policy = data.terraform_remote_state.shared.outputs.redis_ssm_parameter_policy authentication_oidc_redis_security_group_id = data.terraform_remote_state.shared.outputs.authentication_oidc_redis_security_group_id redis_key = "session" + + slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn + aws_account_alias = data.terraform_remote_state.shared.outputs.aws_account_alias } diff --git a/ci/terraform/auth-external-api/token.tf b/ci/terraform/auth-external-api/token.tf index b0575d8054..33c12d7e81 100644 --- a/ci/terraform/auth-external-api/token.tf +++ b/ci/terraform/auth-external-api/token.tf @@ -22,7 +22,7 @@ module "auth_token_role" { } module "auth_token" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "auth-token" path_part = "token" 
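Review bot: Changing `source` from `../modules/endpoint-module` to `../modules/endpoint-module-v2` keeps the address `module.auth_token`, but if v2 names its internal resources differently Terraform will plan to destroy and recreate the lambda, its alias, log group and API Gateway integration rather than update them in place; the two modules are not visible here, so please check the plan for replacements and add `moved` blocks if any appear. The same applies to `module.auth_userinfo` in `userinfo.tf` in this patch and to `module.notify_callback` in `delivery-receipts/notify-callback.tf` in patch 06. A replaced log group would also mean a gap in retained logs across the switch-over, which matters for any later investigation of that window.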
@@ -68,6 +68,10 @@ module "auth_token" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + dynatrace_secret = local.dynatrace_secret + slack_event_topic_arn = local.slack_event_sns_topic_arn + account_alias = local.aws_account_alias + depends_on = [ aws_api_gateway_rest_api.di_auth_ext_api, ] diff --git a/ci/terraform/auth-external-api/userinfo.tf b/ci/terraform/auth-external-api/userinfo.tf index bfe596cca3..3374f0faaa 100644 --- a/ci/terraform/auth-external-api/userinfo.tf +++ b/ci/terraform/auth-external-api/userinfo.tf @@ -23,7 +23,7 @@ module "auth_userinfo_role" { } module "auth_userinfo" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "auth-userinfo" path_part = "userinfo" @@ -65,6 +65,10 @@ module "auth_userinfo" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + dynatrace_secret = local.dynatrace_secret + slack_event_topic_arn = local.slack_event_sns_topic_arn + account_alias = local.aws_account_alias + depends_on = [ aws_api_gateway_rest_api.di_auth_ext_api, ] From e8caa0d59b854192fb1069dff214eb91a455bf87 Mon Sep 17 00:00:00 2001 
From: Tom Whitwell Date: Mon, 9 Dec 2024 14:31:29 +0000 Subject: [PATCH 05/13] BAU: am: use values from shared --- ci/terraform/account-management/account.tf | 1 - ci/terraform/account-management/alerts.tf | 8 ++------ ci/terraform/account-management/authenticate.tf | 4 ++-- ci/terraform/account-management/authorizer.tf | 8 ++++---- ci/terraform/account-management/delete-account.tf | 4 ++-- ci/terraform/account-management/redis.tf | 2 +- ci/terraform/account-management/send-otp-notification.tf | 4 ++-- ci/terraform/account-management/shared.tf | 3 +++ ci/terraform/account-management/update-email.tf | 4 ++-- ci/terraform/account-management/update-password.tf | 4 ++-- ci/terraform/account-management/update-phone-number.tf | 4 ++-- 11 files changed, 22 insertions(+), 24 deletions(-) delete mode 100644 ci/terraform/account-management/account.tf diff --git a/ci/terraform/account-management/account.tf b/ci/terraform/account-management/account.tf deleted file mode 100644 index 239bc19c65..0000000000 --- a/ci/terraform/account-management/account.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_iam_account_alias" "current" {} diff --git a/ci/terraform/account-management/alerts.tf b/ci/terraform/account-management/alerts.tf index 5db1c53dcb..6cfae52e81 100644 --- a/ci/terraform/account-management/alerts.tf +++ b/ci/terraform/account-management/alerts.tf @@ -12,7 +12,7 @@ resource "aws_cloudwatch_metric_alarm" "sqs_deadletter_cloudwatch_alarm" { QueueName = aws_sqs_queue.email_dead_letter_queue.name } alarm_description = "${var.dlq_alarm_threshold} or more messages have appeared on the ${aws_sqs_queue.email_dead_letter_queue.name}" - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_actions = [local.slack_event_sns_topic_arn] } moved { from = aws_cloudwatch_metric_alarm.sqs_deadletter_cloudwatch_alarm[0] 
@@ -37,9 +37,5 @@ moved { # } # # alarm_description = "${var.waf_alarm_blocked_reqeuest_threshold} or more blocked requests have been received by the ${aws_wafv2_web_acl.wafregional_web_acl_am_api[count.index].name} in the last 5 minutes" -# alarm_actions = [data.aws_sns_topic.slack_events.arn] +# alarm_actions = [local.slack_event_sns_topic_arn] #} - -data "aws_sns_topic" "slack_events" { - name = "${var.environment}-slack-events" -} diff --git a/ci/terraform/account-management/authenticate.tf b/ci/terraform/account-management/authenticate.tf index 96a673e3d3..ba08ebfb88 100644 --- a/ci/terraform/account-management/authenticate.tf +++ b/ci/terraform/account-management/authenticate.tf @@ -57,8 +57,8 @@ module "authenticate" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn - account_alias = data.aws_iam_account_alias.current.account_alias - slack_event_topic_arn = data.aws_sns_topic.slack_events.arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn dynatrace_secret = local.dynatrace_secret diff --git a/ci/terraform/account-management/authorizer.tf b/ci/terraform/account-management/authorizer.tf index 73d6892408..b7b9d4a22a 100644 --- a/ci/terraform/account-management/authorizer.tf +++ b/ci/terraform/account-management/authorizer.tf 
@@ -135,8 +135,8 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_cloudwatch_alarm period = "3600" statistic = "Sum" threshold = local.alert_error_threshold - alarm_description = "${local.alert_error_threshold} or more errors have occurred in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda. ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_description = "${local.alert_error_threshold} or more errors have occurred in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda. ACCOUNT: ${local.aws_account_alias}" + alarm_actions = [local.slack_event_sns_topic_arn] } resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_alarm" { @@ -144,7 +144,7 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_ comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" threshold = local.alert_error_rate_threshold - alarm_description = "Lambda error rate of ${local.alert_error_rate_threshold} has been reached in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda.ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" + alarm_description = "Lambda error rate of ${local.alert_error_rate_threshold} has been reached in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda.ACCOUNT: ${local.aws_account_alias}" metric_query { id = "e1" @@ -181,5 +181,5 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_ } } } - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_actions = [local.slack_event_sns_topic_arn] } diff --git a/ci/terraform/account-management/delete-account.tf b/ci/terraform/account-management/delete-account.tf index d79c862d92..5e4423e993 100644 --- a/ci/terraform/account-management/delete-account.tf +++ b/ci/terraform/account-management/delete-account.tf 
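Review bot: The rewritten `alarm_description` in `lambda_authorizer_error_rate_cloudwatch_alarm` keeps the run-together `lambda.ACCOUNT: ${local.aws_account_alias}`, while the error-count alarm just above it reads `lambda. ACCOUNT:`; since this text is what lands in the Slack alert, `lambda. ACCOUNT: ${local.aws_account_alias}` would make the two consistent and easier to scan when triaging. The enclosing resource block starts before this hunk.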
@@ -60,8 +60,8 @@ module "delete_account" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn - account_alias = data.aws_iam_account_alias.current.account_alias - slack_event_topic_arn = data.aws_sns_topic.slack_events.arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn dynatrace_secret = local.dynatrace_secret depends_on = [module.account_management_api_remove_account_role] diff --git a/ci/terraform/account-management/redis.tf b/ci/terraform/account-management/redis.tf index d47d480526..2e700e1983 100644 --- a/ci/terraform/account-management/redis.tf +++ b/ci/terraform/account-management/redis.tf @@ -30,7 +30,7 @@ resource "aws_elasticache_replication_group" "account_management_sessions_store" parameter_group_name = "default.redis6.x" port = local.redis_port_number maintenance_window = "tue:22:00-tue:23:00" - notification_topic_arn = data.aws_sns_topic.slack_events.arn + notification_topic_arn = local.slack_event_sns_topic_arn multi_az_enabled = true diff --git a/ci/terraform/account-management/send-otp-notification.tf b/ci/terraform/account-management/send-otp-notification.tf index 0135ab8dc6..e92683b5d0 100644 --- a/ci/terraform/account-management/send-otp-notification.tf +++ b/ci/terraform/account-management/send-otp-notification.tf @@ -73,8 +73,8 @@ module "send_otp_notification" { lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn authorizer_id = aws_api_gateway_authorizer.di_account_management_api.id - account_alias = data.aws_iam_account_alias.current.account_alias - slack_event_topic_arn = data.aws_sns_topic.slack_events.arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn dynatrace_secret = local.dynatrace_secret depends_on = [ 
diff --git a/ci/terraform/account-management/shared.tf b/ci/terraform/account-management/shared.tf index 55c61963d9..b2f882285f 100644 --- a/ci/terraform/account-management/shared.tf +++ b/ci/terraform/account-management/shared.tf @@ -19,4 +19,7 @@ locals { client_registry_encryption_key_arn = data.terraform_remote_state.shared.outputs.client_registry_encryption_key_arn user_profile_kms_key_arn = data.terraform_remote_state.shared.outputs.user_profile_kms_key_arn email_check_results_encryption_policy_arn = data.terraform_remote_state.shared.outputs.email_check_results_encryption_policy_arn + + slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn + aws_account_alias = data.terraform_remote_state.shared.outputs.aws_account_alias } diff --git a/ci/terraform/account-management/update-email.tf b/ci/terraform/account-management/update-email.tf index 8ac52f2aa3..f3ecb520b9 100644 --- a/ci/terraform/account-management/update-email.tf +++ b/ci/terraform/account-management/update-email.tf @@ -64,8 +64,8 @@ module "update_email" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn - account_alias = data.aws_iam_account_alias.current.account_alias - slack_event_topic_arn = data.aws_sns_topic.slack_events.arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn dynatrace_secret = local.dynatrace_secret depends_on = [module.account_management_api_update_email_role] diff --git a/ci/terraform/account-management/update-password.tf b/ci/terraform/account-management/update-password.tf index 2b10c6aef3..dd5d996cde 100644 --- a/ci/terraform/account-management/update-password.tf +++ b/ci/terraform/account-management/update-password.tf 
@@ -60,8 +60,8 @@ module "update_password" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn - account_alias = data.aws_iam_account_alias.current.account_alias - slack_event_topic_arn = data.aws_sns_topic.slack_events.arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn dynatrace_secret = local.dynatrace_secret depends_on = [module.account_management_api_update_password_role] diff --git a/ci/terraform/account-management/update-phone-number.tf b/ci/terraform/account-management/update-phone-number.tf index e4ba565a76..d112aca592 100644 --- a/ci/terraform/account-management/update-phone-number.tf +++ b/ci/terraform/account-management/update-phone-number.tf @@ -60,8 +60,8 @@ module "update_phone_number" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn - account_alias = data.aws_iam_account_alias.current.account_alias - slack_event_topic_arn = data.aws_sns_topic.slack_events.arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn dynatrace_secret = local.dynatrace_secret depends_on = [module.account_management_api_update_phone_number_role] From 3668705637c3f3f4dbec9388a631555d083a2530 Mon Sep 17 00:00:00 2001 From: Tom Whitwell Date: Mon, 9 Dec 2024 14:35:49 +0000 Subject: [PATCH 06/13] BAU: dr: use endpoint-module-v2 --- ci/terraform/delivery-receipts/dynatrace.tf | 1 + ci/terraform/delivery-receipts/notify-callback.tf | 6 +++++- ci/terraform/delivery-receipts/shared.tf | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) create mode 120000 ci/terraform/delivery-receipts/dynatrace.tf 
diff --git a/ci/terraform/delivery-receipts/dynatrace.tf b/ci/terraform/delivery-receipts/dynatrace.tf new file mode 120000 index 0000000000..51ee75e4c0 --- /dev/null +++ b/ci/terraform/delivery-receipts/dynatrace.tf @@ -0,0 +1 @@ +../dynatrace.tf \ No newline at end of file diff --git a/ci/terraform/delivery-receipts/notify-callback.tf b/ci/terraform/delivery-receipts/notify-callback.tf index 2869bfe560..9b1be0a92a 100644 --- a/ci/terraform/delivery-receipts/notify-callback.tf +++ b/ci/terraform/delivery-receipts/notify-callback.tf @@ -15,7 +15,7 @@ module "delivery_receipts_api_notify_callback_role" { } module "notify_callback" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "notify-callback" path_part = "notify-callback" @@ -50,6 +50,10 @@ module "notify_callback" { lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn api_key_required = false + dynatrace_secret = local.dynatrace_secret + slack_event_topic_arn = local.slack_event_sns_topic_arn + account_alias = local.aws_account_alias + depends_on = [ aws_api_gateway_rest_api.di_authentication_delivery_receipts_api, ] diff --git a/ci/terraform/delivery-receipts/shared.tf b/ci/terraform/delivery-receipts/shared.tf index f4258811fb..b2d4fa82de 100644 --- a/ci/terraform/delivery-receipts/shared.tf +++ b/ci/terraform/delivery-receipts/shared.tf @@ -14,4 +14,7 @@ locals { bulk_user_email_table_encryption_key_arn = data.terraform_remote_state.shared.outputs.bulk_user_email_table_encryption_key_arn user_profile_encryption_policy_arn = data.terraform_remote_state.shared.outputs.user_profile_encryption_policy_arn user_profile_kms_key_arn = data.terraform_remote_state.shared.outputs.user_profile_kms_key_arn + + slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn + aws_account_alias = data.terraform_remote_state.shared.outputs.aws_account_alias } 
From cc61d62bca28208e3697361c67e69163963e66dd Mon Sep 17 00:00:00 2001 From: Tom Whitwell Date: Mon, 9 Dec 2024 14:45:47 +0000 Subject: [PATCH 07/13] BAU: ias: use shared resources --- ci/terraform/interventions-api-stub/account.tf | 1 - ci/terraform/interventions-api-stub/alerts.tf | 3 --- ci/terraform/interventions-api-stub/lambda.tf | 7 ++++--- ci/terraform/interventions-api-stub/shared.tf | 3 +++ 4 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 ci/terraform/interventions-api-stub/account.tf delete mode 100644 ci/terraform/interventions-api-stub/alerts.tf diff --git a/ci/terraform/interventions-api-stub/account.tf b/ci/terraform/interventions-api-stub/account.tf deleted file mode 100644 index 239bc19c65..0000000000 --- a/ci/terraform/interventions-api-stub/account.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_iam_account_alias" "current" {} diff --git a/ci/terraform/interventions-api-stub/alerts.tf b/ci/terraform/interventions-api-stub/alerts.tf deleted file mode 100644 index b25f4f919b..0000000000 --- a/ci/terraform/interventions-api-stub/alerts.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "aws_sns_topic" "slack_events" { - name = "${var.environment}-slack-events" -} diff --git a/ci/terraform/interventions-api-stub/lambda.tf b/ci/terraform/interventions-api-stub/lambda.tf index 2e1c4fb2e2..a5432584df 100644 --- a/ci/terraform/interventions-api-stub/lambda.tf +++ b/ci/terraform/interventions-api-stub/lambda.tf 
@@ -44,7 +44,8 @@ module "account_interventions_stub_lambda" {
 cloudwatch_key_arn = data.terraform_remote_state.shared.outputs.cloudwatch_encryption_key_arn
 cloudwatch_log_retention = var.cloudwatch_log_retention
 lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn
- account_alias = data.aws_iam_account_alias.current.account_alias
- slack_event_topic_arn = data.aws_sns_topic.slack_events.arn
- dynatrace_secret = local.dynatrace_secret
+
+ account_alias = local.aws_account_alias
+ slack_event_topic_arn = local.slack_event_sns_topic_arn
+ dynatrace_secret = local.dynatrace_secret
 }
diff --git a/ci/terraform/interventions-api-stub/shared.tf b/ci/terraform/interventions-api-stub/shared.tf
index fdec321fbd..d3d65318fb 100644
--- a/ci/terraform/interventions-api-stub/shared.tf
+++ b/ci/terraform/interventions-api-stub/shared.tf
@@ -21,4 +21,7 @@ locals {
 authentication_security_group_id = data.terraform_remote_state.shared.outputs.authentication_security_group_id
 authentication_private_subnet_ids = data.terraform_remote_state.shared.outputs.authentication_private_subnet_ids
 lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
+
+ slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn
+ aws_account_alias = data.terraform_remote_state.shared.outputs.aws_account_alias
 }
From 10329d598e5999611ae5a5e9c8672ca5cb614500 Mon Sep 17 00:00:00 2001
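Review bot: In the `lambda.tf` hunk the line `dynatrace_secret = local.dynatrace_secret` is removed and re-added byte-identical, so the diff shows three changed arguments where only `account_alias` and `slack_event_topic_arn` actually change; leaving that line in place and inserting the blank line above the other two would make the real change obvious to whoever reads this in a blame. The substance is sound: dropping the `data "aws_sns_topic" "slack_events"` lookup by name (`${var.environment}-slack-events`) binds the alarm actions to the exact topic the shared stack created rather than to whichever topic happens to carry that name in the account. The `account_interventions_stub_lambda` module block starts outside the hunk.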
From: Tom Whitwell Date: Mon, 9 Dec 2024 15:05:43 +0000 Subject: [PATCH 08/13] BAU: bring endpoint-module-v2 up to date --- .../modules/endpoint-lambda/README.md | 2 +- .../modules/endpoint-lambda/alerts.tf | 4 ++-- .../modules/endpoint-lambda/variables.tf | 4 ++-- .../modules/endpoint-module-v2/README.md | 4 ++++ .../modules/endpoint-module-v2/alerts.tf | 4 ++-- .../endpoint-module-v2/endpoint-lambda.tf | 2 ++ .../modules/endpoint-module-v2/lambda.tf | 7 ++++++- .../modules/endpoint-module-v2/variables.tf | 21 +++++++++++++++++++ 8 files changed, 40 insertions(+), 8 deletions(-) diff --git a/ci/terraform/modules/endpoint-lambda/README.md b/ci/terraform/modules/endpoint-lambda/README.md index 2504357c5b..ec3155cd67 100644 --- a/ci/terraform/modules/endpoint-lambda/README.md +++ b/ci/terraform/modules/endpoint-lambda/README.md @@ -79,7 +79,7 @@ No modules. | [logging\_endpoint\_enabled](#input\_logging\_endpoint\_enabled) | Whether the Lambda should ship its logs to the `logging_endpoint_arn` | `bool` | `false` | no | | [max\_provisioned\_concurrency](#input\_max\_provisioned\_concurrency) | n/a | `number` | `5` | no | | [provisioned\_concurrency](#input\_provisioned\_concurrency) | n/a | `number` | `0` | no | -| [runbook\_link](#input\_runbook\_link) | A link that is appended to alarm descriptions that should open a page describing how to triage and handle the alarm | `string` | `""` | no | +| [runbook\_link](#input\_runbook\_link) | A link that is appended to alarm descriptions that should open a page describing how to triage and handle the alarm | `string` | `null` | no | | [scaling\_trigger](#input\_scaling\_trigger) | n/a | `number` | `0.7` | no | | [snapstart](#input\_snapstart) | n/a | `bool` | `false` | no | | [wait\_for\_alias\_timeout](#input\_wait\_for\_alias\_timeout) | The number of seconds to wait for the alias to be created | `number` | `300` | no | 
diff --git a/ci/terraform/modules/endpoint-lambda/alerts.tf b/ci/terraform/modules/endpoint-lambda/alerts.tf index 5d35f0474f..eae98fc736 100644 --- a/ci/terraform/modules/endpoint-lambda/alerts.tf +++ b/ci/terraform/modules/endpoint-lambda/alerts.tf @@ -1,8 +1,8 @@ locals { base_error_alarm_description = "${var.lambda_log_alarm_threshold} or more errors have occurred in the ${var.environment} ${var.endpoint_name} lambda.ACCOUNT: ${var.account_alias}" - error_alarm_description = var.runbook_link == "" ? local.base_error_alarm_description : "${local.base_error_alarm_description}. Runbook: ${var.runbook_link}" + error_alarm_description = var.runbook_link == null ? local.base_error_alarm_description : "${local.base_error_alarm_description}. Runbook: ${var.runbook_link}" base_error_rate_alarm_description = "Lambda error rate of ${var.lambda_log_alarm_error_rate_threshold} has been reached in the ${var.environment} ${var.endpoint_name} lambda.ACCOUNT: ${var.account_alias}" - error_rate_alarm_description = var.runbook_link == "" ? local.base_error_rate_alarm_description : "${local.base_error_rate_alarm_description}. Runbook: ${var.runbook_link}" + error_rate_alarm_description = var.runbook_link == null ? local.base_error_rate_alarm_description : "${local.base_error_rate_alarm_description}. Runbook: ${var.runbook_link}" } resource "aws_cloudwatch_log_metric_filter" "lambda_error_metric_filter" { diff --git a/ci/terraform/modules/endpoint-lambda/variables.tf b/ci/terraform/modules/endpoint-lambda/variables.tf index a4b6fe076a..710e51899f 100644 --- a/ci/terraform/modules/endpoint-lambda/variables.tf +++ b/ci/terraform/modules/endpoint-lambda/variables.tf @@ -175,7 +175,7 @@ variable "wait_for_alias_timeout" { } variable "runbook_link" { - type = string description = "A link that is appended to alarm descriptions that should open a page describing how to triage and handle the alarm" - default = "" + type = string + default = null } 
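Review bot: Changing the `runbook_link` default from `""` to `null` and the two guards in `alerts.tf` to `== null` means any caller that still passes `runbook_link = ""` explicitly now gets `. Runbook: ` appended with an empty link, because `"" == null` is false in Terraform. Accepting both forms keeps existing callers correct: `error_alarm_description = var.runbook_link == null || var.runbook_link == "" ? local.base_error_alarm_description : "${local.base_error_alarm_description}. Runbook: ${var.runbook_link}"`, and the same shape for `error_rate_alarm_description`. I cannot see the callers of `endpoint-lambda` in this series, so this may be moot, but a grep for `runbook_link = ""` before merging would settle it. The `locals` block is shown in full; the `variable "runbook_link"` block is complete in its hunk.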
diff --git a/ci/terraform/modules/endpoint-module-v2/README.md b/ci/terraform/modules/endpoint-module-v2/README.md index 92578cf2ac..6ff46415d8 100644 --- a/ci/terraform/modules/endpoint-module-v2/README.md +++ b/ci/terraform/modules/endpoint-module-v2/README.md @@ -63,6 +63,7 @@ When we fully switch over to using OpenAPI for all API Gateways, lambdas current | [source\_bucket](#input\_source\_bucket) | n/a | `string` | n/a | yes | | [subnet\_id](#input\_subnet\_id) | The id of the subnets for the lambda | `list(string)` | n/a | yes | | [api\_key\_required](#input\_api\_key\_required) | n/a | `bool` | `false` | no | +| [architectures](#input\_architectures) | n/a | `list(string)` |
[
"x86_64"
]
| no | | [authorizer\_id](#input\_authorizer\_id) | n/a | `string` | `null` | no | | [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | The number of day to retain Cloudwatch logs for | `number` | `30` | no | | [code\_signing\_config\_arn](#input\_code\_signing\_config\_arn) | n/a | `any` | `null` | no | @@ -79,7 +80,10 @@ When we fully switch over to using OpenAPI for all API Gateways, lambdas current | [max\_provisioned\_concurrency](#input\_max\_provisioned\_concurrency) | n/a | `number` | `5` | no | | [method\_request\_parameters](#input\_method\_request\_parameters) | n/a | `map(bool)` | `{}` | no | | [provisioned\_concurrency](#input\_provisioned\_concurrency) | n/a | `number` | `0` | no | +| [runbook\_link](#input\_runbook\_link) | A link that is appended to alarm descriptions that should open a page describing how to triage and handle the alarm | `string` | `null` | no | | [scaling\_trigger](#input\_scaling\_trigger) | n/a | `number` | `0.7` | no | +| [snapstart](#input\_snapstart) | n/a | `bool` | `false` | no | +| [wait\_for\_alias\_timeout](#input\_wait\_for\_alias\_timeout) | The number of seconds to wait for the alias to be created | `number` | `300` | no | ## Outputs diff --git a/ci/terraform/modules/endpoint-module-v2/alerts.tf b/ci/terraform/modules/endpoint-module-v2/alerts.tf index 103a386dcd..d5cb5c8186 100644 --- a/ci/terraform/modules/endpoint-module-v2/alerts.tf +++ b/ci/terraform/modules/endpoint-module-v2/alerts.tf @@ -1,10 +1,10 @@ moved { - from = aws_cloudwatch_log_metric_filter.lambda_error_metric_filter[0] + from = aws_cloudwatch_log_metric_filter.lambda_error_metric_filter to = module.endpoint_lambda.aws_cloudwatch_log_metric_filter.lambda_error_metric_filter } moved { - from = aws_cloudwatch_metric_alarm.lambda_error_cloudwatch_alarm[0] + from = aws_cloudwatch_metric_alarm.lambda_error_cloudwatch_alarm to = module.endpoint_lambda.aws_cloudwatch_metric_alarm.lambda_error_cloudwatch_alarm } 
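Review bot: Dropping the `[0]` index from the `from` addresses of both `moved` blocks in `alerts.tf` (and from `aws_cloudwatch_log_group.lambda_log_group` in the `lambda.tf` hunk that follows) only matches state if the v1 `endpoint-module` created these resources without `count`; the v1 module source is not part of this series, so I cannot confirm which address is live. If the state still holds `…lambda_error_metric_filter[0]` or `…lambda_log_group[0]`, the move silently does not apply and Terraform plans a destroy-and-create instead — for the log group that discards the existing Lambda logs, which matters for incident investigation and audit retention. Before merging, a `terraform plan` on one of the stacks this series migrates (for example `module.notify_callback` in delivery-receipts) should show only moves and no replacements. A comment on each `moved` block naming the v1 address it targets, e.g. `# v1 endpoint-module address (no count); see ../endpoint-module/alerts.tf`, would make this check reproducible later.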
diff --git a/ci/terraform/modules/endpoint-module-v2/endpoint-lambda.tf b/ci/terraform/modules/endpoint-module-v2/endpoint-lambda.tf index 0a01ff7dd2..98b955fca0 100644 --- a/ci/terraform/modules/endpoint-module-v2/endpoint-lambda.tf +++ b/ci/terraform/modules/endpoint-module-v2/endpoint-lambda.tf @@ -31,4 +31,6 @@ module "endpoint_lambda" { slack_event_topic_arn = var.slack_event_topic_arn account_alias = var.account_alias dynatrace_secret = var.dynatrace_secret + runbook_link = var.runbook_link + snapstart = var.snapstart } diff --git a/ci/terraform/modules/endpoint-module-v2/lambda.tf b/ci/terraform/modules/endpoint-module-v2/lambda.tf index b85de454a9..1600fd11ee 100644 --- a/ci/terraform/modules/endpoint-module-v2/lambda.tf +++ b/ci/terraform/modules/endpoint-module-v2/lambda.tf @@ -4,7 +4,7 @@ moved { } moved { - from = aws_cloudwatch_log_group.lambda_log_group[0] + from = aws_cloudwatch_log_group.lambda_log_group to = module.endpoint_lambda.aws_cloudwatch_log_group.lambda_log_group } @@ -32,3 +32,8 @@ moved { from = aws_appautoscaling_policy.provisioned-concurrency-policy to = module.endpoint_lambda.aws_appautoscaling_policy.provisioned-concurrency-policy } + +moved { + from = terraform_data.wait_for_alias + to = module.endpoint_lambda.terraform_data.wait_for_alias +} diff --git a/ci/terraform/modules/endpoint-module-v2/variables.tf b/ci/terraform/modules/endpoint-module-v2/variables.tf index ab8f6406d7..89f9249da2 100644 --- a/ci/terraform/modules/endpoint-module-v2/variables.tf +++ b/ci/terraform/modules/endpoint-module-v2/variables.tf 
@@ -194,3 +194,24 @@ variable "dynatrace_secret" {
 })
 sensitive = true
 }
+
+variable "snapstart" {
+ type = bool
+ default = false
+}
+variable "architectures" {
+ type = list(string)
+ default = ["x86_64"]
+}
+
+variable "wait_for_alias_timeout" {
+ type = number
+ description = "The number of seconds to wait for the alias to be created"
+ default = 300
+}
+
+variable "runbook_link" {
+ description = "A link that is appended to alarm descriptions that should open a page describing how to triage and handle the alarm"
+ type = string
+ default = null
+}
From c3e915e19c077a3e6e355e5c0f9dd39b0499baf7 Mon Sep 17 00:00:00 2001
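Review bot: `architectures` and `wait_for_alias_timeout` are declared here and listed in the README, but the `module "endpoint_lambda"` call in `endpoint-lambda.tf` only gains `runbook_link` and `snapstart` in this commit, so unless they are forwarded in the part of that module block outside the hunk, both inputs are accepted and silently ignored — a caller setting them would believe the change took effect. Either forward them (`architectures = var.architectures` and `wait_for_alias_timeout = var.wait_for_alias_timeout`) or drop the declarations until they are wired. `snapstart` and `architectures` also have no `description`, which is why the README shows `n/a` for them; a one-line description on each would close that gap. The `variable "dynatrace_secret"` block starts outside the hunk.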
From: Tom Whitwell Date: Mon, 9 Dec 2024 15:06:41 +0000 Subject: [PATCH 09/13] BAU: oidc: use endpoint-module-v2 --- .../oidc/account-interventions-alerts.tf | 4 ++-- ci/terraform/oidc/account-interventions.tf | 6 +++++- ci/terraform/oidc/account-recovery.tf | 6 +++++- ci/terraform/oidc/account.tf | 1 - ci/terraform/oidc/alerts.tf | 20 +++++++++---------- ci/terraform/oidc/auth-code.tf | 6 +++++- ci/terraform/oidc/authentication-auth-code.tf | 6 +++++- ci/terraform/oidc/authentication-callback.tf | 6 +++++- ci/terraform/oidc/authorize.tf | 6 +++++- ci/terraform/oidc/authorizer-orch-frontend.tf | 8 ++++---- ci/terraform/oidc/check-email-fraud-block.tf | 6 +++++- ci/terraform/oidc/check-reauth-user.tf | 6 +++++- ci/terraform/oidc/doc-app-callback.tf | 6 +++++- ci/terraform/oidc/identity-progress.tf | 6 +++++- ci/terraform/oidc/ipv-callback.tf | 6 +++++- ci/terraform/oidc/ipv-capacity.tf | 6 +++++- ci/terraform/oidc/ipv-handback-alerts.tf | 4 ++-- ci/terraform/oidc/jwks.tf | 6 +++++- ci/terraform/oidc/login.tf | 6 +++++- ci/terraform/oidc/logout.tf | 6 +++++- ci/terraform/oidc/mfa-reset-authorize.tf | 6 +++++- ci/terraform/oidc/mfa-reset-jar-jwk.tf | 6 +++++- .../oidc/mfa-reset-storage-token-jwk.tf | 6 +++++- ci/terraform/oidc/mfa.tf | 6 +++++- ci/terraform/oidc/processing-identity.tf | 6 +++++- ci/terraform/oidc/register.tf | 6 +++++- ci/terraform/oidc/reset-password-request.tf | 6 +++++- ci/terraform/oidc/reset_password.tf | 6 +++++- ci/terraform/oidc/reverification-result.tf | 6 +++++- ci/terraform/oidc/send_notification.tf | 6 +++++- ci/terraform/oidc/shared.tf | 3 +++ ci/terraform/oidc/signup.tf | 6 +++++- ci/terraform/oidc/sns.tf | 4 ---- ci/terraform/oidc/start.tf | 6 +++++- ci/terraform/oidc/storage-token-jwk.tf | 6 +++++- ci/terraform/oidc/ticf-cri.tf | 7 ++++--- ci/terraform/oidc/token.tf | 6 +++++- ci/terraform/oidc/trustmarks.tf | 6 +++++- ci/terraform/oidc/update.tf | 6 +++++- ci/terraform/oidc/update_profile.tf | 6 +++++- ci/terraform/oidc/userexists.tf 
| 6 +++++- ci/terraform/oidc/userinfo.tf | 6 +++++- ci/terraform/oidc/verify_code.tf | 6 +++++- ci/terraform/oidc/verify_mfa_code.tf | 6 +++++- ci/terraform/oidc/wellknown.tf | 6 +++++- 45 files changed, 210 insertions(+), 63 deletions(-) delete mode 100644 ci/terraform/oidc/account.tf diff --git a/ci/terraform/oidc/account-interventions-alerts.tf b/ci/terraform/oidc/account-interventions-alerts.tf index 8f7597e4e0..98656fb239 100644 --- a/ci/terraform/oidc/account-interventions-alerts.tf +++ b/ci/terraform/oidc/account-interventions-alerts.tf @@ -35,8 +35,8 @@ resource "aws_cloudwatch_metric_alarm" "account_interventions_p1_cloudwatch_alar period = var.account_interventions_p1_alarm_error_time_period statistic = "Sum" threshold = var.account_interventions_p1_alarm_error_threshold - alarm_description = "${var.account_interventions_p1_alarm_error_threshold} or more Account Interventions errors have occurred in ${var.environment}.ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" - alarm_actions = [local.isP1Alarm ? data.aws_sns_topic.pagerduty_p1_alerts[0].arn : data.aws_sns_topic.slack_events.arn] + alarm_description = "${var.account_interventions_p1_alarm_error_threshold} or more Account Interventions errors have occurred in ${var.environment}.ACCOUNT: ${local.aws_account_alias}" + alarm_actions = [local.isP1Alarm ? data.aws_sns_topic.pagerduty_p1_alerts[0].arn : local.slack_event_sns_topic_arn] } moved { from = aws_cloudwatch_metric_alarm.account_interventions_p1_cloudwatch_alarm[0] diff --git a/ci/terraform/oidc/account-interventions.tf b/ci/terraform/oidc/account-interventions.tf index 35f5611b5a..ab4ec362d9 100644 --- a/ci/terraform/oidc/account-interventions.tf +++ b/ci/terraform/oidc/account-interventions.tf 
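Review bot: The rewritten `alarm_actions` line in `account-interventions-alerts.tf` now mixes two binding styles: the Slack topic comes from shared state via `local.slack_event_sns_topic_arn`, while the PagerDuty topic is still resolved by name through `data.aws_sns_topic.pagerduty_p1_alerts[0].arn`; the same pattern appears in `alerts.tf` (`spot_request_sqs_cloudwatch_p1_alarm`) and `ipv-handback-alerts.tf` later in this patch. If that topic is also owned by the shared stack, exporting it the same way would remove the last name-based lookup on the P1 alert path; if it lives elsewhere, a short comment on the data source saying where would stop the next refactor from trying. The `account_interventions_p1_cloudwatch_alarm` resource block starts outside the hunk.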
@@ -24,7 +24,7 @@ module "frontend_api_account_interventions_role" { module "account_interventions" { count = local.deploy_account_interventions_count - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "account-interventions" path_part = "account-interventions" @@ -73,4 +73,8 @@ module "account_interventions" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret } diff --git a/ci/terraform/oidc/account-recovery.tf b/ci/terraform/oidc/account-recovery.tf index e89b3a7ac1..82beea68a3 100644 --- a/ci/terraform/oidc/account-recovery.tf +++ b/ci/terraform/oidc/account-recovery.tf @@ -24,7 +24,7 @@ module "frontend_api_account_recovery_role" { module "account_recovery" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "account-recovery" path_part = "account-recovery" @@ -66,4 +66,8 @@ module "account_recovery" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret } diff --git a/ci/terraform/oidc/account.tf b/ci/terraform/oidc/account.tf deleted file mode 100644 index 239bc19c65..0000000000 --- a/ci/terraform/oidc/account.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_iam_account_alias" "current" {} diff --git a/ci/terraform/oidc/alerts.tf b/ci/terraform/oidc/alerts.tf index 75b4da4e00..0723dc1c1d 100644 --- a/ci/terraform/oidc/alerts.tf +++ b/ci/terraform/oidc/alerts.tf 
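Review bot: None of the module calls migrated to `endpoint-module-v2` in this patch set `runbook_link`, although the previous patch added that input to v2 so alarm descriptions can point at triage steps; the error and error-rate alarms for every migrated endpoint will therefore continue to fire without one. That can reasonably follow in a separate change, but a TODO on the first migrated block, `# TODO: set runbook_link once per-endpoint runbooks exist`, would record the intent. The `account_interventions` module block (with `count = local.deploy_account_interventions_count`) starts before and ends after the visible hunk lines, and the same applies to `account_recovery`.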
@@ -11,8 +11,8 @@ resource "aws_cloudwatch_metric_alarm" "sqs_deadletter_cloudwatch_alarm" { dimensions = { QueueName = aws_sqs_queue.email_dead_letter_queue.name } - alarm_description = "${var.dlq_alarm_threshold} or more messages have appeared on the ${aws_sqs_queue.email_dead_letter_queue.name}. ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}. Runbook: https://govukverify.atlassian.net/wiki/spaces/LO/pages/4164649233/BAU+Daytime+Support+Hygiene+and+Optimisation+Rota#SUP-7%3A-Resolve-DLQ-messages" - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_description = "${var.dlq_alarm_threshold} or more messages have appeared on the ${aws_sqs_queue.email_dead_letter_queue.name}. ACCOUNT: ${local.aws_account_alias}. Runbook: https://govukverify.atlassian.net/wiki/spaces/LO/pages/4164649233/BAU+Daytime+Support+Hygiene+and+Optimisation+Rota#SUP-7%3A-Resolve-DLQ-messages" + alarm_actions = [local.slack_event_sns_topic_arn] } moved { from = aws_cloudwatch_metric_alarm.sqs_deadletter_cloudwatch_alarm[0] @@ -32,8 +32,8 @@ resource "aws_cloudwatch_metric_alarm" "spot_request_sqs_dlq_cloudwatch_alarm" { dimensions = { QueueName = aws_sqs_queue.spot_request_dead_letter_queue.name } - alarm_description = "${var.dlq_alarm_threshold} or more messages have appeared on the ${aws_sqs_queue.spot_request_dead_letter_queue.name}. ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}. Runbook: https://govukverify.atlassian.net/wiki/x/DYDMBgE" - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_description = "${var.dlq_alarm_threshold} or more messages have appeared on the ${aws_sqs_queue.spot_request_dead_letter_queue.name}. ACCOUNT: ${local.aws_account_alias}. Runbook: https://govukverify.atlassian.net/wiki/x/DYDMBgE" + alarm_actions = [local.slack_event_sns_topic_arn] } moved { from = aws_cloudwatch_metric_alarm.spot_request_sqs_dlq_cloudwatch_alarm[0] 
@@ -53,8 +53,8 @@ resource "aws_cloudwatch_metric_alarm" "spot_request_sqs_cloudwatch_alarm" { dimensions = { QueueName = aws_sqs_queue.spot_request_queue.name } - alarm_description = "Age of the oldest message on ${aws_sqs_queue.spot_request_queue.name} exceeds 10 seconds. ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}. Runbook: https://govukverify.atlassian.net/wiki/x/VIFoCAE" - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_description = "Age of the oldest message on ${aws_sqs_queue.spot_request_queue.name} exceeds 10 seconds. ACCOUNT: ${local.aws_account_alias}. Runbook: https://govukverify.atlassian.net/wiki/x/VIFoCAE" + alarm_actions = [local.slack_event_sns_topic_arn] } resource "aws_cloudwatch_metric_alarm" "spot_request_sqs_cloudwatch_p1_alarm" { @@ -70,8 +70,8 @@ resource "aws_cloudwatch_metric_alarm" "spot_request_sqs_cloudwatch_p1_alarm" { dimensions = { QueueName = aws_sqs_queue.spot_request_queue.name } - alarm_description = "Age of the oldest message on ${aws_sqs_queue.spot_request_queue.name} exceeds 60 seconds. ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}. Runbook: https://govukverify.atlassian.net/wiki/x/VIFoCAE" - alarm_actions = [var.environment == "production" ? data.aws_sns_topic.pagerduty_p1_alerts[0].arn : data.aws_sns_topic.slack_events.arn] + alarm_description = "Age of the oldest message on ${aws_sqs_queue.spot_request_queue.name} exceeds 60 seconds. ACCOUNT: ${local.aws_account_alias}. Runbook: https://govukverify.atlassian.net/wiki/x/VIFoCAE" + alarm_actions = [var.environment == "production" ? data.aws_sns_topic.pagerduty_p1_alerts[0].arn : local.slack_event_sns_topic_arn] } 
@@ -93,7 +93,7 @@ resource "aws_cloudwatch_metric_alarm" "spot_request_sqs_cloudwatch_p1_alarm" { # } # # alarm_description = "${var.waf_alarm_blocked_reqeuest_threshold} or more blocked requests have been received by the ${aws_wafv2_web_acl.wafregional_web_acl_oidc_api[count.index].name} in the last 5 minutes" -# alarm_actions = [data.aws_sns_topic.slack_events.arn] +# alarm_actions = [local.slack_event_sns_topic_arn] #} # Turning WAF blocked alerts off until we figure out how best to utilise them @@ -114,5 +114,5 @@ resource "aws_cloudwatch_metric_alarm" "spot_request_sqs_cloudwatch_p1_alarm" { # } # # alarm_description = "${var.waf_alarm_blocked_reqeuest_threshold} or more blocked requests have been received by the ${aws_wafv2_web_acl.wafregional_web_acl_frontend_api[count.index].name} in the last 5 minutes" -# alarm_actions = [data.aws_sns_topic.slack_events.arn] +# alarm_actions = [local.slack_event_sns_topic_arn] #} diff --git a/ci/terraform/oidc/auth-code.tf b/ci/terraform/oidc/auth-code.tf index 99b47c2063..d701c57c86 100644 --- a/ci/terraform/oidc/auth-code.tf +++ b/ci/terraform/oidc/auth-code.tf @@ -21,7 +21,7 @@ module "oidc_auth_code_role" { } module "auth-code" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "auth-code" path_part = var.orch_auth_code_enabled ? "auth-code-auth" : "auth-code" @@ -60,6 +60,10 @@ module "auth-code" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/authentication-auth-code.tf b/ci/terraform/oidc/authentication-auth-code.tf index 877ce8d391..cb5640f992 100644 
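Review bot: The two commented-out WAF blocked-request alarm blocks are updated to `local.slack_event_sns_topic_arn`, which keeps them in sync, but they remain dead code that `terraform validate` never checks, so the `aws_wafv2_web_acl…[count.index]` references inside them can rot unnoticed. If the intent is to re-enable them later, a live block guarded by `count` on a boolean variable (a name like `waf_blocked_request_alerts_enabled` is illustrative) with the default off keeps the code validated while leaving the alerting switched off as the surrounding comment describes. Both commented blocks start outside the hunk.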
--- a/ci/terraform/oidc/authentication-auth-code.tf +++ b/ci/terraform/oidc/authentication-auth-code.tf @@ -26,7 +26,7 @@ module "frontend_api_orch_auth_code_role" { } module "orch_auth_code" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "orch-auth-code" path_part = "orch-auth-code" @@ -69,6 +69,10 @@ module "orch_auth_code" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/authentication-callback.tf b/ci/terraform/oidc/authentication-callback.tf index ef599f8405..591c5d605f 100644 --- a/ci/terraform/oidc/authentication-callback.tf +++ b/ci/terraform/oidc/authentication-callback.tf @@ -25,7 +25,7 @@ module "oidc_api_authentication_callback_role" { module "authentication_callback" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "orchestration-redirect" path_part = var.orch_authentication_callback_enabled ? "orchestration-redirect-auth" : "orchestration-redirect" @@ -83,6 +83,10 @@ module "authentication_callback" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = false + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api ] diff --git a/ci/terraform/oidc/authorize.tf b/ci/terraform/oidc/authorize.tf index 74a93e5d2d..bd504e67e1 100644 --- a/ci/terraform/oidc/authorize.tf +++ b/ci/terraform/oidc/authorize.tf 
@@ -26,7 +26,7 @@ module "oidc_authorize_role" { } module "authorize" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "authorize" path_part = var.orch_authorisation_enabled ? "authorize-auth" : "authorize" @@ -88,6 +88,10 @@ module "authorize" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/authorizer-orch-frontend.tf b/ci/terraform/oidc/authorizer-orch-frontend.tf index f2a18a4873..00c5069389 100644 --- a/ci/terraform/oidc/authorizer-orch-frontend.tf +++ b/ci/terraform/oidc/authorizer-orch-frontend.tf @@ -159,8 +159,8 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_cloudwatch_alarm period = "3600" statistic = "Sum" threshold = local.alert_error_threshold - alarm_description = "${local.alert_error_threshold} or more errors have occurred in the ${var.environment} ${aws_lambda_function.orch_frontend_authorizer.function_name} lambda. ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_description = "${local.alert_error_threshold} or more errors have occurred in the ${var.environment} ${aws_lambda_function.orch_frontend_authorizer.function_name} lambda. ACCOUNT: ${local.aws_account_alias}" + alarm_actions = [local.slack_event_sns_topic_arn] tags = { Service = "orch-frontend-authorizer" } 
@@ -171,7 +171,7 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_ comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" threshold = local.alert_error_rate_threshold - alarm_description = "Lambda error rate of ${local.alert_error_rate_threshold} has been reached in the ${var.environment} ${aws_lambda_function.orch_frontend_authorizer.function_name} lambda.ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" + alarm_description = "Lambda error rate of ${local.alert_error_rate_threshold} has been reached in the ${var.environment} ${aws_lambda_function.orch_frontend_authorizer.function_name} lambda.ACCOUNT: ${local.aws_account_alias}" metric_query { id = "e1" @@ -208,7 +208,7 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_ } } } - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_actions = [local.slack_event_sns_topic_arn] tags = { Service = "orch-frontend-authorizer" } diff --git a/ci/terraform/oidc/check-email-fraud-block.tf b/ci/terraform/oidc/check-email-fraud-block.tf index 2dea4f0cf1..6112a941ab 100644 --- a/ci/terraform/oidc/check-email-fraud-block.tf +++ b/ci/terraform/oidc/check-email-fraud-block.tf @@ -22,7 +22,7 @@ module "frontend_api_check_email_fraud_block_role" { module "check_email_fraud_block" { count = local.deploy_check_email_fraud_block_count - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "check-email-fraud-block" path_part = "check-email-fraud-block" @@ -68,6 +68,10 @@ module "check_email_fraud_block" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, 
diff --git a/ci/terraform/oidc/check-reauth-user.tf b/ci/terraform/oidc/check-reauth-user.tf index e00de2fdb2..0fbacf7a03 100644 --- a/ci/terraform/oidc/check-reauth-user.tf +++ b/ci/terraform/oidc/check-reauth-user.tf @@ -23,7 +23,7 @@ module "frontend_api_check_reauth_user_role" { module "check_reauth_user" { count = local.deploy_reauth_user_count - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "check-reauth-user" path_part = "check-reauth-user" @@ -71,6 +71,10 @@ module "check_reauth_user" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/doc-app-callback.tf b/ci/terraform/oidc/doc-app-callback.tf index a36374905d..fe142e6474 100644 --- a/ci/terraform/oidc/doc-app-callback.tf +++ b/ci/terraform/oidc/doc-app-callback.tf @@ -21,7 +21,7 @@ module "doc_app_callback_role" { } module "doc-app-callback" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "doc-app-callback" path_part = var.orch_doc_app_callback_enabled ? "doc-app-callback-auth" : "doc-app-callback" endpoint_method = ["GET"] @@ -72,6 +72,10 @@ module "doc-app-callback" { api_key_required = false lambda_log_alarm_threshold = 10 + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, ] diff --git a/ci/terraform/oidc/identity-progress.tf b/ci/terraform/oidc/identity-progress.tf index cff5dcb4e9..6aa7b6202c 100644 --- a/ci/terraform/oidc/identity-progress.tf +++ b/ci/terraform/oidc/identity-progress.tf 
@@ -18,7 +18,7 @@ module "identity_progress_role" { } module "identity_progress" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "identity-progress" path_part = "identity-progress" @@ -61,6 +61,10 @@ module "identity_progress" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, ] diff --git a/ci/terraform/oidc/ipv-callback.tf b/ci/terraform/oidc/ipv-callback.tf index 9752aa0d41..af63faff2e 100644 --- a/ci/terraform/oidc/ipv-callback.tf +++ b/ci/terraform/oidc/ipv-callback.tf @@ -28,7 +28,7 @@ module "ipv_callback_role" { } module "ipv-callback" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "ipv-callback" path_part = var.orch_ipv_callback_enabled ? "ipv-callback-auth" : "ipv-callback" @@ -83,6 +83,10 @@ module "ipv-callback" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/ipv-capacity.tf b/ci/terraform/oidc/ipv-capacity.tf index 8d0ca3942a..ddeb9190da 100644 --- a/ci/terraform/oidc/ipv-capacity.tf +++ b/ci/terraform/oidc/ipv-capacity.tf @@ -16,7 +16,7 @@ module "ipv_capacity_role" { } module "ipv-capacity" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "ipv-capacity" path_part = "ipv-capacity" 
@@ -61,6 +61,10 @@ module "ipv-capacity" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/ipv-handback-alerts.tf b/ci/terraform/oidc/ipv-handback-alerts.tf index 028a41e9cd..92fa6ce1ab 100644 --- a/ci/terraform/oidc/ipv-handback-alerts.tf +++ b/ci/terraform/oidc/ipv-handback-alerts.tf @@ -90,8 +90,8 @@ resource "aws_cloudwatch_metric_alarm" "ipv_handback_p1_cloudwatch_alarm" { period = var.ipv_p1_alarm_error_time_period statistic = "Sum" threshold = var.ipv_p1_alarm_error_threshold - alarm_description = "${var.ipv_p1_alarm_error_threshold} or more IPV handback errors have occurred in ${var.environment}.ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" - alarm_actions = [var.environment == "production" ? data.aws_sns_topic.pagerduty_p1_alerts[0].arn : data.aws_sns_topic.slack_events.arn] + alarm_description = "${var.ipv_p1_alarm_error_threshold} or more IPV handback errors have occurred in ${var.environment}.ACCOUNT: ${local.aws_account_alias}" + alarm_actions = [var.environment == "production" ? data.aws_sns_topic.pagerduty_p1_alerts[0].arn : local.slack_event_sns_topic_arn] treat_missing_data = "notBreaching" } moved { diff --git a/ci/terraform/oidc/jwks.tf b/ci/terraform/oidc/jwks.tf index e49a565a42..fe454fb6dd 100644 --- a/ci/terraform/oidc/jwks.tf +++ b/ci/terraform/oidc/jwks.tf @@ -15,7 +15,7 @@ module "oidc_jwks_role" { } module "jwks" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "jwks.json" path_part = var.orch_jwks_enabled ? "jwks-auth.json" : "jwks.json" 
@@ -50,6 +50,10 @@ module "jwks" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/login.tf b/ci/terraform/oidc/login.tf index d9342186b2..4e35f28856 100644 --- a/ci/terraform/oidc/login.tf +++ b/ci/terraform/oidc/login.tf @@ -32,7 +32,7 @@ module "frontend_api_login_role" { module "login" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "login" path_part = "login" @@ -81,4 +81,8 @@ module "login" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret } diff --git a/ci/terraform/oidc/logout.tf b/ci/terraform/oidc/logout.tf index 7677e6bc00..a90f999e5e 100644 --- a/ci/terraform/oidc/logout.tf +++ b/ci/terraform/oidc/logout.tf @@ -22,7 +22,7 @@ module "oidc_logout_role" { } module "logout" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "logout" path_part = var.orch_logout_enabled ? "logout-auth" : "logout" @@ -64,6 +64,10 @@ module "logout" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, 
diff --git a/ci/terraform/oidc/mfa-reset-authorize.tf b/ci/terraform/oidc/mfa-reset-authorize.tf index bcb8a4415a..b9abc40324 100644 --- a/ci/terraform/oidc/mfa-reset-authorize.tf +++ b/ci/terraform/oidc/mfa-reset-authorize.tf @@ -20,7 +20,7 @@ module "mfa_reset_authorize_role" { module "mfa_reset_authorize" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "mfa-reset-authorize" path_part = "mfa-reset-authorize" @@ -70,6 +70,10 @@ module "mfa_reset_authorize" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api ] diff --git a/ci/terraform/oidc/mfa-reset-jar-jwk.tf b/ci/terraform/oidc/mfa-reset-jar-jwk.tf index d6db4150bb..71d1c44ad0 100644 --- a/ci/terraform/oidc/mfa-reset-jar-jwk.tf +++ b/ci/terraform/oidc/mfa-reset-jar-jwk.tf @@ -17,7 +17,7 @@ module "mfa_reset_jar_signing_jwk_role" { } module "mfa_reset_jar_signing_jwk" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = local.reverification_jwk_json_endpoint_name path_part = "reverification-jwk.json" @@ -53,6 +53,10 @@ module "mfa_reset_jar_signing_jwk" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.auth_frontend_wellknown_resource, diff --git a/ci/terraform/oidc/mfa-reset-storage-token-jwk.tf b/ci/terraform/oidc/mfa-reset-storage-token-jwk.tf index f2b0a156c4..2ce1c67ebe 100644 
--- a/ci/terraform/oidc/mfa-reset-storage-token-jwk.tf +++ b/ci/terraform/oidc/mfa-reset-storage-token-jwk.tf @@ -13,7 +13,7 @@ module "mfa_reset_storage_token_jwk_role" { } module "mfa_reset_storage_token_jwk" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "mfa-reset-jwk.json" path_part = "mfa-reset-jwk.json" @@ -50,6 +50,10 @@ module "mfa_reset_storage_token_jwk" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.auth_frontend_wellknown_resource, diff --git a/ci/terraform/oidc/mfa.tf b/ci/terraform/oidc/mfa.tf index 3d1bb279c5..70dec9aaa8 100644 --- a/ci/terraform/oidc/mfa.tf +++ b/ci/terraform/oidc/mfa.tf @@ -21,7 +21,7 @@ module "frontend_api_mfa_role" { } module "mfa" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "mfa" path_part = "mfa" @@ -70,6 +70,10 @@ module "mfa" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/processing-identity.tf b/ci/terraform/oidc/processing-identity.tf index d475de65c5..35e544643e 100644 --- a/ci/terraform/oidc/processing-identity.tf +++ b/ci/terraform/oidc/processing-identity.tf 
@@ -55,7 +55,7 @@ moved { } module "processing-identity" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "processing-identity" path_part = "processing-identity" @@ -109,6 +109,10 @@ module "processing-identity" { api_key_required = true runbook_link = "https://govukverify.atlassian.net/wiki/x/JoD2FwE" + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, ] diff --git a/ci/terraform/oidc/register.tf b/ci/terraform/oidc/register.tf index 0485d5fd8a..7134afc564 100644 --- a/ci/terraform/oidc/register.tf +++ b/ci/terraform/oidc/register.tf @@ -19,7 +19,7 @@ module "client_registry_role" { module "register" { count = var.client_registry_api_enabled ? 1 : 0 - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "register" path_part = var.orch_register_enabled ? "register-auth" : "register" @@ -54,6 +54,10 @@ module "register" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/reset-password-request.tf b/ci/terraform/oidc/reset-password-request.tf index 6f0578d2cd..86e0a24d54 100644 --- a/ci/terraform/oidc/reset-password-request.tf +++ b/ci/terraform/oidc/reset-password-request.tf @@ -20,7 +20,7 @@ module "frontend_api_reset_password_request_role" { } module "reset-password-request" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "reset-password-request" path_part = "reset-password-request" 
@@ -68,6 +68,10 @@ module "reset-password-request" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/reset_password.tf b/ci/terraform/oidc/reset_password.tf index 9ac74b24d4..f4714a65b0 100644 --- a/ci/terraform/oidc/reset_password.tf +++ b/ci/terraform/oidc/reset_password.tf @@ -26,7 +26,7 @@ module "frontend_api_reset_password_role" { } module "reset_password" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "reset-password" path_part = "reset-password" @@ -72,6 +72,10 @@ module "reset_password" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/reverification-result.tf b/ci/terraform/oidc/reverification-result.tf index de52572cbf..de39ff1122 100644 --- a/ci/terraform/oidc/reverification-result.tf +++ b/ci/terraform/oidc/reverification-result.tf @@ -18,7 +18,7 @@ module "reverification_result_role" { } module "reverification_result" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "reverification-result" path_part = "reverification-result" 
@@ -66,6 +66,10 @@ module "reverification_result" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api ] diff --git a/ci/terraform/oidc/send_notification.tf b/ci/terraform/oidc/send_notification.tf index 37bd68921d..b2915b6c8c 100644 --- a/ci/terraform/oidc/send_notification.tf +++ b/ci/terraform/oidc/send_notification.tf @@ -25,7 +25,7 @@ module "frontend_api_send_notification_role" { } module "send_notification" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "send-notification" path_part = "send-notification" @@ -76,6 +76,10 @@ module "send_notification" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/shared.tf b/ci/terraform/oidc/shared.tf index f3bae9792b..debb3e6b43 100644 --- a/ci/terraform/oidc/shared.tf +++ b/ci/terraform/oidc/shared.tf @@ -78,4 +78,7 @@ locals { experian_phone_check_sqs_queue_id = data.terraform_remote_state.contra.outputs.aws_experian_phone_check_sqs_id experian_phone_check_sqs_queue_policy_arn = data.terraform_remote_state.contra.outputs.aws_experian_phone_check_sqs_policy_arn secure_pipelines_environment = var.environment == "sandpit" ? "dev" : var.environment + + slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn + aws_account_alias = data.terraform_remote_state.shared.outputs.aws_account_alias } 
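Review bot: The two new locals in oidc `shared.tf` read `data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn` and `.aws_account_alias`, which only exist once the shared stack carrying those outputs (added earlier in this series) has been applied in a given environment; until then `terraform plan` for oidc fails on an unsupported attribute, so the rollout order deserves a comment such as `# Requires the shared stack to be applied first; these outputs are new in this series`. The same ordering applies to the matching locals in the test-services, ticf-cri-stub and utils `shared.tf` hunks. As a point of style the local is named `slack_event_sns_topic_arn` while the module input it feeds is `slack_event_topic_arn`; aligning the two would remove one indirection when grepping. It is also worth checking that no other oidc file still references `data.aws_sns_topic.slack_events`, which `sns.tf` drops in this commit; the `locals` block starts outside the hunk.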
diff --git a/ci/terraform/oidc/signup.tf b/ci/terraform/oidc/signup.tf index ab51316656..dfa073675f 100644 --- a/ci/terraform/oidc/signup.tf +++ b/ci/terraform/oidc/signup.tf @@ -26,7 +26,7 @@ module "frontend_api_signup_role" { } module "signup" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "signup" path_part = "signup" @@ -69,6 +69,10 @@ module "signup" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/sns.tf b/ci/terraform/oidc/sns.tf index 1d9d01d662..e0eda9d62c 100644 --- a/ci/terraform/oidc/sns.tf +++ b/ci/terraform/oidc/sns.tf @@ -2,7 +2,3 @@ data "aws_sns_topic" "pagerduty_p1_alerts" { count = var.environment == "production" ? 1 : 0 name = "${var.environment}-pagerduty-p1-alerts" } - -data "aws_sns_topic" "slack_events" { - name = "${var.environment}-slack-events" -} diff --git a/ci/terraform/oidc/start.tf b/ci/terraform/oidc/start.tf index 06f8043bce..6cdfc9181b 100644 --- a/ci/terraform/oidc/start.tf +++ b/ci/terraform/oidc/start.tf @@ -25,7 +25,7 @@ module "frontend_api_start_role" { } module "start" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "start" path_part = "start" @@ -72,6 +72,10 @@ module "start" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, 
diff --git a/ci/terraform/oidc/storage-token-jwk.tf b/ci/terraform/oidc/storage-token-jwk.tf index ee05b29ebd..e800d6364a 100644 --- a/ci/terraform/oidc/storage-token-jwk.tf +++ b/ci/terraform/oidc/storage-token-jwk.tf @@ -13,7 +13,7 @@ module "oidc_storage_token_jwk_role" { } module "storage_token_jwk" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "storage-token-jwk.json" path_part = var.orch_storage_token_jwk_enabled ? "storage-token-jwk-auth.json" : "storage-token-jwk.json" @@ -47,6 +47,10 @@ module "storage_token_jwk" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/ticf-cri.tf b/ci/terraform/oidc/ticf-cri.tf index 4f8634694b..edfbcddf85 100644 --- a/ci/terraform/oidc/ticf-cri.tf +++ b/ci/terraform/oidc/ticf-cri.tf @@ -53,9 +53,10 @@ module "ticf_cri_lambda" { cloudwatch_key_arn = data.terraform_remote_state.shared.outputs.cloudwatch_encryption_key_arn cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn - account_alias = data.aws_iam_account_alias.current.account_alias - slack_event_topic_arn = data.aws_sns_topic.slack_events.arn - dynatrace_secret = local.dynatrace_secret + + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret } moved { from = aws_lambda_function.ticf_cri_lambda[0] diff --git a/ci/terraform/oidc/token.tf b/ci/terraform/oidc/token.tf index d20124c8e2..d38a0e6d5c 100644 --- a/ci/terraform/oidc/token.tf +++ b/ci/terraform/oidc/token.tf 
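Review bot: With `ticf_cri_lambda` and the handback alarm now reading `local.aws_account_alias`, the oidc stack's `data "aws_iam_account_alias" "current"` — the source of the value on the removed lines — is not deleted anywhere in this chunk, whereas the ticf-cri-stub and utils patches do remove their `account.tf`; if nothing in oidc still references it, it is a dead data source that costs an IAM call on every plan, and dropping it would keep the three stacks consistent. This is inferred from the visible hunks only, since the oidc file list for this commit is not in view. The module block's opening lines are outside the hunk.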
@@ -53,7 +53,7 @@ resource "aws_iam_policy" "oidc_token_kms_signing_policy" { } module "token" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = local.oidc_token_endpoint_name path_part = var.orch_token_enabled ? "token-auth" : "token" @@ -94,6 +94,10 @@ module "token" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/trustmarks.tf b/ci/terraform/oidc/trustmarks.tf index d8cfe002a7..c06d064027 100644 --- a/ci/terraform/oidc/trustmarks.tf +++ b/ci/terraform/oidc/trustmarks.tf @@ -10,7 +10,7 @@ module "oidc_trustmarks_role" { } module "trustmarks" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "trustmark" path_part = var.orch_trustmark_enabled ? "trustmark-auth" : "trustmark" @@ -43,6 +43,10 @@ module "trustmarks" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/update.tf b/ci/terraform/oidc/update.tf index eb9bc317eb..1f785b9dbf 100644 --- a/ci/terraform/oidc/update.tf +++ b/ci/terraform/oidc/update.tf 
@@ -19,7 +19,7 @@ module "client_update_role" { module "update" { count = var.client_registry_api_enabled ? 1 : 0 - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" path_part = "{clientId}" endpoint_name = "update-client-info" @@ -62,6 +62,10 @@ module "update" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/update_profile.tf b/ci/terraform/oidc/update_profile.tf index 2a11724801..206985dbd9 100644 --- a/ci/terraform/oidc/update_profile.tf +++ b/ci/terraform/oidc/update_profile.tf @@ -22,7 +22,7 @@ module "frontend_api_update_profile_role" { } module "update_profile" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "update-profile" path_part = "update-profile" @@ -66,6 +66,10 @@ module "update_profile" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/userexists.tf b/ci/terraform/oidc/userexists.tf index 7e67e0aca7..8e824185a7 100644 --- a/ci/terraform/oidc/userexists.tf +++ b/ci/terraform/oidc/userexists.tf @@ -23,7 +23,7 @@ module "frontend_api_user_exists_role" { } module "userexists" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "user-exists" path_part = "user-exists" 
@@ -66,6 +66,10 @@ module "userexists" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/userinfo.tf b/ci/terraform/oidc/userinfo.tf index 1420c8f93f..23ea4e7fe0 100644 --- a/ci/terraform/oidc/userinfo.tf +++ b/ci/terraform/oidc/userinfo.tf @@ -26,7 +26,7 @@ module "oidc_userinfo_role" { } module "userinfo" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "userinfo" path_part = var.orch_userinfo_enabled ? "userinfo-auth" : "userinfo" @@ -67,6 +67,10 @@ module "userinfo" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/verify_code.tf b/ci/terraform/oidc/verify_code.tf index 04cb9476c4..cf5d1e8cfe 100644 --- a/ci/terraform/oidc/verify_code.tf +++ b/ci/terraform/oidc/verify_code.tf @@ -29,7 +29,7 @@ module "frontend_api_verify_code_role" { } module "verify_code" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "verify-code" path_part = "verify-code" 
@@ -84,6 +84,10 @@ module "verify_code" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, aws_api_gateway_resource.connect_resource, diff --git a/ci/terraform/oidc/verify_mfa_code.tf b/ci/terraform/oidc/verify_mfa_code.tf index a80038c612..f355caf5dd 100644 --- a/ci/terraform/oidc/verify_mfa_code.tf +++ b/ci/terraform/oidc/verify_mfa_code.tf @@ -29,7 +29,7 @@ module "frontend_api_verify_mfa_code_role" { } module "verify_mfa_code" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = "verify-mfa-code" path_part = "verify-mfa-code" @@ -84,6 +84,10 @@ module "verify_mfa_code" { lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_frontend_api, ] diff --git a/ci/terraform/oidc/wellknown.tf b/ci/terraform/oidc/wellknown.tf index 5d36ffb665..05c44684e8 100644 --- a/ci/terraform/oidc/wellknown.tf +++ b/ci/terraform/oidc/wellknown.tf @@ -14,7 +14,7 @@ module "openid_configuration_role" { } module "openid_configuration_discovery" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = local.openid_configuration_endpoint_name path_part = var.orch_openid_configuration_enabled ? "openid-configuration-auth" : "openid-configuration" 
@@ -47,6 +47,10 @@ module "openid_configuration_discovery" { cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_api, aws_api_gateway_resource.connect_resource, From e0dfef7f16a8f02432e5fb70ea92641257e4da19 Mon Sep 17 00:00:00 2001 From: Tom Whitwell Date: Mon, 9 Dec 2024 15:10:14 +0000 Subject: [PATCH 10/13] BAU: ts: use endpoint-module-v2 --- ci/terraform/test-services/delete-synthetics-user.tf | 6 +++++- ci/terraform/test-services/dynatrace.tf | 1 + ci/terraform/test-services/shared.tf | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) create mode 120000 ci/terraform/test-services/dynatrace.tf diff --git a/ci/terraform/test-services/delete-synthetics-user.tf b/ci/terraform/test-services/delete-synthetics-user.tf index 1a1df80942..cd540f8a66 100644 --- a/ci/terraform/test-services/delete-synthetics-user.tf +++ b/ci/terraform/test-services/delete-synthetics-user.tf @@ -18,7 +18,7 @@ module "test_services_api_delete-synthetics-user_role" { } module "delete-synthetics-user" { - source = "../modules/endpoint-module" + source = "../modules/endpoint-module-v2" endpoint_name = local.test_services_api_delete-synthetics_endpoint_name path_part = "synthetics-user" @@ -55,6 +55,10 @@ module "delete-synthetics-user" { lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn api_key_required = true + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret + depends_on = [ aws_api_gateway_rest_api.di_authentication_test_services_api, ] 
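Review bot: In `delete-synthetics-user` the new lines use `local.aws_account_alias` and `local.slack_event_sns_topic_arn` while the adjacent `lambda_env_vars_encryption_kms_key_arn` still reads `data.terraform_remote_state.shared.outputs…` directly; adding that value to the same `locals` block in test-services `shared.tf` would keep the stack on one convention. `local.dynatrace_secret` now comes from the symlinked `dynatrace.tf`, which appears to select the production or non-production secret on `var.environment`, so confirm test-services declares that variable with the same values the other stacks use. The module block continues outside the hunk.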
diff --git a/ci/terraform/test-services/dynatrace.tf b/ci/terraform/test-services/dynatrace.tf new file mode 120000 index 0000000000..51ee75e4c0 --- /dev/null +++ b/ci/terraform/test-services/dynatrace.tf @@ -0,0 +1 @@ +../dynatrace.tf \ No newline at end of file diff --git a/ci/terraform/test-services/shared.tf b/ci/terraform/test-services/shared.tf index b11b554c7c..d15aefd3ce 100644 --- a/ci/terraform/test-services/shared.tf +++ b/ci/terraform/test-services/shared.tf @@ -15,4 +15,7 @@ locals { authentication_private_subnet_ids = data.terraform_remote_state.shared.outputs.authentication_private_subnet_ids authentication_security_group_id = data.terraform_remote_state.shared.outputs.authentication_security_group_id user_profile_kms_key_arn = data.terraform_remote_state.shared.outputs.user_profile_kms_key_arn + + slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn + aws_account_alias = data.terraform_remote_state.shared.outputs.aws_account_alias } From 5aa3416a3e55a6a0b6aa29fe91a490164afcaf4d Mon Sep 17 00:00:00 2001 From: Tom Whitwell Date: Mon, 9 Dec 2024 15:13:07 +0000 Subject: [PATCH 11/13] BAU: ticf-stub: use shared resources --- ci/terraform/ticf-cri-stub/account.tf | 1 - ci/terraform/ticf-cri-stub/alerts.tf | 3 --- ci/terraform/ticf-cri-stub/lambda.tf | 7 ++++--- ci/terraform/ticf-cri-stub/shared.tf | 3 +++ 4 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 ci/terraform/ticf-cri-stub/account.tf delete mode 100644 ci/terraform/ticf-cri-stub/alerts.tf diff --git a/ci/terraform/ticf-cri-stub/account.tf b/ci/terraform/ticf-cri-stub/account.tf deleted file mode 100644 index 239bc19c65..0000000000 --- a/ci/terraform/ticf-cri-stub/account.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_iam_account_alias" "current" {} diff --git a/ci/terraform/ticf-cri-stub/alerts.tf b/ci/terraform/ticf-cri-stub/alerts.tf deleted file mode 100644 index b25f4f919b..0000000000 
--- a/ci/terraform/ticf-cri-stub/alerts.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "aws_sns_topic" "slack_events" { - name = "${var.environment}-slack-events" -} diff --git a/ci/terraform/ticf-cri-stub/lambda.tf b/ci/terraform/ticf-cri-stub/lambda.tf index 8a22a8e048..6f310dc2af 100644 --- a/ci/terraform/ticf-cri-stub/lambda.tf +++ b/ci/terraform/ticf-cri-stub/lambda.tf @@ -42,7 +42,8 @@ module "ticf_cri_stub_lambda" { cloudwatch_key_arn = data.terraform_remote_state.shared.outputs.cloudwatch_encryption_key_arn cloudwatch_log_retention = var.cloudwatch_log_retention lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn - account_alias = data.aws_iam_account_alias.current.account_alias - slack_event_topic_arn = data.aws_sns_topic.slack_events.arn - dynatrace_secret = local.dynatrace_secret + + account_alias = local.aws_account_alias + slack_event_topic_arn = local.slack_event_sns_topic_arn + dynatrace_secret = local.dynatrace_secret } diff --git a/ci/terraform/ticf-cri-stub/shared.tf b/ci/terraform/ticf-cri-stub/shared.tf index fdec321fbd..d3d65318fb 100644 --- a/ci/terraform/ticf-cri-stub/shared.tf +++ b/ci/terraform/ticf-cri-stub/shared.tf @@ -21,4 +21,7 @@ locals { authentication_security_group_id = data.terraform_remote_state.shared.outputs.authentication_security_group_id authentication_private_subnet_ids = data.terraform_remote_state.shared.outputs.authentication_private_subnet_ids lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn + + slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn + aws_account_alias = data.terraform_remote_state.shared.outputs.aws_account_alias } From 6382d6fdc343466519e62470436741b532a54256 Mon Sep 17 00:00:00 2001 
From: Tom Whitwell Date: Mon, 9 Dec 2024 15:20:37 +0000 Subject: [PATCH 12/13] BAU: utils: Use shared resources --- ci/terraform/utils/account.tf | 1 - ci/terraform/utils/bulk-sending-alerts.tf | 8 ++------ ci/terraform/utils/shared.tf | 3 +++ 3 files changed, 5 insertions(+), 7 deletions(-) delete mode 100644 ci/terraform/utils/account.tf diff --git a/ci/terraform/utils/account.tf b/ci/terraform/utils/account.tf deleted file mode 100644 index 239bc19c65..0000000000 --- a/ci/terraform/utils/account.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_iam_account_alias" "current" {} diff --git a/ci/terraform/utils/bulk-sending-alerts.tf b/ci/terraform/utils/bulk-sending-alerts.tf index ef7ca40215..4c621675f1 100644 --- a/ci/terraform/utils/bulk-sending-alerts.tf +++ b/ci/terraform/utils/bulk-sending-alerts.tf @@ -4,7 +4,7 @@ resource "aws_cloudwatch_metric_alarm" "lambda_error_rate_cloudwatch_alarm" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" threshold = var.lambda_log_alarm_error_rate_threshold - alarm_description = "Lambda error rate of ${var.lambda_log_alarm_error_rate_threshold} has been reached in the ${aws_lambda_function.bulk_user_email_send_lambda[0].function_name} lambda.ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" + alarm_description = "Lambda error rate of ${var.lambda_log_alarm_error_rate_threshold} has been reached in the ${aws_lambda_function.bulk_user_email_send_lambda[0].function_name} lambda.ACCOUNT: ${local.aws_account_alias}" metric_query { id = "e1" @@ -41,9 +41,5 @@ resource "aws_cloudwatch_metric_alarm" "lambda_error_rate_cloudwatch_alarm" { } } } - alarm_actions = [data.aws_sns_topic.slack_events.arn] + alarm_actions = [local.slack_event_sns_topic_arn] } - -data "aws_sns_topic" "slack_events" { - name = "${var.environment}-slack-events" -} \ No newline at end of file diff --git a/ci/terraform/utils/shared.tf b/ci/terraform/utils/shared.tf index 790641b879..089ad18bed 100644 
--- a/ci/terraform/utils/shared.tf +++ b/ci/terraform/utils/shared.tf @@ -25,4 +25,7 @@ locals { } common_passwords_encryption_policy_arn = data.terraform_remote_state.shared.outputs.common_passwords_encryption_policy_arn user_profile_kms_key_arn = data.terraform_remote_state.shared.outputs.user_profile_kms_key_arn + + slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn + aws_account_alias = data.terraform_remote_state.shared.outputs.aws_account_alias } From a91706851477d2eb565b86d871512ed87c3579a2 Mon Sep 17 00:00:00 2001 
From: Tom Whitwell Date: Mon, 9 Dec 2024 15:36:03 +0000 Subject: [PATCH 13/13] BAU: remove endpoint-module --- .../endpoint-module/.terraform.lock.hcl | 101 --------- .../modules/endpoint-module/README.md | 106 ---------- .../modules/endpoint-module/account.tf | 1 - .../modules/endpoint-module/alerts.tf | 93 --------- .../modules/endpoint-module/api-gateway.tf | 56 ----- .../modules/endpoint-module/dynatrace.tf | 26 --- .../modules/endpoint-module/lambda.tf | 135 ------------- .../modules/endpoint-module/outputs.tf | 11 - .../modules/endpoint-module/variables.tf | 191 ------------------ .../modules/endpoint-module/versions.tf | 1 - .../modules/endpoint-module/wait-for-alias.sh | 1 - 11 files changed, 722 deletions(-) delete mode 100644 ci/terraform/modules/endpoint-module/.terraform.lock.hcl delete mode 100644 ci/terraform/modules/endpoint-module/README.md delete mode 100644 ci/terraform/modules/endpoint-module/account.tf delete mode 100644 ci/terraform/modules/endpoint-module/alerts.tf delete mode 100644 ci/terraform/modules/endpoint-module/api-gateway.tf delete mode 100644 ci/terraform/modules/endpoint-module/dynatrace.tf delete mode 100644 ci/terraform/modules/endpoint-module/lambda.tf delete mode 100644 ci/terraform/modules/endpoint-module/outputs.tf delete mode 100644 ci/terraform/modules/endpoint-module/variables.tf delete mode 120000 ci/terraform/modules/endpoint-module/versions.tf delete mode 120000 ci/terraform/modules/endpoint-module/wait-for-alias.sh diff --git a/ci/terraform/modules/endpoint-module/.terraform.lock.hcl b/ci/terraform/modules/endpoint-module/.terraform.lock.hcl deleted file mode 100644 index 5663e4284a..0000000000 --- a/ci/terraform/modules/endpoint-module/.terraform.lock.hcl +++ /dev/null 
@@ -1,101 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.75.1" - constraints = "5.75.1" - hashes = [ - "h1:PIBnv1Mi0tX2GF6qUSdps3IouABeTqVgJZ4aAzIVzdI=", - "h1:R6IWpE+foH9oKVkmYVHtXxelMFOt5R60zmHmeXwkp6U=", - "h1:fr252BPFVqsCcVoLMN4PTVacXmrW3pbMlK1ibi/wHiU=", - "h1:ijX5mwbQZOnPVQGxxVsJs6Yh6h2w+V3mQmKznB6pIkw=", - "h1:uz55I4t3Pqy3p+82NZ35mkUA9mZ5yu4pS6beZMI8wpA=", - "zh:1075825e7311a8d2d233fd453a173910e891b0320e8a7698af44d1f90b02621d", - "zh:203c5d09a03fcaa946defb8459f01227f2fcda07df768f74777beb328d6751ae", - "zh:21bc79ccb09bfdeb711a3a5226c6c4a457ac7c4bb781dbda6ade7be38461739f", - "zh:2bac969855b62a0ff6716954be29387a1f9793626059122cda4681206396e309", - "zh:4b65ea5b51058f05b9ec8797f76184e19e5b38a609029fe2226af3fa4ad289b3", - "zh:5065d7df357fb3ee2b0a2520bbcff6335c0c47bfb9e8e9932bad088c3ab7efd3", - "zh:678a4015a4cd26af5c2b30dfd9290b8a01e900668fa0fec6585dfd1838f1cebd", - "zh:6ddc5dfdd4a0dddca027db99a7bfa9a0978933119d63af81acb6020728405119", - "zh:98c0d48b09842c444dbcbddd279e5b5b1e44113951817a8ecc28896bb4ad1dd7", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:aad169fea072842c0b54f1ff95f1ec6558d6c5af3ea4c159308583db59003b09", - "zh:bd2625ed8e1ff29ac6ed3a810d7b68a090add5fcb2fce4122669bd37e1eb9f1d", - "zh:c6f57625e26a6ef1ffb49bfa0e6148496ad12d80c857f6bb222e21f293a2a78a", - "zh:c7cd085326c5eb88804b11a4bc0fbc8376f06138f4b9624fb25cd06ea8687cdd", - "zh:f60c98139f983817d4d08f4138b1e53f31f91176ff638631e8dd38b6de36fce0", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.5.2" - constraints = "2.5.2" - hashes = [ - "h1:6NIiHWMbE9bFZaUiqC+OokdWSbW7g3+yQYnO4yvgtuY=", - "h1:6XyefmvbkprppmYbGmMcQW5NB4w6C363SSShzuhF4R0=", - "h1:IyFbOIO6mhikFNL/2h1iZJ6kyN3U00jgkpCLUCThAfE=", - "h1:JlMZD6nYqJ8sSrFfEAH0Vk/SL8WLZRmFaMUF9PJK5wM=", - "h1:p99F1AoV9z51aJ4EdItxz/vLwWIyhx/0Iw7L7sWSH1o=", - 
"zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", - "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", - "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", - "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", - "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", - "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", - "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", - "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", - "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", - "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.6.3" - constraints = "3.6.3" - hashes = [ - "h1:+UItZOLue/moJfnI3tqZBQbXUYR4ZnqPYfJDJPgLZy0=", - "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", - "h1:In4XBRMdhY89yUoTUyar3wDF28RJlDpQzdjahp59FAk=", - "h1:f6jXn4MCv67kgcofx9D49qx1ZEBv8oyvwKDMPBr0A24=", - "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", - "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", - "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", - "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", - "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", - "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", - "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", - "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", - "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", - 
"zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", - "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.12.1" - constraints = "0.12.1" - hashes = [ - "h1:6BhxSYBJdBBKyuqatOGkuPKVenfx6UmLdiI13Pb3his=", - "h1:JzYsPugN8Fb7C4NlfLoFu7BBPuRVT2/fCOdCaxshveI=", - "h1:VgFDnbNB6f13IXMkO9dRNNkcJFk0/SOM0e82qhO1e8I=", - "h1:j+ED7j0ZFJ4EDx7sdna76wsiIf397toylDN0dFi6v0U=", - "h1:ny87bLSd1q3AcQNBXmKhUHRBErwuPEX/nCa05C7tyF0=", - "zh:090023137df8effe8804e81c65f636dadf8f9d35b79c3afff282d39367ba44b2", - "zh:26f1e458358ba55f6558613f1427dcfa6ae2be5119b722d0b3adb27cd001efea", - "zh:272ccc73a03384b72b964918c7afeb22c2e6be22460d92b150aaf28f29a7d511", - "zh:438b8c74f5ed62fe921bd1078abe628a6675e44912933100ea4fa26863e340e9", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:85c8bd8eefc4afc33445de2ee7fbf33a7807bc34eb3734b8eefa4e98e4cddf38", - "zh:98bbe309c9ff5b2352de6a047e0ec6c7e3764b4ed3dfd370839c4be2fbfff869", - "zh:9c7bf8c56da1b124e0e2f3210a1915e778bab2be924481af684695b52672891e", - "zh:d2200f7f6ab8ecb8373cda796b864ad4867f5c255cff9d3b032f666e4c78f625", - "zh:d8c7926feaddfdc08d5ebb41b03445166df8c125417b28d64712dccd9feef136", - "zh:e2412a192fc340c61b373d6c20c9d805d7d3dee6c720c34db23c2a8ff0abd71b", - "zh:e6ac6bba391afe728a099df344dbd6481425b06d61697522017b8f7a59957d44", - ] -} diff --git a/ci/terraform/modules/endpoint-module/README.md b/ci/terraform/modules/endpoint-module/README.md deleted file mode 100644 index 2ff92cdc80..0000000000 --- a/ci/terraform/modules/endpoint-module/README.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Endpoint Lambda - -This module provisions a lambda from a java zip, the supporting logging and metrics infrastructure, and adds an endpoint to an API gateway. - -This module is designed to be used when a 'piecemeal' api gateway is being constructed (ie. not via [api-gateway](../api-gateway/)). - -Eventually, this module will consume [endpoint-lambda](../endpoint-lambda/), which this is an extension of. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.8 | -| [aws](#requirement\_aws) | 5.75.1 | -| [local](#requirement\_local) | 2.5.2 | -| [random](#requirement\_random) | 3.6.3 | -| [time](#requirement\_time) | 0.12.1 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 5.75.1 | -| [terraform](#provider\_terraform) | n/a | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_api_gateway_integration.endpoint_integration](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/api_gateway_integration) | resource | -| [aws_api_gateway_method.endpoint_method](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/api_gateway_method) | resource | -| [aws_api_gateway_resource.endpoint_resource](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/api_gateway_resource) | resource | -| [aws_appautoscaling_policy.provisioned-concurrency-policy](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/appautoscaling_policy) | resource | -| [aws_appautoscaling_target.lambda_target](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/appautoscaling_target) | resource | -| [aws_cloudwatch_log_group.lambda_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/cloudwatch_log_group) | resource | -| 
[aws_cloudwatch_log_metric_filter.lambda_error_metric_filter](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_subscription_filter.log_subscription](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/cloudwatch_log_subscription_filter) | resource | -| [aws_cloudwatch_metric_alarm.lambda_error_cloudwatch_alarm](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.lambda_error_rate_cloudwatch_alarm](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_lambda_alias.endpoint_lambda](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/lambda_alias) | resource | -| [aws_lambda_function.endpoint_lambda](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/lambda_function) | resource | -| [aws_lambda_permission.endpoint_execution_permission](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/lambda_permission) | resource | -| [aws_lambda_provisioned_concurrency_config.endpoint_lambda_concurrency_config](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/resources/lambda_provisioned_concurrency_config) | resource | -| [terraform_data.wait_for_alias](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | -| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/data-sources/iam_account_alias) | data source | -| [aws_secretsmanager_secret.dynatrace_secret](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/data-sources/secretsmanager_secret) | data source | -| 
[aws_secretsmanager_secret_version.dynatrace_secret](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/data-sources/secretsmanager_secret_version) | data source | -| [aws_sns_topic.slack_events](https://registry.terraform.io/providers/hashicorp/aws/5.75.1/docs/data-sources/sns_topic) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [authentication\_vpc\_arn](#input\_authentication\_vpc\_arn) | n/a | `string` | n/a | yes | -| [cloudwatch\_key\_arn](#input\_cloudwatch\_key\_arn) | The ARN of the KMS key to use log encryption | `string` | n/a | yes | -| [endpoint\_method](#input\_endpoint\_method) | n/a | `list(string)` | n/a | yes | -| [endpoint\_name](#input\_endpoint\_name) | n/a | `string` | n/a | yes | -| [environment](#input\_environment) | n/a | `string` | n/a | yes | -| [execution\_arn](#input\_execution\_arn) | n/a | `string` | n/a | yes | -| [handler\_environment\_variables](#input\_handler\_environment\_variables) | n/a | `map(string)` | n/a | yes | -| [handler\_function\_name](#input\_handler\_function\_name) | n/a | `string` | n/a | yes | -| [lambda\_env\_vars\_encryption\_kms\_key\_arn](#input\_lambda\_env\_vars\_encryption\_kms\_key\_arn) | n/a | `string` | n/a | yes | -| [lambda\_role\_arn](#input\_lambda\_role\_arn) | n/a | `string` | n/a | yes | -| [lambda\_zip\_file](#input\_lambda\_zip\_file) | n/a | `string` | n/a | yes | -| [lambda\_zip\_file\_version](#input\_lambda\_zip\_file\_version) | n/a | `string` | n/a | yes | -| [memory\_size](#input\_memory\_size) | n/a | `number` | n/a | yes | -| [path\_part](#input\_path\_part) | n/a | `string` | n/a | yes | -| [rest\_api\_id](#input\_rest\_api\_id) | n/a | `string` | n/a | yes | -| [root\_resource\_id](#input\_root\_resource\_id) | n/a | `string` | n/a | yes | -| [security\_group\_ids](#input\_security\_group\_ids) | The list of security group IDs to apply to the lambda | `list(string)` | n/a | 
yes | -| [source\_bucket](#input\_source\_bucket) | n/a | `string` | n/a | yes | -| [subnet\_id](#input\_subnet\_id) | The id of the subnets for the lambda | `list(string)` | n/a | yes | -| [api\_key\_required](#input\_api\_key\_required) | n/a | `bool` | `false` | no | -| [authorizer\_id](#input\_authorizer\_id) | n/a | `string` | `null` | no | -| [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | The number of day to retain Cloudwatch logs for | `number` | `30` | no | -| [code\_signing\_config\_arn](#input\_code\_signing\_config\_arn) | n/a | `any` | `null` | no | -| [create\_endpoint](#input\_create\_endpoint) | n/a | `bool` | `true` | no | -| [extra\_tags](#input\_extra\_tags) | Extra tags to apply to resources | `map(string)` | `{}` | no | -| [handler\_runtime](#input\_handler\_runtime) | n/a | `string` | `"java17"` | no | -| [integration\_request\_parameters](#input\_integration\_request\_parameters) | n/a | `map(string)` | `{}` | no | -| [lambda\_error\_rate\_alarm\_disabled](#input\_lambda\_error\_rate\_alarm\_disabled) | n/a | `bool` | `false` | no | -| [lambda\_log\_alarm\_error\_rate\_threshold](#input\_lambda\_log\_alarm\_error\_rate\_threshold) | The rate of errors in a lambda before generating a Cloudwatch alarm. 
Calculated by dividing the number of errors in a lambda divided by the number of invocations in a 60 second period | `number` | `10` | no | -| [lambda\_log\_alarm\_threshold](#input\_lambda\_log\_alarm\_threshold) | The number of errors in a lambda logs before generating a Cloudwatch alarm | `number` | `5` | no | -| [logging\_endpoint\_arn](#input\_logging\_endpoint\_arn) | Amazon Resource Name (ARN) for the endpoint to ship logs to | `string` | `""` | no | -| [logging\_endpoint\_arns](#input\_logging\_endpoint\_arns) | Amazon Resource Name (ARN) for the CSLS endpoints to ship logs to | `list(string)` | `[]` | no | -| [logging\_endpoint\_enabled](#input\_logging\_endpoint\_enabled) | Whether the Lambda should ship its logs to the `logging_endpoint_arn` | `bool` | `false` | no | -| [max\_provisioned\_concurrency](#input\_max\_provisioned\_concurrency) | n/a | `number` | `5` | no | -| [method\_request\_parameters](#input\_method\_request\_parameters) | n/a | `map(bool)` | `{}` | no | -| [provisioned\_concurrency](#input\_provisioned\_concurrency) | n/a | `number` | `0` | no | -| [runbook\_link](#input\_runbook\_link) | n/a | `string` | `""` | no | -| [scaling\_trigger](#input\_scaling\_trigger) | n/a | `number` | `0.7` | no | -| [wait\_for\_alias\_timeout](#input\_wait\_for\_alias\_timeout) | The number of seconds to wait for the alias to be created | `number` | `300` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [integration\_trigger\_value](#output\_integration\_trigger\_value) | n/a | -| [method\_trigger\_value](#output\_method\_trigger\_value) | n/a | -| [resource\_id](#output\_resource\_id) | n/a | - diff --git a/ci/terraform/modules/endpoint-module/account.tf b/ci/terraform/modules/endpoint-module/account.tf deleted file mode 100644 index 239bc19c65..0000000000 --- a/ci/terraform/modules/endpoint-module/account.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_iam_account_alias" "current" {} 
diff --git a/ci/terraform/modules/endpoint-module/alerts.tf b/ci/terraform/modules/endpoint-module/alerts.tf deleted file mode 100644 index e55be0e217..0000000000 --- a/ci/terraform/modules/endpoint-module/alerts.tf +++ /dev/null 
@@ -1,93 +0,0 @@ -resource "aws_cloudwatch_log_metric_filter" "lambda_error_metric_filter" { - name = replace("${var.environment}-${var.endpoint_name}-errors", ".", "") - pattern = "{($.level = \"ERROR\")}" - log_group_name = aws_cloudwatch_log_group.lambda_log_group.name - - metric_transformation { - name = replace("${var.environment}-${var.endpoint_name}-error-count", ".", "") - namespace = "LambdaErrorsNamespace" - value = "1" - } -} -moved { - from = aws_cloudwatch_log_metric_filter.lambda_error_metric_filter[0] - to = aws_cloudwatch_log_metric_filter.lambda_error_metric_filter -} - -locals { - base_error_alarm_description = "${var.lambda_log_alarm_threshold} or more errors have occurred in the ${var.environment} ${var.endpoint_name} lambda.ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" - error_alarm_description = var.runbook_link == "" ? local.base_error_alarm_description : "${local.base_error_alarm_description}. Runbook: ${var.runbook_link}" - base_error_rate_alarm_description = "Lambda error rate of ${var.lambda_log_alarm_error_rate_threshold} has been reached in the ${var.environment} ${var.endpoint_name} lambda.ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}" - error_rate_alarm_description = var.runbook_link == "" ? local.base_error_rate_alarm_description : "${local.base_error_rate_alarm_description}. 
Runbook: ${var.runbook_link}" -} - -resource "aws_cloudwatch_metric_alarm" "lambda_error_cloudwatch_alarm" { - alarm_name = replace("${var.environment}-${var.endpoint_name}-alarm", ".", "") - comparison_operator = "GreaterThanOrEqualToThreshold" - evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.lambda_error_metric_filter.metric_transformation[0].name - namespace = aws_cloudwatch_log_metric_filter.lambda_error_metric_filter.metric_transformation[0].namespace - period = "3600" - statistic = "Sum" - threshold = var.lambda_log_alarm_threshold - alarm_description = local.error_alarm_description - alarm_actions = [data.aws_sns_topic.slack_events.arn] - - tags = local.extra_tags -} -moved { - from = aws_cloudwatch_metric_alarm.lambda_error_cloudwatch_alarm[0] - to = aws_cloudwatch_metric_alarm.lambda_error_cloudwatch_alarm -} - -resource "aws_cloudwatch_metric_alarm" "lambda_error_rate_cloudwatch_alarm" { - count = var.lambda_error_rate_alarm_disabled ? 0 : 1 - alarm_name = replace("${var.environment}-${var.endpoint_name}-error-rate-alarm", ".", "") - comparison_operator = "GreaterThanOrEqualToThreshold" - evaluation_periods = "1" - threshold = var.lambda_log_alarm_error_rate_threshold - alarm_description = local.error_rate_alarm_description - - metric_query { - id = "e1" - return_data = true - expression = "m2/m1*100" - label = "Error Rate" - } - - metric_query { - id = "m1" - metric { - namespace = "AWS/Lambda" - metric_name = "Invocations" - period = 60 - stat = "Sum" - unit = "Count" - - dimensions = { - FunctionName = aws_lambda_function.endpoint_lambda.function_name - } - } - } - metric_query { - id = "m2" - metric { - namespace = "AWS/Lambda" - metric_name = "Errors" - period = 60 - stat = "Sum" - unit = "Count" - - dimensions = { - FunctionName = aws_lambda_function.endpoint_lambda.function_name - } - } - } - alarm_actions = [data.aws_sns_topic.slack_events.arn] - - tags = local.extra_tags -} - -data "aws_sns_topic" "slack_events" { - 
name = "${var.environment}-slack-events" -} diff --git a/ci/terraform/modules/endpoint-module/api-gateway.tf b/ci/terraform/modules/endpoint-module/api-gateway.tf deleted file mode 100644 index 576d5e05b9..0000000000 --- a/ci/terraform/modules/endpoint-module/api-gateway.tf +++ /dev/null 
@@ -1,56 +0,0 @@
-resource "aws_api_gateway_resource" "endpoint_resource" {
- count = var.create_endpoint ? 1 : 0
- rest_api_id = var.rest_api_id
- parent_id = var.root_resource_id
- path_part = var.path_part
-}
-
-resource "aws_api_gateway_method" "endpoint_method" {
- for_each = toset(var.endpoint_method)
- rest_api_id = var.rest_api_id
- resource_id = var.create_endpoint ? aws_api_gateway_resource.endpoint_resource[0].id : var.root_resource_id
- http_method = each.key
-
- authorization = var.authorizer_id == null ? "NONE" : "CUSTOM"
- authorizer_id = var.authorizer_id
-
- request_parameters = var.method_request_parameters
- api_key_required = var.api_key_required
- depends_on = [
- aws_api_gateway_resource.endpoint_resource
- ]
-}
-
-resource "aws_api_gateway_integration" "endpoint_integration" {
- for_each = toset(var.endpoint_method)
- rest_api_id = var.rest_api_id
- resource_id = var.create_endpoint ? aws_api_gateway_resource.endpoint_resource[0].id : var.root_resource_id
- http_method = aws_api_gateway_method.endpoint_method[each.key].http_method
- request_parameters = var.integration_request_parameters
-
- integration_http_method = "POST"
- type = "AWS_PROXY"
- uri = aws_lambda_alias.endpoint_lambda.invoke_arn
-
- depends_on = [
- aws_api_gateway_resource.endpoint_resource,
- aws_api_gateway_method.endpoint_method,
- aws_lambda_function.endpoint_lambda,
- ]
-}
-
-resource "aws_lambda_permission" "endpoint_execution_permission" {
- statement_id = "AllowAPIGatewayInvoke"
- action = "lambda:InvokeFunction"
- function_name = aws_lambda_function.endpoint_lambda.function_name
- principal = "apigateway.amazonaws.com"
- qualifier = aws_lambda_alias.endpoint_lambda.name
-
- # The "/*/*" portion grants access from any method on any resource
- # within the API Gateway REST API.
- source_arn = "${var.execution_arn}/*/*"
-
- depends_on = [
- aws_lambda_function.endpoint_lambda
- ]
-}
diff --git a/ci/terraform/modules/endpoint-module/dynatrace.tf b/ci/terraform/modules/endpoint-module/dynatrace.tf deleted file mode 100644 index ddab84019d..0000000000 --- a/ci/terraform/modules/endpoint-module/dynatrace.tf +++ /dev/null @@ -1,26 +0,0 @@ -data "aws_secretsmanager_secret" "dynatrace_secret" { - arn = var.environment == "production" ? local.dynatrace_production_secret : local.dynatrace_nonproduction_secret -} -data "aws_secretsmanager_secret_version" "dynatrace_secret" { - secret_id = data.aws_secretsmanager_secret.dynatrace_secret.id -} - -locals { - dynatrace_layer_arn = local.dynatrace_secret["JAVA_LAYER"] - dynatrace_environment_variables = { - AWS_LAMBDA_EXEC_WRAPPER = "/opt/dynatrace" - - DT_CONNECTION_AUTH_TOKEN = local.dynatrace_secret["DT_CONNECTION_AUTH_TOKEN"] - DT_CONNECTION_BASE_URL = local.dynatrace_secret["DT_CONNECTION_BASE_URL"] - DT_CLUSTER_ID = local.dynatrace_secret["DT_CLUSTER_ID"] - DT_TENANT = local.dynatrace_secret["DT_TENANT"] - DT_LOG_COLLECTION_AUTH_TOKEN = local.dynatrace_secret["DT_LOG_COLLECTION_AUTH_TOKEN"] - - DT_OPEN_TELEMETRY_ENABLE_INTEGRATION = "true" - } - - dynatrace_production_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables" - dynatrace_nonproduction_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables" - - dynatrace_secret = jsondecode(data.aws_secretsmanager_secret_version.dynatrace_secret.secret_string) -} diff --git a/ci/terraform/modules/endpoint-module/lambda.tf b/ci/terraform/modules/endpoint-module/lambda.tf deleted file mode 100644 index 2fefbaf393..0000000000 --- a/ci/terraform/modules/endpoint-module/lambda.tf +++ /dev/null 
@@ -1,135 +0,0 @@ -resource "aws_lambda_function" "endpoint_lambda" { - function_name = replace("${var.environment}-${var.endpoint_name}-lambda", ".", "") - role = var.lambda_role_arn - handler = var.handler_function_name - timeout = 30 - memory_size = var.memory_size - publish = true - - tracing_config { - mode = "Active" - } - - s3_bucket = var.source_bucket - s3_key = var.lambda_zip_file - s3_object_version = var.lambda_zip_file_version - - code_signing_config_arn = var.code_signing_config_arn - - layers = local.lambda_layers - - vpc_config { - security_group_ids = var.security_group_ids - subnet_ids = var.subnet_id - } - environment { - variables = merge( - var.handler_environment_variables, - local.deploy_dynatrace ? local.dynatrace_environment_variables : {}, - { - JAVA_TOOL_OPTIONS = "-XX:+TieredCompilation -XX:TieredStopAtLevel=1 '--add-reads=jdk.jfr=ALL-UNNAMED'" - }) - } - kms_key_arn = var.lambda_env_vars_encryption_kms_key_arn - - runtime = var.handler_runtime - - tags = local.extra_tags -} - -resource "aws_cloudwatch_log_group" "lambda_log_group" { - name = "/aws/lambda/${aws_lambda_function.endpoint_lambda.function_name}" - tags = var.extra_tags - kms_key_id = var.cloudwatch_key_arn - retention_in_days = var.cloudwatch_log_retention - - depends_on = [ - aws_lambda_function.endpoint_lambda - ] -} - -moved { - from = aws_cloudwatch_log_group.lambda_log_group[0] - to = aws_cloudwatch_log_group.lambda_log_group -} - -resource "aws_cloudwatch_log_subscription_filter" "log_subscription" { - count = length(var.logging_endpoint_arns) - name = "${var.endpoint_name}-log-subscription-${count.index}" - log_group_name = aws_cloudwatch_log_group.lambda_log_group.name - filter_pattern = "" - destination_arn = var.logging_endpoint_arns[count.index] - - lifecycle { - create_before_destroy = false - } -} - -resource "aws_lambda_alias" "endpoint_lambda" { - name = replace("${var.environment}-${var.endpoint_name}-lambda-active", ".", "") - description = "Alias pointing 
at active version of Lambda" - function_name = aws_lambda_function.endpoint_lambda.arn - function_version = aws_lambda_function.endpoint_lambda.version -} - -resource "terraform_data" "wait_for_alias" { - triggers_replace = [aws_lambda_function.endpoint_lambda.version] - - depends_on = [aws_lambda_alias.endpoint_lambda] - - provisioner "local-exec" { - command = "timeout ${var.wait_for_alias_timeout} bash ${path.module}/wait-for-alias.sh ${aws_lambda_function.endpoint_lambda.function_name} ${aws_lambda_alias.endpoint_lambda.name} ${var.wait_for_alias_timeout}" - on_failure = fail - } -} - -resource "aws_lambda_provisioned_concurrency_config" "endpoint_lambda_concurrency_config" { - count = var.provisioned_concurrency == 0 ? 0 : 1 - - function_name = aws_lambda_function.endpoint_lambda.function_name - qualifier = aws_lambda_alias.endpoint_lambda.name - - provisioned_concurrent_executions = var.provisioned_concurrency - - lifecycle { - ignore_changes = [provisioned_concurrent_executions] # Ignoring as this is targeted by aws_app_autoscaling_target.lambda_target resource - } - - depends_on = [terraform_data.wait_for_alias] -} - -resource "aws_appautoscaling_target" "lambda_target" { - count = var.max_provisioned_concurrency > var.provisioned_concurrency ? 1 : 0 - - max_capacity = var.max_provisioned_concurrency - min_capacity = var.provisioned_concurrency - resource_id = "function:${aws_lambda_function.endpoint_lambda.function_name}:${aws_lambda_alias.endpoint_lambda.name}" - scalable_dimension = "lambda:function:ProvisionedConcurrency" - service_namespace = "lambda" - - depends_on = [aws_lambda_provisioned_concurrency_config.endpoint_lambda_concurrency_config] - tags = local.extra_tags -} - -resource "aws_appautoscaling_policy" "provisioned-concurrency-policy" { - count = var.max_provisioned_concurrency > var.provisioned_concurrency ? 
1 : 0 - - name = "LambdaProvisonedConcurrency:${aws_lambda_function.endpoint_lambda.function_name}" - resource_id = aws_appautoscaling_target.lambda_target[0].resource_id - scalable_dimension = aws_appautoscaling_target.lambda_target[0].scalable_dimension - service_namespace = aws_appautoscaling_target.lambda_target[0].service_namespace - policy_type = "TargetTrackingScaling" - - target_tracking_scaling_policy_configuration { - target_value = var.scaling_trigger - predefined_metric_specification { - predefined_metric_type = "LambdaProvisionedConcurrencyUtilization" - } - } - depends_on = [aws_lambda_provisioned_concurrency_config.endpoint_lambda_concurrency_config] -} - -locals { - deploy_dynatrace = true - lambda_layers = flatten(local.deploy_dynatrace ? [local.dynatrace_layer_arn] : []) -} diff --git a/ci/terraform/modules/endpoint-module/outputs.tf b/ci/terraform/modules/endpoint-module/outputs.tf deleted file mode 100644 index 78927d9b09..0000000000 --- a/ci/terraform/modules/endpoint-module/outputs.tf +++ /dev/null @@ -1,11 +0,0 @@ -output "resource_id" { - value = var.create_endpoint ? aws_api_gateway_resource.endpoint_resource[0].id : var.root_resource_id -} - -output "integration_trigger_value" { - value = jsonencode(aws_api_gateway_integration.endpoint_integration) -} - -output "method_trigger_value" { - value = jsonencode(aws_api_gateway_method.endpoint_method) -} diff --git a/ci/terraform/modules/endpoint-module/variables.tf b/ci/terraform/modules/endpoint-module/variables.tf deleted file mode 100644 index 7ec63215bc..0000000000 --- a/ci/terraform/modules/endpoint-module/variables.tf +++ /dev/null 
@@ -1,191 +0,0 @@ -variable "endpoint_name" { - type = string -} - -variable "path_part" { - type = string -} - -variable "method_request_parameters" { - type = map(bool) - default = {} -} - -variable "create_endpoint" { - type = bool - default = true -} - -variable "api_key_required" { - type = bool - default = false -} - -variable "integration_request_parameters" { - type = map(string) - default = {} -} - -variable "endpoint_method" { - type = list(string) -} - -variable "source_bucket" { - type = string -} - -variable "lambda_zip_file" { - type = string -} - -variable "lambda_zip_file_version" { - type = string -} - -variable "handler_function_name" { - type = string -} - -variable "handler_environment_variables" { - type = map(string) -} - -variable "handler_runtime" { - type = string - default = "java17" -} - -variable "rest_api_id" { - type = string -} - -variable "root_resource_id" { - type = string -} - -variable "execution_arn" { - type = string -} - -variable "environment" { - type = string -} - -variable "authentication_vpc_arn" { - type = string -} - -variable "security_group_ids" { - type = list(string) - description = "The list of security group IDs to apply to the lambda" -} - -variable "subnet_id" { - type = list(string) - description = "The id of the subnets for the lambda" -} - -variable "lambda_role_arn" { - type = string -} - -variable "logging_endpoint_enabled" { - type = bool - default = false - description = "Whether the Lambda should ship its logs to the `logging_endpoint_arn`" -} - -variable "logging_endpoint_arn" { - type = string - default = "" - description = "Amazon Resource Name (ARN) for the endpoint to ship logs to" -} - -variable "logging_endpoint_arns" { - type = list(string) - default = [] - description = "Amazon Resource Name (ARN) for the CSLS endpoints to ship logs to" -} - -variable "extra_tags" { - default = {} - type = map(string) - description = "Extra tags to apply to resources" -} - -locals { - extra_tags = merge( - 
var.extra_tags, - { - Service = var.endpoint_name - } - ) -} - - -variable "authorizer_id" { - type = string - default = null -} - -variable "cloudwatch_key_arn" { - type = string - description = "The ARN of the KMS key to use log encryption" -} - -variable "cloudwatch_log_retention" { - default = 30 - type = number - description = "The number of day to retain Cloudwatch logs for" -} - -variable "lambda_log_alarm_threshold" { - type = number - description = "The number of errors in a lambda logs before generating a Cloudwatch alarm" - default = 5 -} - -variable "lambda_log_alarm_error_rate_threshold" { - type = number - description = "The rate of errors in a lambda before generating a Cloudwatch alarm. Calculated by dividing the number of errors in a lambda divided by the number of invocations in a 60 second period" - default = 10 -} - -variable "lambda_error_rate_alarm_disabled" { - type = bool - default = false -} - -variable "lambda_env_vars_encryption_kms_key_arn" { - type = string -} - -variable "code_signing_config_arn" { - default = null -} - -variable "memory_size" { - type = number -} - -variable "provisioned_concurrency" { - default = 0 -} - -variable "max_provisioned_concurrency" { - default = 5 -} - -variable "scaling_trigger" { - default = 0.7 -} - -variable "runbook_link" { - default = "" -} - -variable "wait_for_alias_timeout" { - type = number - description = "The number of seconds to wait for the alias to be created" - default = 300 -} diff --git a/ci/terraform/modules/endpoint-module/versions.tf b/ci/terraform/modules/endpoint-module/versions.tf deleted file mode 120000 index b7707ec81b..0000000000 --- a/ci/terraform/modules/endpoint-module/versions.tf +++ /dev/null @@ -1 +0,0 @@ -../../versions.tf \ No newline at end of file diff --git a/ci/terraform/modules/endpoint-module/wait-for-alias.sh b/ci/terraform/modules/endpoint-module/wait-for-alias.sh deleted file mode 120000 index 3417c94bee..0000000000 
--- a/ci/terraform/modules/endpoint-module/wait-for-alias.sh +++ /dev/null @@ -1 +0,0 @@ -../endpoint-lambda/wait-for-alias.sh \ No newline at end of file