From e60b34d36ca10235f55d2b83f2ec52053706fd0c Mon Sep 17 00:00:00 2001 
From: Dan Pantry
Date: Fri, 23 Feb 2024 20:30:04 -0800
Subject: [PATCH] Move Terraform configuration out of repository
---
.gitignore | 34 +-----
README.md | 101 ------------------
example.env | 6 --
git-hooks/pre-commit | 2 -
.../modules/frontend/.terraform.lock.hcl | 25 -----
terraform/modules/frontend/bucket.tf | 45 --------
terraform/modules/frontend/cloudfront.tf | 50 ---------
terraform/modules/frontend/outputs.tf | 3 -
terraform/modules/frontend/variables.tf | 23 ----
terraform/modules/frontend/versions.tf | 9 --
terraform/modules/frontend/wafclassic.tf | 19 ----
.../modules/kitchensink/.terraform.lock.hcl | 25 -----
terraform/modules/kitchensink/iam.tf | 42 --------
terraform/modules/kitchensink/main.tf | 61 -----------
terraform/modules/kitchensink/outputs.tf | 7 --
terraform/modules/kitchensink/variables.tf | 71 ------------
terraform/modules/kitchensink/versions.tf | 9 --
.../list_applications/.terraform.lock.hcl | 25 -----
terraform/modules/list_applications/lambda.tf | 20 ----
.../modules/list_applications/loadbalancer.tf | 32 ------
.../modules/list_applications/variables.tf | 28 -----
.../modules/list_applications/versions.tf | 9 --
.../modules/loadbalancer/.terraform.lock.hcl | 25 -----
.../modules/loadbalancer/loadbalancer.tf | 39 -------
terraform/modules/loadbalancer/outputs.tf | 7 --
terraform/modules/loadbalancer/variables.tf | 11 --
terraform/modules/loadbalancer/versions.tf | 9 --
27 files changed, 2 insertions(+), 735 deletions(-)
delete mode 100755 git-hooks/pre-commit
delete mode 100644 terraform/modules/frontend/.terraform.lock.hcl
delete mode 100644 terraform/modules/frontend/bucket.tf
delete mode 100644 terraform/modules/frontend/cloudfront.tf
delete mode 100644 terraform/modules/frontend/outputs.tf
delete mode 100644 terraform/modules/frontend/variables.tf
delete mode 100644 terraform/modules/frontend/versions.tf
delete mode 100644 terraform/modules/frontend/wafclassic.tf
delete mode 100644 terraform/modules/kitchensink/.terraform.lock.hcl
delete mode 100644 terraform/modules/kitchensink/iam.tf
delete mode 100644 terraform/modules/kitchensink/main.tf
delete mode 100644 terraform/modules/kitchensink/outputs.tf
delete mode 100644 terraform/modules/kitchensink/variables.tf
delete mode 100644 terraform/modules/kitchensink/versions.tf
delete mode 100644 terraform/modules/list_applications/.terraform.lock.hcl
delete mode 100644 terraform/modules/list_applications/lambda.tf
delete mode 100644 terraform/modules/list_applications/loadbalancer.tf
delete mode 100644 terraform/modules/list_applications/variables.tf
delete mode 100644 terraform/modules/list_applications/versions.tf
delete mode 100644 terraform/modules/loadbalancer/.terraform.lock.hcl
delete mode 100644 terraform/modules/loadbalancer/loadbalancer.tf
delete mode 100644 terraform/modules/loadbalancer/outputs.tf
delete mode 100644 terraform/modules/loadbalancer/variables.tf
delete mode 100644 terraform/modules/loadbalancer/versions.tf
diff --git a/.gitignore b/.gitignore
index e399bf15..94c59ed6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,8 +12,8 @@ api/lambdas/get_user_data/get_user_data
 *.bak
 .vscode
-# Created by https://www.gitignore.io/api/go,vim,osx,node,emacs,windows,terraform
-# Edit at https://www.gitignore.io/?templates=go,vim,osx,node,emacs,windows,terraform
+# Created by https://www.gitignore.io/api/go,vim,osx,node,emacs,windows
+# Edit at https://www.gitignore.io/?templates=go,vim,osx,node,emacs,windows
 ### Emacs ###
 # -*- mode: gitignore; -*-
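Review bot: Dropping the `terraform` template from this header (and, in the next hunk, the `*.tfstate`, `*.tfstate.*` and `**/.terraform/*` patterns) removes a cheap guard against committing Terraform state, while `example.env` still runs `tfswitch $TF_VERSION` after this commit, so Terraform is evidently still expected to be invoked from a checkout. State files can contain resource attributes in plaintext, including values marked sensitive, and `.terraform/` holds downloaded provider binaries, so a stray `terraform init` or `apply` inside the tree would now be one `git add -A` away from history. I would keep a short block after `.vscode`: `*.tfstate`, `*.tfstate.*` and `**/.terraform/*`, with a comment noting it only guards against an out-of-tree module being run from inside this checkout. If the `tfswitch` line is removed from `example.env` as well, the block can follow it.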
@@ -198,36 +198,6 @@ Network Trash Folder
 Temporary Items
 .apdisk
-### Terraform ###
-# Local .terraform directories
-**/.terraform/*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-
-# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
-# .tfvars files are managed as part of configuration and so should be included in
-# version control.
-#
-# example.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
 ### Vim ###
 # Swap
 [._]*.s[a-v][a-z]
diff --git a/README.md b/README.md
index 94ce0ba1..9aded5ab 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,6 @@ aws s3api create-bucket --bucket --region us-west-2 --c
 - go 1.20+
 - node 16.17.0+
-- terraform 1.3.7+
 ## Setting Up Your Variable Files
@@ -88,103 +87,3 @@ We advise against using environment variables for secrets in AWS Lambda as they | OKTA_HOST | The hostname of your Okta instance. We'd recommend using a vanity domain, such as https://singlesignon.example.com. | | OKTA_TOKEN | A token from Okta that has the `okta.apps.read` scope. | | SETTINGS_PROVIDER | This must be set to 'env' for the Lambda functions to read from the environment. | - -# Deploying - -These steps assume you created `prod.env` as instructed above. - -## First Deploy - -You'll need to create a Terraform module which references KeyConjurer. We recommend you do this outside of the KeyConjurer folder itself and check your Terraform configuration into source control. An example module that uses KeyConjurer might look like this: - - -```hcl -resource "aws_acm_certificate" "api-cert" { - domain_name = "api.keyconjurer.example.com" - validation_method = "EMAIL" - lifecycle { - create_before_destroy = true - } -} - -resource "aws_acm_certificate_validation" "api-cert" { - certificate_arn = aws_acm_certificate.api-cert.arn -} - -resource "aws_acm_certificate" "frontend-cert" { - domain_name = "keyconjurer.example.com" - validation_method = "EMAIL" - lifecycle { - create_before_destroy = true - } -} - -resource "aws_acm_certificate_validation" "frontend-cert" { - certificate_arn = aws_acm_certificate.frontend-cert.arn -} - -module "keyconjurer-production" { - source = "./Key-Conjurer/terraform/modules/kitchensink" - api_cert = aws_acm_certificate.development-cert.arn - api_domain = aws_acm_certificate.development-cert.domain_name - frontend_cert = aws_acm_certificate.frontend-cert.arn - frontend_domain = aws_acm_certificate.frontend-cert.domain_name - vpc_id = "vpc-xxxxxx" - subnets = ["subnet-xxxxxx", "subnet-xxxxxx", "subnet-xxxxxx"] - s3_tf_bucket = "" - kms_key_arn = data.aws_kms_key.development.arn - - lambda_env = { - VAULT_ADDR = "" - VAULT_ROLE_NAME = " - VAULT_SECRET_MOUNT_PATH = "" - VAULT_SECRET_PATH = "" - VAULT_AWS_AUTH_PATH 
= "" - } - - lb_security_group_ids = [] - depends_on = [ - aws_acm_certificate_validation.frontend-cert - aws_acm_certificate_validation.api-cert - ] -} -``` - -After modifying `example.env` to your liking, we would recommend renaming this to `prod.env`. You can then deploy KeyConjurer using the following steps: - -``` -$ pwd -/key-conjurer -$ make build -$ cd terraform -/key-conjurer -$ make upload -$ /your/key-conjurer/terraform/folder -$ terraform apply -``` - -During your initial deployment, you may need to verify the domain name you've created. This is left as an exercise to the reader; the only thing KeyConjurer requires is _two_ ACM certificates: - -1. One for the frontend Cloudfront distribution -2. One for the Load Balancer. - -## Future Deploys - -Similar to the above steps: - -``` -$ pwd -/key-conjurer -$ make build -$ cd terraform -/key-conjurer -$ make upload -$ /your/key-conjurer/terraform/folder -$ terraform apply -``` - -## Noteworthy Info - -* `frontend` serves the CLI tool. This means the binaries created in `cli` need to be uploaded to the same bucket that's used to serve the frontend. -* KeyConjurer's Terraform will create an ACL by default unless `create_waf_acl` is set to _false_ and a WAF ACL is provided using `waf_acl_id`. This default ACL will **block all connections**. -* Both a Load Balancer Security Group and a WAF are used to control connections to KeyConjurer. These both need to agree on the IP ranges to allow to KeyConjurer, otherwise you may end up in a situation where a user can access the frontend or use KeyConjurer from the CLI, but not both. diff --git a/example.env b/example.env index c410f339..3e559762 100644 --- a/example.env +++ b/example.env 
@@ -5,12 +5,6 @@ tfswitch $TF_VERSION > /dev/null
 export RELEASE='prod'
-# The backend bucket in terraform/main.tf needs to be set to the same value
-# because you cannot use a variable for that value in terraform
-export S3_TF_BUCKET_NAME=''
-export S3_TF_BUCKET_TAGS="TagSet=[{Key=Name,Value=keyconjurer}]"
-export S3_FRONTEND_BUCKET=''
-
 export LOGSTASH_ENDPOINT=''
 export SECRETS_RETRIEVER='kms_blob'
diff --git a/git-hooks/pre-commit b/git-hooks/pre-commit
deleted file mode 100755
index a7151ff6..00000000
--- a/git-hooks/pre-commit
+++ /dev/null
@@ -1,2 +0,0 @@
-terraform fmt **/*.tf
-cd frontend && npm run fmt && cd -
diff --git a/terraform/modules/frontend/.terraform.lock.hcl b/terraform/modules/frontend/.terraform.lock.hcl
deleted file mode 100644
index ea5e241c..00000000
--- a/terraform/modules/frontend/.terraform.lock.hcl
+++ /dev/null
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.52.0" - constraints = "4.52.0" - hashes = [ - "h1:Ofm8syFCBU8MFOiU+zg+vnTWkSdozpmvaA9xukNvcBg=", - "zh:00c865de3a0e7643f4e2e5c8d4ba91eee94a46d41090eb134baca6b58c107172", - "zh:1430682e26eba25d8ace19fa780361187f474153e455545235b4fe30637fdcc2", - "zh:1b9a4e5c889bd2022bd59fb924dc78e189f1b7a4fd718fcacda0f0a4cb74d6eb", - "zh:2485260141608f1d386d0f68934092bbf68a27d96f0d83c73222d0382aee02f5", - "zh:2fe67ee94e2df7dabee7e474356f8e907e7c8011533f9d71df8702d59f9060b2", - "zh:37babd1b7ff96ff1f42aa56d7575cacabda6f9f460ff651d70662bfd90076341", - "zh:54aa8d39f22ecab6613169f49d37d2ccfaf417e59dd7a8c8fc6bf92600c3384f", - "zh:5bf4a84b962a8d2da8f4ccf2a7de56fb6c7a1f566e8393b563977fc7872a8740", - "zh:8cb4a51f209a3cc497e53f09188c15c6675697587fe2ea14a6c7fff10c8c8476", - "zh:91f6bdcbb1e36471140982e9048b7ced437d3290b2cc21079e5429cc84fed2fd", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9f8c01c3f677bc64ddefa41e59c6fc98860c11875d7f148af55969d3e3847f77", - "zh:b6b4fc0bd6f3c0adcd9531da3ccf8c25787ccd6ccc568f13ebbff1336d71a9e1", - "zh:d52a428bd92cc319088685ecac63b9f7d12d4cd6725604edb20d0c4f37a9936e", - "zh:e20252a851a0d38548a3c01a006bfc59ee1fc84217bf9eb95b22724769601b2b", - ] -} diff --git a/terraform/modules/frontend/bucket.tf b/terraform/modules/frontend/bucket.tf deleted file mode 100644 index f04df9d5..00000000 --- a/terraform/modules/frontend/bucket.tf +++ /dev/null 
@@ -1,45 +0,0 @@
-resource "aws_s3_bucket" "keyconjurer_frontend" {
- bucket = var.bucket_name
-}
-
-data "aws_iam_policy_document" "frontend_bucket_policy" {
- statement {
- sid = "Cloudfront Access"
- actions = ["s3:GetObject"]
- resources = ["${aws_s3_bucket.keyconjurer_frontend.arn}/*"]
- principals {
- type = "CanonicalUser"
- identifiers = [aws_cloudfront_origin_access_identity.keyconjurer_identity.s3_canonical_user_id]
- }
- }
-
- statement {
- sid = "CI Upload"
- actions = ["s3:PutObject"]
- resources = ["${aws_s3_bucket.keyconjurer_frontend.arn}/*"]
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.account_number}:role/infosec_ci"]
- }
- }
-}
-
-resource "aws_s3_bucket_policy" "frontend_bucket" {
- bucket = aws_s3_bucket.keyconjurer_frontend.bucket
- policy = data.aws_iam_policy_document.frontend_bucket_policy.json
-}
-
-
-resource "aws_s3_bucket_acl" "frontend_bucket" {
- bucket = aws_s3_bucket.keyconjurer_frontend.bucket
- acl = "private"
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "frontend_bucket" {
- bucket = aws_s3_bucket.keyconjurer_frontend.bucket
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
-}
diff --git a/terraform/modules/frontend/cloudfront.tf b/terraform/modules/frontend/cloudfront.tf
deleted file mode 100644
index 449fd130..00000000
--- a/terraform/modules/frontend/cloudfront.tf
+++ /dev/null
@@ -1,50 +0,0 @@
-resource "aws_cloudfront_origin_access_identity" "keyconjurer_identity" {
- comment = "Key Conjurer bucket access"
-}
-
-resource "aws_cloudfront_distribution" "keyconjurer_distribution" {
- enabled = true
- default_root_object = "index.html"
- // US, Canada, Europe only
- price_class = "PriceClass_100"
- aliases = [var.domain]
-
- origin {
- domain_name = aws_s3_bucket.keyconjurer_frontend.bucket_regional_domain_name
- origin_id = "keyconjurer-origin"
-
- s3_origin_config {
- origin_access_identity = aws_cloudfront_origin_access_identity.keyconjurer_identity.cloudfront_access_identity_path
- }
- }
-
- default_cache_behavior {
- allowed_methods = ["GET", "HEAD"]
- cached_methods = ["GET", "HEAD"]
- default_ttl = 300 // 5 minutes
- max_ttl = 300 // 5 minutes
- target_origin_id = "keyconjurer-origin"
- viewer_protocol_policy = "redirect-to-https"
-
- forwarded_values {
- query_string = false
-
- cookies {
- forward = "none"
- }
- }
- }
-
- restrictions {
- geo_restriction {
- restriction_type = "none"
- }
- }
-
- viewer_certificate {
- acm_certificate_arn = var.certificate_arn
- ssl_support_method = "sni-only"
- }
-
- web_acl_id = var.create_waf_acl ? aws_waf_web_acl.keyconjurer_waf_acl[0].id : var.waf_acl_id
-}
diff --git a/terraform/modules/frontend/outputs.tf b/terraform/modules/frontend/outputs.tf
deleted file mode 100644
index e704f62c..00000000
--- a/terraform/modules/frontend/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "domain_name" {
- value = aws_cloudfront_distribution.keyconjurer_distribution.domain_name
-}
diff --git a/terraform/modules/frontend/variables.tf b/terraform/modules/frontend/variables.tf
deleted file mode 100644
index ad78f0c8..00000000
--- a/terraform/modules/frontend/variables.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-variable "create_waf_acl" {
- type = bool
-}
-
-variable "bucket_name" {
- type = string
-}
-
-variable "certificate_arn" {
- type = string
-}
-
-variable "domain" {
- type = string
-}
-
-variable "account_number" {
- type = string
-}
-
-variable "waf_acl_id" {
- type = string
-}
diff --git a/terraform/modules/frontend/versions.tf b/terraform/modules/frontend/versions.tf
deleted file mode 100644
index f5aca969..00000000
--- a/terraform/modules/frontend/versions.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-terraform {
- required_version = ">= 1.3.7"
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.52.0"
- }
- }
-}
diff --git a/terraform/modules/frontend/wafclassic.tf b/terraform/modules/frontend/wafclassic.tf
deleted file mode 100644
index a211776f..00000000
--- a/terraform/modules/frontend/wafclassic.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-resource "aws_waf_ipset" "ipset" {
- count = var.create_waf_acl == true ? 1 : 0
- name = "keyconjurer-tfIPSet"
-
- ip_set_descriptors {
- type = "IPV4"
- value = "127.0.0.1/32"
- }
-}
-
-resource "aws_waf_web_acl" "keyconjurer_waf_acl" {
- count = var.create_waf_acl == true ? 1 : 0
- name = "KeyConjurerWAFWebACL"
- metric_name = "KeyConjurerWAFWebACL"
-
- default_action {
- type = "BLOCK"
- }
-}
diff --git a/terraform/modules/kitchensink/.terraform.lock.hcl b/terraform/modules/kitchensink/.terraform.lock.hcl
deleted file mode 100644
index ea5e241c..00000000
--- a/terraform/modules/kitchensink/.terraform.lock.hcl
+++ /dev/null
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.52.0" - constraints = "4.52.0" - hashes = [ - "h1:Ofm8syFCBU8MFOiU+zg+vnTWkSdozpmvaA9xukNvcBg=", - "zh:00c865de3a0e7643f4e2e5c8d4ba91eee94a46d41090eb134baca6b58c107172", - "zh:1430682e26eba25d8ace19fa780361187f474153e455545235b4fe30637fdcc2", - "zh:1b9a4e5c889bd2022bd59fb924dc78e189f1b7a4fd718fcacda0f0a4cb74d6eb", - "zh:2485260141608f1d386d0f68934092bbf68a27d96f0d83c73222d0382aee02f5", - "zh:2fe67ee94e2df7dabee7e474356f8e907e7c8011533f9d71df8702d59f9060b2", - "zh:37babd1b7ff96ff1f42aa56d7575cacabda6f9f460ff651d70662bfd90076341", - "zh:54aa8d39f22ecab6613169f49d37d2ccfaf417e59dd7a8c8fc6bf92600c3384f", - "zh:5bf4a84b962a8d2da8f4ccf2a7de56fb6c7a1f566e8393b563977fc7872a8740", - "zh:8cb4a51f209a3cc497e53f09188c15c6675697587fe2ea14a6c7fff10c8c8476", - "zh:91f6bdcbb1e36471140982e9048b7ced437d3290b2cc21079e5429cc84fed2fd", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9f8c01c3f677bc64ddefa41e59c6fc98860c11875d7f148af55969d3e3847f77", - "zh:b6b4fc0bd6f3c0adcd9531da3ccf8c25787ccd6ccc568f13ebbff1336d71a9e1", - "zh:d52a428bd92cc319088685ecac63b9f7d12d4cd6725604edb20d0c4f37a9936e", - "zh:e20252a851a0d38548a3c01a006bfc59ee1fc84217bf9eb95b22724769601b2b", - ] -} diff --git a/terraform/modules/kitchensink/iam.tf b/terraform/modules/kitchensink/iam.tf deleted file mode 100644 index 48e800b9..00000000 --- a/terraform/modules/kitchensink/iam.tf +++ /dev/null @@ -1,42 +0,0 @@ -resource "aws_iam_role" "keyconjurer-lambda" { - name = var.lambda_execution_role_name - description = "Used by KeyConjurer Lambda functions to access protected resources" - assume_role_policy = <