From 2d35f916b3f6a9dcbf37d10c0d9fe236692f1bac Mon Sep 17 00:00:00 2001 
From: Andrew Pearce Date: Thu, 1 Feb 2024 09:22:47 +0000 Subject: [PATCH 1/3] MLPAB-1758 - add docs for all modules (#1015) * add docs for all modules * insert comments for terraform docs management of docs * add terraform-docs pre-commit hooks for terraform roots and modules --- .pre-commit-config.yaml | 19 +- terraform/account/.terraform-docs.yml | 8 + terraform/account/README.md | 110 ++++++++++++ terraform/account/region/.terraform-docs.yml | 8 + terraform/account/region/README.md | 112 ++++++++++++ .../modules/antivirus_definitions/README.md | 65 +++++++ .../region/modules/dns_firewall/README.md | 51 ++++++ .../modules/s3_batch_manifests/README.md | 48 +++++ .../s3_bucket_event_notifications/README.md | 46 +++++ terraform/environment/.terraform-docs.yml | 8 + terraform/environment/README.md | 89 +++++++++- .../environment/global/.terraform-docs.yml | 8 + terraform/environment/global/README.md | 105 +++++++++++ .../environment/region/.terraform-docs.yml | 8 + terraform/environment/region/README.md | 168 ++++++++++++------ .../environment/region/modules/app/README.md | 151 +++++++++------- .../region/modules/application_logs/README.md | 45 ++--- .../region/modules/ecs_autoscaling/README.md | 68 +++---- .../region/modules/event_bus/README.md | 54 ++++++ .../region/modules/event_received/README.md | 66 +++++++ .../region/modules/lambda/README.md | 63 +++++++ .../region/modules/mock_onelogin/README.md | 79 ++++++++ .../region/modules/s3_antivirus/README.md | 61 +++++++ .../modules/uploads_s3_bucket/README.md | 79 ++++++++ 24 files changed, 1347 insertions(+), 172 deletions(-) create mode 100644 terraform/account/.terraform-docs.yml create mode 100644 terraform/account/region/.terraform-docs.yml create mode 100644 terraform/account/region/README.md create mode 100644 terraform/account/region/modules/antivirus_definitions/README.md create mode 100644 terraform/account/region/modules/dns_firewall/README.md create mode 100644 
terraform/account/region/modules/s3_batch_manifests/README.md create mode 100644 terraform/account/region/modules/s3_bucket_event_notifications/README.md create mode 100644 terraform/environment/.terraform-docs.yml create mode 100644 terraform/environment/global/.terraform-docs.yml create mode 100644 terraform/environment/global/README.md create mode 100644 terraform/environment/region/.terraform-docs.yml create mode 100644 terraform/environment/region/modules/event_received/README.md create mode 100644 terraform/environment/region/modules/lambda/README.md create mode 100644 terraform/environment/region/modules/mock_onelogin/README.md create mode 100644 terraform/environment/region/modules/s3_antivirus/README.md create mode 100644 terraform/environment/region/modules/uploads_s3_bucket/README.md
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3041631eb3..e4fb32061c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -25,7 +25,24 @@ repos:
 - id: terraform_tflint
 args:
 - --args=--recursive
-
+ - repo: https://github.com/terraform-docs/terraform-docs
+ rev: "v0.17.0"
+ hooks:
+ - id: terraform-docs-go
+ name: terraform-docs Environment-root
+ args: ["--config", "terraform/environment/.terraform-docs.yml", "./terraform/environment"]
+ - id: terraform-docs-go
+ name: terraform-docs Environment-region
+ args: ["--config", "terraform/environment/region/.terraform-docs.yml", "./terraform/environment/region"]
+ - id: terraform-docs-go
+ name: terraform-docs Environment-global
+ args: ["--config", "terraform/environment/global/.terraform-docs.yml", "./terraform/environment/global"]
+ - id: terraform-docs-go
+ name: terraform-docs Account-root
+ args: ["--config", "terraform/account/.terraform-docs.yml", "./terraform/account"]
+ - id: terraform-docs-go
+ name: terraform-docs Account-region
+ args: ["--config", "terraform/account/region/.terraform-docs.yml", "./terraform/account/region"]
 - repo: https://github.com/dnephin/pre-commit-golang
 rev: v0.5.1
 hooks:
diff --git a/terraform/account/.terraform-docs.yml b/terraform/account/.terraform-docs.yml
new file mode 100644
index 0000000000..332a650e36
--- /dev/null
+++ b/terraform/account/.terraform-docs.yml
@@ -0,0 +1,8 @@
+formatter: markdown table
+
+recursive:
+ enabled: false
+
+output:
+ file: README.md
+ mode: inject
diff --git a/terraform/account/README.md b/terraform/account/README.md
index fb8481cb29..780ffe41bf 100644
--- a/terraform/account/README.md
+++ b/terraform/account/README.md
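Review bot: `rev: "v0.17.0"` pins the new terraform-docs hook repository to a tag, which git allows to be moved; since the `terraform-docs-go` hook appears to build the tool from that checkout on every developer machine and CI runner, pinning `rev` to the commit SHA behind the v0.17.0 release (`rev: <commit sha of terraform-docs v0.17.0>`) gives an immutable reference that `pre-commit autoupdate` can still refresh. The quoted form is also inconsistent with the neighbouring context line `rev: v0.5.1`; drop the quotes or quote both. The five hook entries differ only in the config path and the root directory, so a comment above the `repo:` line such as `# one terraform-docs run per Terraform root; the account/region config enables recursive, the account root config does not` would explain why a single recursive run is not used.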
@@ -84,3 +84,113 @@ aws-vault exec identity -- terraform force-unlock 69592de7-6132-c863-ae53-976776 It is important to select the correct workspace. For terraform_environment, this will be based on your PR and can be found in the Github Actions account level plan/apply pipeline job for example `TF Plan Dev Account` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | 1.7.1 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.eu\_west\_1](#provider\_aws.eu\_west\_1) | 5.34.0 | +| [aws.eu\_west\_2](#provider\_aws.eu\_west\_2) | 5.34.0 | +| [aws.global](#provider\_aws.global) | 5.34.0 | +| [aws.management\_global](#provider\_aws.management\_global) | 5.34.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [eu\_west\_1](#module\_eu\_west\_1) | ./region | n/a | +| [eu\_west\_2](#module\_eu\_west\_2) | ./region | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_backup_vault.eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | +| [aws_backup_vault.eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | +| [aws_dynamodb_table.workspace_cleanup_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | +| [aws_iam_role.aws_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.aws_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_service_linked_role.ecs_autoscaling_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource | +| 
[aws_kms_alias.cloudwatch_alias_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.cloudwatch_alias_eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.dynamodb_alias_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.dynamodb_alias_eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.reduced_fees_uploads_s3_alias_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.reduced_fees_uploads_s3_alias_eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.secrets_manager_alias_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.secrets_manager_alias_eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.sns_alias_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.sns_alias_eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.sns_alias_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.sqs_alias_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.sqs_alias_eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| 
[aws_kms_key.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_kms_key.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_kms_key.reduced_fees_uploads_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_kms_key.secrets_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_kms_key.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_kms_key.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_kms_replica_key.cloudwatch_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource | +| [aws_kms_replica_key.dynamodb_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource | +| [aws_kms_replica_key.reduced_fees_uploads_s3_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource | +| [aws_kms_replica_key.secrets_manager_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource | +| [aws_kms_replica_key.sns_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource | +| [aws_kms_replica_key.sns_replica_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource | +| [aws_kms_replica_key.sqs_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource | +| [aws_resourcegroups_group.account_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | +| 
[aws_resourcegroups_group.account_eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | +| [aws_resourcegroups_group.account_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | +| [aws_secretsmanager_secret.cookie_session_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.gov_uk_notify_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.gov_uk_onelogin_identity_public_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.gov_uk_pay_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.lpa_store_jwt_secret_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.os_postcode_lookup_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.private_jwt_key_base64](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_ssm_parameter.additional_allowed_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_caller_identity.global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_default_tags.global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| 
[aws_iam_policy_document.aws_backup_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudwatch_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudwatch_kms_development_account_operator_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudwatch_kms_merged](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.dynamodb_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.dynamodb_kms_development_account_operator_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.dynamodb_kms_merged](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.reduced_fees_uploads_s3_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.reduced_fees_uploads_s3_kms_development_account_operator_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.reduced_fees_uploads_s3_kms_merged](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secrets_manager_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.secrets_manager_kms_development_account_operator_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secrets_manager_kms_merged](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sns_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sns_kms_development_account_operator_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sns_kms_merged](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sqs_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sqs_kms_development_account_operator_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sqs_kms_merged](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_region.eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [accounts](#input\_accounts) | n/a |
map(
object({
account_id = string
account_name = string
is_production = bool
regions = list(string)
})
)
| n/a | yes | +| [default\_role](#input\_default\_role) | n/a | `string` | `"modernising-lpa-ci"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [resource\_group\_arns](#output\_resource\_group\_arns) | n/a | +| [workspace\_name](#output\_workspace\_name) | n/a | +
diff --git a/terraform/account/region/.terraform-docs.yml b/terraform/account/region/.terraform-docs.yml
new file mode 100644
index 0000000000..23806cfb6b
--- /dev/null
+++ b/terraform/account/region/.terraform-docs.yml
@@ -0,0 +1,8 @@
+formatter: markdown table
+
+recursive:
+ enabled: true
+
+output:
+ file: README.md
+ mode: inject
diff --git a/terraform/account/region/README.md b/terraform/account/region/README.md
new file mode 100644
index 0000000000..03932b080b
--- /dev/null
+++ b/terraform/account/region/README.md
@@ -0,0 +1,112 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.34.0 | +| [aws.global](#provider\_aws.global) | ~> 5.34.0 | +| [aws.management](#provider\_aws.management) | ~> 5.34.0 | +| [aws.region](#provider\_aws.region) | ~> 5.34.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [antivirus\_definitions](#module\_antivirus\_definitions) | ./modules/antivirus_definitions | n/a | +| [dns\_firewall](#module\_dns\_firewall) | ./modules/dns_firewall | n/a | +| [network](#module\_network) | github.com/ministryofjustice/opg-terraform-aws-network | v1.3.3 | +| [s3\_batch\_manifests](#module\_s3\_batch\_manifests) | ./modules/s3_batch_manifests | n/a | +| [s3\_event\_notifications](#module\_s3\_event\_notifications) | ./modules/s3_bucket_event_notifications | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_acm_certificate.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource | +| [aws_acm_certificate_validation.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource | +| [aws_cloudwatch_log_group.default_vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.waf_web_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cognito_identity_pool.rum_monitor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool) | resource | +| [aws_cognito_identity_pool_roles_attachment.rum_monitor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool_roles_attachment) | 
resource | +| [aws_default_network_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource | +| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource | +| [aws_default_subnet.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_subnet) | resource | +| [aws_flow_log.default_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource | +| [aws_iam_policy.default_vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default_vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.rum_monitor_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.default_vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_route53_record.certificate_validation_app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_s3_bucket.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.log_retention_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_logging.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_policy.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| 
[aws_s3_bucket_public_access_block.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_secretsmanager_secret.rum_monitor_identity_pool_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.rum_monitor_identity_pool_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_security_group.default_vpc_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.lambda_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.vpc_endpoints_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.default_vpc_endpoints_subnet_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.lambda_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.vpc_endpoints_private_subnet_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.vpc_endpoints_public_subnet_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | 
resource | +| [aws_sns_topic.cloudwatch_application_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic.ecs_autoscaling_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_vpc_endpoint.default_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint_policy.default_vpc_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_policy) | resource | +| [aws_vpc_endpoint_policy.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_policy) | resource | +| [aws_wafv2_web_acl.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource | +| [aws_wafv2_web_acl_logging_configuration.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| 
[aws_ecr_repository.s3_antivirus_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository) | data source | +| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.allow_account_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.default_vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.default_vpc_flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.rum_monitor_unauthenticated_role_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.s3_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_role.sns_failure_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_iam_role.sns_success_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| 
[aws_kms_alias.secrets_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_kms_alias.sns_kms_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_network_acls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_route53_zone.modernising_lpa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | +| [aws_route_tables.application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source | +| [aws_s3_bucket.s3_access_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | +| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cloudwatch\_log\_group\_kms\_key\_alias](#input\_cloudwatch\_log\_group\_kms\_key\_alias) | The alias of the KMS Key to use when encrypting Cloudwatch log data. | `string` | `null` | no | +| [network\_cidr\_block](#input\_network\_cidr\_block) | The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using ipv4\_netmask\_length. 
| `string` | n/a | yes | +| [reduced\_fees\_uploads\_s3\_encryption\_kms\_key\_alias](#input\_reduced\_fees\_uploads\_s3\_encryption\_kms\_key\_alias) | The alias of the KMS key used to encrypt the reduced fees uploads S3 bucket and replication manifests | `string` | n/a | yes | +| [secrets\_manager\_kms\_key\_alias](#input\_secrets\_manager\_kms\_key\_alias) | The alias of the KMS key used to encrypt Secrets Manager secrets | `string` | n/a | yes | +| [sns\_kms\_key\_alias](#input\_sns\_kms\_key\_alias) | The alias of the KMS key used to encrypt the SNS topic | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [ecs\_autoscaling\_alarm\_sns\_topic](#output\_ecs\_autoscaling\_alarm\_sns\_topic) | n/a | + diff --git a/terraform/account/region/modules/antivirus_definitions/README.md b/terraform/account/region/modules/antivirus_definitions/README.md new file mode 100644 index 0000000000..a93b903274 --- /dev/null +++ b/terraform/account/region/modules/antivirus_definitions/README.md 
@@ -0,0 +1,65 @@ +# Antivirus Definitions + +This module creates a S3 bucket for antivirus definitions, and a Lambda function to update the definitions. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.region](#provider\_aws.region) | ~> 5.34.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_event_rule.cron](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_role.s3_antivirus_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_key.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_lambda_function.lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.allow_lambda_execution_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_lambda_permission.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| 
[aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_logging.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_policy.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.public_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudwatch_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_s3_bucket.access_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | +| [aws_security_group.lambda_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_subnet.application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [ecr\_image\_uri](#input\_ecr\_image\_uri) | URI of ECR image to use for Lambda | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/terraform/account/region/modules/dns_firewall/README.md b/terraform/account/region/modules/dns_firewall/README.md new file mode 100644 index 0000000000..972161d78c --- /dev/null +++ b/terraform/account/region/modules/dns_firewall/README.md 
@@ -0,0 +1,51 @@
+# DNS Firewall
+
+This module creates a DNS Firewall rule group and rule group associations.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.2 |
+| [aws](#requirement\_aws) | ~> 5.34.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws.region](#provider\_aws.region) | ~> 5.34.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.aws_route53_resolver_query_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_query_definition.dns_firewall_statistics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_query_definition) | resource |
+| [aws_route53_resolver_firewall_domain_list.egress_allow](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_domain_list) | resource |
+| [aws_route53_resolver_firewall_domain_list.egress_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_domain_list) | resource |
+| [aws_route53_resolver_firewall_rule.egress_allow](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule) | resource |
+| [aws_route53_resolver_firewall_rule.egress_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule) | resource |
+| [aws_route53_resolver_firewall_rule_group.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule_group) | resource |
+| [aws_route53_resolver_firewall_rule_group_association.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule_group_association) | resource |
+| [aws_route53_resolver_query_log_config.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config) | resource |
+| [aws_route53_resolver_query_log_config_association.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config_association) | resource |
+| [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_service.services](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [cloudwatch\_log\_group\_kms\_key\_alias](#input\_cloudwatch\_log\_group\_kms\_key\_alias) | n/a | `string` | n/a | yes |
+| [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
diff --git a/terraform/account/region/modules/s3_batch_manifests/README.md b/terraform/account/region/modules/s3_batch_manifests/README.md
new file mode 100644
index 0000000000..07d8d8f015
--- /dev/null
+++ b/terraform/account/region/modules/s3_batch_manifests/README.md
@@ -0,0 +1,48 @@
+# S3 Batch Manifests
+
+This module creates a S3 bucket for S3 Batch Job Manifests.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.2 |
+| [aws](#requirement\_aws) | ~> 5.34.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws.region](#provider\_aws.region) | ~> 5.34.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_logging.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_policy.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.public_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
+| [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_kms_alias.s3_encryption_kms_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_s3_bucket.access_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [s3\_encryption\_kms\_key\_alias](#input\_s3\_encryption\_kms\_key\_alias) | The alias of the KMS key used to encrypt the reduced fees uploads S3 bucket and replication manifests | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
diff --git a/terraform/account/region/modules/s3_bucket_event_notifications/README.md b/terraform/account/region/modules/s3_bucket_event_notifications/README.md
new file mode 100644
index 0000000000..4fa9e69bd9
--- /dev/null
+++ b/terraform/account/region/modules/s3_bucket_event_notifications/README.md
@@ -0,0 +1,46 @@ +# S3 Bucket Event Notifications Module + +This module creates a S3 bucket event notifications and event notification filters. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.34.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource | +| [aws_sns_topic.s3_event_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.s3_event_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_iam_policy_document.sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_alias.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [s3\_bucket\_event\_types](#input\_s3\_bucket\_event\_types) | The type of event that triggers the notification | `list(string)` |
[
"s3:ObjectRemoved:*",
"s3:ObjectAcl:Put"
]
| no | +| [s3\_bucket\_id](#input\_s3\_bucket\_id) | The ID of the S3 bucket to which the notification is attached | `string` | n/a | yes | +| [sns\_failure\_feedback\_role\_arn](#input\_sns\_failure\_feedback\_role\_arn) | The ARN of the IAM role that Amazon SNS can assume when it needs to access your AWS resources to process your failure feedback | `string` | n/a | yes | +| [sns\_kms\_key\_alias](#input\_sns\_kms\_key\_alias) | The alias of the KMS key used to encrypt the SNS topic | `string` | n/a | yes | +| [sns\_success\_feedback\_role\_arn](#input\_sns\_success\_feedback\_role\_arn) | The ARN of the IAM role that Amazon SNS can assume when it needs to access your AWS resources to process your success feedback | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/terraform/environment/.terraform-docs.yml b/terraform/environment/.terraform-docs.yml new file mode 100644 index 0000000000..332a650e36 --- /dev/null +++ b/terraform/environment/.terraform-docs.yml @@ -0,0 +1,8 @@ +formatter: markdown table + +recursive: + enabled: false + +output: + file: README.md + mode: inject diff --git a/terraform/environment/README.md b/terraform/environment/README.md index 15eaaee6a3..cee91d873c 100644 --- a/terraform/environment/README.md +++ b/terraform/environment/README.md @@ -11,10 +11,20 @@ It is important to namespace resources to avoid getting errors for creating reso There are two namespace variables available. ```hcl -"${local.environment_name}" +"${local.default_tags.environment-name}" ``` -can return `uml93` or `production` +is available in the root module. Within modules, we use the default tags data source + +```hcl +data "aws_default_tags" "current" { + provider = aws.region +} + +"${data.aws_default_tags.current.tags["environment-name"]}" +``` + +They will both return values like `1015mlpab17` or `production` ## Regional Design Pattern 
@@ -97,3 +107,78 @@ aws-vault exec identity -- terraform force-unlock 69592de7-6132-c863-ae53-976776 It is important to select the correct workspace. For terraform_environment, this will be based on your PR and can be found in the Github Actions pipeline job `PR Environment Deploy` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | 1.7.1 | +| [aws](#requirement\_aws) | ~> 5.34.0 | +| [pagerduty](#requirement\_pagerduty) | 3.5.2 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.eu\_west\_1](#provider\_aws.eu\_west\_1) | 5.34.0 | +| [aws.eu\_west\_2](#provider\_aws.eu\_west\_2) | 5.34.0 | +| [aws.global](#provider\_aws.global) | 5.34.0 | +| [aws.management\_eu\_west\_1](#provider\_aws.management\_eu\_west\_1) | 5.34.0 | +| [aws.management\_global](#provider\_aws.management\_global) | 5.34.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [allow\_list](#module\_allow\_list) | git@github.com:ministryofjustice/opg-terraform-aws-moj-ip-allow-list.git | v2.3.0 | +| [eu\_west\_1](#module\_eu\_west\_1) | ./region | n/a | +| [eu\_west\_2](#module\_eu\_west\_2) | ./region | n/a | +| [global](#module\_global) | ./global | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_backup_plan.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource | +| [aws_backup_selection.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | +| [aws_backup_vault_notifications.aws_backup_failure_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications) | resource | +| [aws_dynamodb_table.lpas_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | +| 
[aws_dynamodb_table_replica.lpas_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table_replica) | resource | +| [aws_sns_topic.aws_backup_failure_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.aws_backup_failure_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_ssm_parameter.container_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.dns_target_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_backup_vault.eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/backup_vault) | data source | +| [aws_backup_vault.eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/backup_vault) | data source | +| [aws_ecr_repository.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository) | data source | +| [aws_ecr_repository.mock_onelogin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository) | data source | +| [aws_iam_policy_document.aws_backup_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_role.aws_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_iam_role.sns_failure_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_iam_role.sns_success_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| 
[aws_kms_alias.dynamodb_encryption_key_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_kms_alias.dynamodb_encryption_key_eu_west_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_kms_alias.sns_encryption_key_eu_west_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [container\_version](#input\_container\_version) | n/a | `string` | `"latest"` | no | +| [default\_role](#input\_default\_role) | n/a | `string` | `"modernising-lpa-ci"` | no | +| [environments](#input\_environments) | n/a |
map(
object({
account_id = string
account_name = string
is_production = bool
regions = list(string)
app = object({
env = object({
app_public_url = string
auth_redirect_base_url = string
notify_is_production = string
onelogin_url = string
})
autoscaling = object({
minimum = number
maximum = number
})
dependency_health_check_alarm_enabled = bool
service_health_check_alarm_enabled = bool
cloudwatch_application_insights_enabled = bool
})
mock_onelogin_enabled = bool
uid_service = object({
base_url = string
api_arns = list(string)
})
lpa_store_service = object({
base_url = string
api_arns = list(string)
})
backups = object({
backup_plan_enabled = bool
copy_action_enabled = bool
})
dynamodb = object({
region_replica_enabled = bool
stream_enabled = bool
})
ecs = object({
fargate_spot_capacity_provider_enabled = bool

})
cloudwatch_log_groups = object({
application_log_retention_days = number
})
application_load_balancer = object({
deletion_protection_enabled = bool
})
cloudwatch_application_insights_enabled = bool
pagerduty_service_name = string
event_bus = object({
target_event_bus_arn = string
receive_account_ids = list(string)
})
reduced_fees = object({
enabled = bool
s3_object_replication_enabled = bool
target_environment = string
destination_account_id = string
enable_s3_batch_job_replication_scheduler = bool
})
s3_antivirus_provisioned_concurrency = number
})
)
| n/a | yes | +| [pagerduty\_api\_key](#input\_pagerduty\_api\_key) | n/a | `string` | n/a | yes | +| [public\_access\_enabled](#input\_public\_access\_enabled) | n/a | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [app\_fqdn](#output\_app\_fqdn) | n/a | +| [container\_version](#output\_container\_version) | n/a | +| [environment\_config\_json](#output\_environment\_config\_json) | n/a | +| [public\_access\_enabled](#output\_public\_access\_enabled) | n/a | +| [resource\_group\_arns](#output\_resource\_group\_arns) | n/a | +| [workspace\_name](#output\_workspace\_name) | n/a | + diff --git a/terraform/environment/global/.terraform-docs.yml b/terraform/environment/global/.terraform-docs.yml new file mode 100644 index 0000000000..332a650e36 --- /dev/null +++ b/terraform/environment/global/.terraform-docs.yml @@ -0,0 +1,8 @@ +formatter: markdown table + +recursive: + enabled: false + +output: + file: README.md + mode: inject diff --git a/terraform/environment/global/README.md b/terraform/environment/global/README.md new file mode 100644 index 0000000000..0b0e0e1fe6 --- /dev/null +++ b/terraform/environment/global/README.md 
@@ -0,0 +1,105 @@ +# Global Resource Module + +This module creates the global resources for an environment. + +## Requirements + +| Name | Version | +|---------------------------------------------------------------------------|-----------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | +| [pagerduty](#requirement\_pagerduty) | 3.5.2 | + +## Providers + +| Name | Version | +|------------------------------------------------------------------------|-----------| +| [aws.global](#provider\_aws.global) | ~> 5.34.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [aws_applicationinsights_application.environment_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/applicationinsights_application) | resource | +| [aws_iam_role.app_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.cross_account_put](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.s3_antivirus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.s3_antivirus_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_resourcegroups_group.environment_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | 
resource | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| [aws_iam_policy_document.cross_account_put_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.execution_role_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.task_role_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------|--------|---------|:--------:| +| [cloudwatch\_application\_insights\_enabled](#input\_cloudwatch\_application\_insights\_enabled) | Enable CloudWatch Application Insights | `bool` | n/a | yes | + +## Outputs + +| Name | Description | +|------------------------------------------------------------------------------------------------|-------------| +| [iam\_roles](#output\_iam\_roles) | n/a | +| [resource\_group\_arn](#output\_resource\_group\_arn) | n/a | + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | +| [pagerduty](#requirement\_pagerduty) | 3.5.2 | + +## Providers + +| Name | Version | +|------|---------| +| 
[aws.global](#provider\_aws.global) | ~> 5.34.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_applicationinsights_application.environment_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/applicationinsights_application) | resource | +| [aws_iam_role.app_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.cross_account_put](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.s3_antivirus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.s3_antivirus_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_resourcegroups_group.environment_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| [aws_iam_policy_document.cross_account_put_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.execution_role_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.task_role_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cloudwatch\_application\_insights\_enabled](#input\_cloudwatch\_application\_insights\_enabled) | Enable CloudWatch Application Insights | `bool` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [iam\_roles](#output\_iam\_roles) | n/a | +| [resource\_group\_arn](#output\_resource\_group\_arn) | n/a | + diff --git a/terraform/environment/region/.terraform-docs.yml b/terraform/environment/region/.terraform-docs.yml new file mode 100644 index 0000000000..23806cfb6b --- /dev/null +++ b/terraform/environment/region/.terraform-docs.yml @@ -0,0 +1,8 @@ +formatter: markdown table + +recursive: + enabled: true + +output: + file: README.md + mode: inject diff --git a/terraform/environment/region/README.md b/terraform/environment/region/README.md index 6d8619c6bd..e85a3c2559 100644 --- a/terraform/environment/region/README.md +++ b/terraform/environment/region/README.md 
@@ -1,68 +1,136 @@
+# Region Resources Module
+
+This module creates the regional resources for an environment.
+
+
## Requirements
-| Name | Version |
-|---------------------------------------------------------------------------|----------|
-| [terraform](#requirement\_terraform) | >= 1.2.2 |
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.2 |
+| [aws](#requirement\_aws) | ~> 5.34.0 |
+| [pagerduty](#requirement\_pagerduty) | 3.5.2 |
## Providers
-| Name | Version |
-|------------------------------------------------------------------------|---------|
-| [aws.global](#provider\_aws.global) | 4.24.0 |
-| [aws.region](#provider\_aws.region) | 4.24.0 |
+| Name | Version |
+|------|---------|
+| [aws.global](#provider\_aws.global) | ~> 5.34.0 |
+| [aws.management](#provider\_aws.management) | ~> 5.34.0 |
+| [aws.management\_global](#provider\_aws.management\_global) | ~> 5.34.0 |
+| [aws.region](#provider\_aws.region) | ~> 5.34.0 |
+| [pagerduty](#provider\_pagerduty) | 3.5.2 |
## Modules
-| Name | Source | Version |
-|---------------------------------------------------------------------------------------------------|----------------------------|---------|
-| [app](#module\_app) | ./modules/app | n/a |
-| [app\_ecs\_autoscaling](#module\_app\_ecs\_autoscaling) | ./modules/ecs_autoscaling | n/a |
-| [application\_logs](#module\_application\_logs) | ./modules/application_logs | n/a |
+| Name | Source | Version |
+|------|--------|---------|
+| [app](#module\_app) | ./modules/app | n/a |
+| [app\_ecs\_autoscaling](#module\_app\_ecs\_autoscaling) | ./modules/ecs_autoscaling | n/a |
+| [application\_logs](#module\_application\_logs) | ./modules/application_logs | n/a |
+| [event\_bus](#module\_event\_bus) | ./modules/event_bus | n/a |
+| [event\_received](#module\_event\_received) | ./modules/event_received | n/a |
+| [mock\_onelogin](#module\_mock\_onelogin) | ./modules/mock_onelogin | n/a |
+| 
[s3\_antivirus](#module\_s3\_antivirus) | ./modules/s3_antivirus | n/a | +| [uploads\_s3\_bucket](#module\_uploads\_s3\_bucket) | ./modules/uploads_s3_bucket | n/a | ## Resources -| Name | Type | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [aws_ecs_cluster.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource | -| [aws_iam_role_policy.rum_monitor_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_rum_app_monitor.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rum_app_monitor) | resource | -| [aws_secretsmanager_secret_version.rum_monitor_application_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | -| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_caller_identity.global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | -| [aws_iam_policy_document.rum_monitor_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_role.ecs_autoscaling_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | -| 
[aws_iam_role.rum_monitor_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_region.global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| Name | Type | +|------|------| +| [aws_applicationinsights_application.environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/applicationinsights_application) | resource | +| [aws_cloudwatch_dashboard.health_checks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_dashboard) | resource | +| [aws_cloudwatch_metric_alarm.dependency_health_check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_cloudwatch_metric_alarm.service_health_check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_ecs_cluster.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource | +| [aws_iam_role_policy.execution_role_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.rum_monitor_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_resourcegroups_group.environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | +| [aws_route53_health_check.dependency_health_check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_health_check) | resource | +| 
[aws_route53_health_check.service_health_check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_health_check) | resource | +| [aws_route53_record.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.mock_onelogin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_rum_app_monitor.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rum_app_monitor) | resource | +| [aws_secretsmanager_secret.rum_monitor_application_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.rum_monitor_application_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_service_discovery_private_dns_namespace.mock_one_login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/service_discovery_private_dns_namespace) | resource | +| [aws_sns_topic.dependency_health_checks_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic.service_health_checks_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_subscription.cloudwatch_application_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sns_topic_subscription.dependency_health_check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sns_topic_subscription.ecs_autoscaling_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| 
[aws_sns_topic_subscription.service_health_check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [pagerduty_service_integration.cloudwatch_application_insights](https://registry.terraform.io/providers/PagerDuty/pagerduty/3.5.2/docs/resources/service_integration) | resource | +| [pagerduty_service_integration.dependency_health_check](https://registry.terraform.io/providers/PagerDuty/pagerduty/3.5.2/docs/resources/service_integration) | resource | +| [pagerduty_service_integration.ecs_autoscaling_alarms](https://registry.terraform.io/providers/PagerDuty/pagerduty/3.5.2/docs/resources/service_integration) | resource | +| [pagerduty_service_integration.service_health_check](https://registry.terraform.io/providers/PagerDuty/pagerduty/3.5.2/docs/resources/service_integration) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| [aws_ecr_image.s3_antivirus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_image) | data source | +| [aws_ecr_repository.event_received](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository) | data source | +| [aws_ecr_repository.s3_antivirus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository) | data source | +| [aws_ecr_repository.s3_create_batch_replication_jobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository) | data source | +| 
[aws_iam_policy_document.execution_role_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.rum_monitor_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_role.ecs_autoscaling_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_iam_role.rum_monitor_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_iam_role.sns_failure_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_iam_role.sns_success_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [aws_kms_alias.secrets_manager_secret_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_kms_alias.sns_kms_key_alias_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_route53_zone.modernising_lpa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | +| [aws_s3_bucket.antivirus_definitions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | | [aws_secretsmanager_secret_version.rum_monitor_identity_pool_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | -| [aws_subnet.application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | -| 
[aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | -| [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | +| [aws_sns_topic.cloudwatch_application_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sns_topic) | data source | +| [aws_sns_topic.custom_cloudwatch_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sns_topic) | data source | +| [aws_sns_topic.ecs_autoscaling_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sns_topic) | data source | +| [aws_ssm_parameter.additional_allowed_ingress_cidrs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [aws_ssm_parameter.replication_bucket_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [aws_ssm_parameter.replication_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [aws_subnet.application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | +| [pagerduty_service.main](https://registry.terraform.io/providers/PagerDuty/pagerduty/3.5.2/docs/data-sources/service) | data source | +| [pagerduty_vendor.cloudwatch](https://registry.terraform.io/providers/PagerDuty/pagerduty/3.5.2/docs/data-sources/vendor) | data source | ## Inputs -| Name | Description | Type | Default | Required | 
-|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------|---------|:--------:| -| [alb\_deletion\_protection\_enabled](#input\_alb\_deletion\_protection\_enabled) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | n/a | yes | -| [app\_env\_vars](#input\_app\_env\_vars) | Environment variable values for app | `any` | n/a | yes | -| [app\_service\_container\_version](#input\_app\_service\_container\_version) | (optional) describe your variable | `string` | n/a | yes | -| [app\_service\_repository\_url](#input\_app\_service\_repository\_url) | (optional) describe your variable | `string` | n/a | yes | -| [application\_log\_retention\_days](#input\_application\_log\_retention\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | n/a | yes | -| [ecs\_capacity\_provider](#input\_ecs\_capacity\_provider) | Name of the capacity provider to use. Valid values are FARGATE\_SPOT and FARGATE | `string` | n/a | yes | -| [ecs\_execution\_role](#input\_ecs\_execution\_role) | The task execution role that the Amazon ECS container agent and the Docker daemon can assume. 
| `any` | n/a | yes | -| [ecs\_task\_autoscaling](#input\_ecs\_task\_autoscaling) | task minimum and maximum values for autoscaling | `any` | n/a | yes | -| [ecs\_task\_roles](#input\_ecs\_task\_roles) | ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services. |
object({
app = any
})
| n/a | yes | -| [ingress\_allow\_list\_cidr](#input\_ingress\_allow\_list\_cidr) | List of CIDR ranges permitted to access the service | `list(string)` | n/a | yes | -| [lpas\_table](#input\_lpas\_table) | DynamoDB table for storing LPAs | `any` | n/a | yes | -| [public\_access\_enabled](#input\_public\_access\_enabled) | Enable access to the Modernising LPA service from the public internet | `bool` | n/a | yes | -| [rum\_monitor\_application\_id\_secretsmanager\_secret\_id](#input\_rum\_monitor\_application\_id\_secretsmanager\_secret\_id) | ARN of the AWS Secrets Manager secret containing the RUM monitor identity pool ID | `string` | n/a | yes | -| [rum\_monitor\_identity\_pool\_id\_secretsmanager\_secret\_id](#input\_rum\_monitor\_identity\_pool\_id\_secretsmanager\_secret\_id) | ARN of the AWS Secrets Manager secret containing the RUM monitor identity pool ID | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [alb\_deletion\_protection\_enabled](#input\_alb\_deletion\_protection\_enabled) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | n/a | yes | +| [app\_env\_vars](#input\_app\_env\_vars) | Environment variable values for app | `any` | n/a | yes | +| [app\_service\_container\_version](#input\_app\_service\_container\_version) | Container version the app service | `string` | n/a | yes | +| [app\_service\_repository\_url](#input\_app\_service\_repository\_url) | Repository URL for the app service | `string` | n/a | yes | +| [application\_log\_retention\_days](#input\_application\_log\_retention\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. 
If you select 0, the events in the log group are always retained and never expire. | `number` | n/a | yes | +| [cloudwatch\_application\_insights\_enabled](#input\_cloudwatch\_application\_insights\_enabled) | Enable CloudWatch Application Insights | `bool` | n/a | yes | +| [dependency\_health\_check\_alarm\_enabled](#input\_dependency\_health\_check\_alarm\_enabled) | Enable the dependency health check alert actions | `bool` | `false` | no | +| [dns\_weighting](#input\_dns\_weighting) | Weighting for DNS records | `number` | n/a | yes | +| [ecs\_capacity\_provider](#input\_ecs\_capacity\_provider) | Name of the capacity provider to use. Valid values are FARGATE\_SPOT and FARGATE | `string` | n/a | yes | +| [ecs\_task\_autoscaling](#input\_ecs\_task\_autoscaling) | task minimum and maximum values for autoscaling | `any` | n/a | yes | +| [iam\_roles](#input\_iam\_roles) | ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services. |
object({
ecs_execution_role = any
app_ecs_task_role = any
s3_antivirus = any
cross_account_put = any
})
| n/a | yes | +| [ingress\_allow\_list\_cidr](#input\_ingress\_allow\_list\_cidr) | List of CIDR ranges permitted to access the service | `list(string)` | n/a | yes | +| [lpa\_store\_service](#input\_lpa\_store\_service) | n/a |
object({
base_url = string
api_arns = list(string)
})
| n/a | yes | +| [lpas\_table](#input\_lpas\_table) | DynamoDB table for storing LPAs | `any` | n/a | yes | +| [mock\_onelogin\_enabled](#input\_mock\_onelogin\_enabled) | n/a | `bool` | n/a | yes | +| [mock\_onelogin\_service\_container\_version](#input\_mock\_onelogin\_service\_container\_version) | Container version for the mock-onelogin service | `string` | n/a | yes | +| [mock\_onelogin\_service\_repository\_url](#input\_mock\_onelogin\_service\_repository\_url) | Repository URL for the mock-onelogin service | `string` | n/a | yes | +| [pagerduty\_service\_name](#input\_pagerduty\_service\_name) | Name of the PagerDuty service to use for alerts | `string` | n/a | yes | +| [public\_access\_enabled](#input\_public\_access\_enabled) | Enable access to the Modernising LPA service from the public internet | `bool` | n/a | yes | +| [receive\_account\_ids](#input\_receive\_account\_ids) | IDs of accounts to receive messages from | `list(string)` | `[]` | no | +| [reduced\_fees](#input\_reduced\_fees) | n/a |
object({
s3_object_replication_enabled = bool
target_environment = string
destination_account_id = string
enable_s3_batch_job_replication_scheduler = bool
})
| n/a | yes | +| [s3\_antivirus\_provisioned\_concurrency](#input\_s3\_antivirus\_provisioned\_concurrency) | Number of concurrent executions to provision for Lambda | `number` | `0` | no | +| [service\_health\_check\_alarm\_enabled](#input\_service\_health\_check\_alarm\_enabled) | Enable the service health check alert actions | `bool` | `false` | no | +| [target\_event\_bus\_arn](#input\_target\_event\_bus\_arn) | ARN of the event bus to forward events to | `string` | n/a | yes | +| [uid\_service](#input\_uid\_service) | n/a |
object({
base_url = string
api_arns = list(string)
})
| n/a | yes |
## Outputs
-| Name | Description |
-|----------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [app\_load\_balancer](#output\_app\_load\_balancer) | n/a |
-| [app\_load\_balancer\_security\_group](#output\_app\_load\_balancer\_security\_group) | n/a |
+| Name | Description |
+|------|-------------|
+| [app\_fqdn](#output\_app\_fqdn) | n/a |
+| [app\_load\_balancer](#output\_app\_load\_balancer) | n/a |
+| [app\_load\_balancer\_security\_group](#output\_app\_load\_balancer\_security\_group) | n/a |
+| [resource\_group\_arn](#output\_resource\_group\_arn) | n/a |
+
diff --git a/terraform/environment/region/modules/app/README.md b/terraform/environment/region/modules/app/README.md
index cb703b274a..43fe80dcc0 100644
--- a/terraform/environment/region/modules/app/README.md
+++ b/terraform/environment/region/modules/app/README.md
@@ -1,14 +1,20 @@
+# App Module
+
+The module creates an ECS service for the Modernising LPA application, and associated resources including a load balancer, security groups, and a WAFv2 web ACL association.
+
+
## Requirements
-| Name | Version |
-|---------------------------------------------------------------------------|----------|
-| [terraform](#requirement\_terraform) | >= 1.2.2 |
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.2 |
+| [aws](#requirement\_aws) | ~> 5.34.0 |
## Providers
-| Name | Version |
-|------------------------------------------------------------------------|---------|
-| [aws.region](#provider\_aws.region) | n/a |
+| Name | Version |
+|------|---------|
+| [aws.region](#provider\_aws.region) | ~> 5.34.0 |
## Modules 
@@ -16,70 +22,81 @@ No modules.
 ## Resources
-| Name | Type |
-|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [aws_ecs_service.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
-| [aws_ecs_task_definition.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
-| [aws_iam_role_policy.app_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_lb.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
-| [aws_lb_listener.app_loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
-| [aws_lb_listener.app_loadbalancer_http_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
-| [aws_lb_listener_certificate.app_loadbalancer_live_service_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_certificate) | resource |
-| [aws_lb_target_group.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
-| [aws_security_group.app_ecs_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
-| [aws_security_group.app_loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
-| [aws_security_group_rule.app_ecs_service_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [aws_security_group_rule.app_ecs_service_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule)
| resource |
-| [aws_security_group_rule.app_loadbalancer_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [aws_security_group_rule.app_loadbalancer_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [aws_security_group_rule.app_loadbalancer_port_80_redirect_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [aws_security_group_rule.app_loadbalancer_public_access_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [aws_security_group_rule.loadbalancer_ingress_route53_healthchecks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [aws_wafv2_web_acl_association.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association) | resource |
-| [aws_acm_certificate.certificate_app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
-| [aws_iam_policy_document.task_role_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_ip_ranges.route53_healthchecks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ip_ranges) | data source |
-| [aws_kms_alias.dynamodb_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
-| 
[aws_kms_alias.secrets_manager_secret_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_s3_bucket.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
-| [aws_secretsmanager_secret.cookie_session_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
-| [aws_secretsmanager_secret.gov_uk_notify_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
-| [aws_secretsmanager_secret.gov_uk_onelogin_identity_public_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
-| [aws_secretsmanager_secret.gov_uk_pay_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
-| [aws_secretsmanager_secret.os_postcode_lookup_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
-| [aws_secretsmanager_secret.private_jwt_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
-| [aws_secretsmanager_secret.rum_monitor_identity_pool_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
-| [aws_wafv2_web_acl.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/wafv2_web_acl) | data source |
+| Name | Type |
+|------|------|
+| [aws_ecs_service.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
+| 
[aws_ecs_task_definition.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
+| [aws_iam_role_policy.app_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_lb.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
+| [aws_lb_listener.app_loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_listener.app_loadbalancer_http_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_listener_certificate.app_loadbalancer_live_service_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_certificate) | resource |
+| [aws_lb_listener_rule.app_maintenance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
+| [aws_lb_listener_rule.app_maintenance_welsh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
+| [aws_lb_target_group.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
+| [aws_security_group.app_ecs_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.app_loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.app_ecs_service_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.app_ecs_service_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| 
[aws_security_group_rule.app_loadbalancer_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.app_loadbalancer_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.app_loadbalancer_port_80_redirect_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.app_loadbalancer_public_access_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.app_loadbalancer_public_access_ingress_port_80](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.loadbalancer_ingress_route53_healthchecks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_wafv2_web_acl_association.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association) | resource |
+| [aws_acm_certificate.certificate_app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source |
+| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
+| [aws_iam_policy_document.task_role_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_ip_ranges.route53_healthchecks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ip_ranges) | data source |
+| [aws_kms_alias.dynamodb_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| 
[aws_kms_alias.reduced_fees_uploads_s3_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_kms_alias.secrets_manager_secret_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_s3_bucket.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
+| [aws_secretsmanager_secret.cookie_session_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.gov_uk_notify_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.gov_uk_onelogin_identity_public_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.gov_uk_pay_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.lpa_store_jwt_secret_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.os_postcode_lookup_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.private_jwt_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.rum_monitor_identity_pool_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| 
[aws_wafv2_web_acl.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/wafv2_web_acl) | data source |
 ## Inputs
-| Name | Description | Type | Default | Required |
-|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|---------|:--------:|
-| [alb\_deletion\_protection\_enabled](#input\_alb\_deletion\_protection\_enabled) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | n/a | yes |
-| [app\_env\_vars](#input\_app\_env\_vars) | Environment variable values for app | `any` | n/a | yes |
-| [app\_service\_container\_version](#input\_app\_service\_container\_version) | (optional) describe your variable | `string` | n/a | yes |
-| [app\_service\_repository\_url](#input\_app\_service\_repository\_url) | (optional) describe your variable | `string` | n/a | yes |
-| [aws\_rum\_guest\_role\_arn](#input\_aws\_rum\_guest\_role\_arn) | ARN of the AWS RUM guest role | `string` | n/a | yes |
-| [container\_port](#input\_container\_port) | Port on the container to associate with. | `number` | n/a | yes |
-| [ecs\_application\_log\_group\_name](#input\_ecs\_application\_log\_group\_name) | The AWS Cloudwatch Log Group resource for application logging | `any` | n/a | yes |
-| [ecs\_capacity\_provider](#input\_ecs\_capacity\_provider) | Name of the capacity provider to use. 
Valid values are FARGATE\_SPOT and FARGATE | `string` | n/a | yes |
-| [ecs\_cluster](#input\_ecs\_cluster) | ARN of an ECS cluster. | `string` | n/a | yes |
-| [ecs\_execution\_role](#input\_ecs\_execution\_role) | ID and ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume. |
object({
id = string
arn = string
})
| n/a | yes |
-| [ecs\_service\_desired\_count](#input\_ecs\_service\_desired\_count) | Number of instances of the task definition to place and keep running. Defaults to 0. Do not specify if using the DAEMON scheduling strategy. | `number` | `0` | no |
-| [ecs\_task\_role](#input\_ecs\_task\_role) | ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services. | `any` | n/a | yes |
-| [ingress\_allow\_list\_cidr](#input\_ingress\_allow\_list\_cidr) | List of CIDR ranges permitted to access the service | `list(string)` | n/a | yes |
-| [lpas\_table](#input\_lpas\_table) | DynamoDB table for storing LPAs | `any` | n/a | yes |
-| [network](#input\_network) | VPC ID, a list of application subnets, and a list of private subnets required to provision the ECS service |
object({
vpc_id = string
application_subnets = list(string)
public_subnets = list(string)
})
| n/a | yes |
-| [public\_access\_enabled](#input\_public\_access\_enabled) | Enable access to the Modernising LPA service from the public internet | `bool` | n/a | yes |
-| [rum\_monitor\_application\_id\_secretsmanager\_secret\_arn](#input\_rum\_monitor\_application\_id\_secretsmanager\_secret\_arn) | ARN of the AWS Secrets Manager secret containing the RUM monitor application ID | `string` | n/a | yes |
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [alb\_deletion\_protection\_enabled](#input\_alb\_deletion\_protection\_enabled) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | n/a | yes |
+| [app\_allowed\_api\_arns](#input\_app\_allowed\_api\_arns) | n/a | `list(string)` | n/a | yes |
+| [app\_env\_vars](#input\_app\_env\_vars) | Environment variable values for app | `any` | n/a | yes |
+| [app\_service\_container\_version](#input\_app\_service\_container\_version) | (optional) describe your variable | `string` | n/a | yes |
+| [app\_service\_repository\_url](#input\_app\_service\_repository\_url) | (optional) describe your variable | `string` | n/a | yes |
+| [aws\_rum\_guest\_role\_arn](#input\_aws\_rum\_guest\_role\_arn) | ARN of the AWS RUM guest role | `string` | n/a | yes |
+| [container\_port](#input\_container\_port) | Port on the container to associate with. | `number` | n/a | yes |
+| [ecs\_application\_log\_group\_name](#input\_ecs\_application\_log\_group\_name) | The AWS Cloudwatch Log Group resource for application logging | `string` | n/a | yes |
+| [ecs\_capacity\_provider](#input\_ecs\_capacity\_provider) | Name of the capacity provider to use. Valid values are FARGATE\_SPOT and FARGATE | `string` | n/a | yes |
+| [ecs\_cluster](#input\_ecs\_cluster) | ARN of an ECS cluster. 
| `string` | n/a | yes |
+| [ecs\_execution\_role](#input\_ecs\_execution\_role) | ID and ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume. |
object({
id = string
arn = string
})
| n/a | yes |
+| [ecs\_service\_desired\_count](#input\_ecs\_service\_desired\_count) | Number of instances of the task definition to place and keep running. Defaults to 0. Do not specify if using the DAEMON scheduling strategy. | `number` | `0` | no |
+| [event\_bus](#input\_event\_bus) | Name and ARN of the event bus to send events to |
object({
name = string
arn = string
})
| n/a | yes |
+| [ingress\_allow\_list\_cidr](#input\_ingress\_allow\_list\_cidr) | List of CIDR ranges permitted to access the service | `list(string)` | n/a | yes |
+| [lpa\_store\_base\_url](#input\_lpa\_store\_base\_url) | n/a | `string` | n/a | yes |
+| [lpas\_table](#input\_lpas\_table) | DynamoDB table for storing LPAs | `any` | n/a | yes |
+| [mock\_onelogin\_enabled](#input\_mock\_onelogin\_enabled) | n/a | `bool` | n/a | yes |
+| [network](#input\_network) | VPC ID, a list of application subnets, and a list of private subnets required to provision the ECS service |
object({
vpc_id = string
application_subnets = list(string)
public_subnets = list(string)
})
| n/a | yes |
+| [public\_access\_enabled](#input\_public\_access\_enabled) | Enable access to the Modernising LPA service from the public internet | `bool` | n/a | yes |
+| [rum\_monitor\_application\_id\_secretsmanager\_secret\_arn](#input\_rum\_monitor\_application\_id\_secretsmanager\_secret\_arn) | ARN of the AWS Secrets Manager secret containing the RUM monitor application ID | `string` | n/a | yes |
+| [uid\_base\_url](#input\_uid\_base\_url) | n/a | `string` | n/a | yes |
+| [uploads\_s3\_bucket](#input\_uploads\_s3\_bucket) | Name and ARN of the S3 bucket for uploads |
object({
bucket_name = string
bucket_arn = string
})
| n/a | yes |
 ## Outputs
-| Name | Description |
-|--------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [ecs\_service](#output\_ecs\_service) | n/a |
-| [load\_balancer](#output\_load\_balancer) | n/a |
-| [load\_balancer\_security\_group](#output\_load\_balancer\_security\_group) | n/a |
+| Name | Description |
+|------|-------------|
+| [ecs\_service](#output\_ecs\_service) | n/a |
+| [ecs\_service\_security\_group](#output\_ecs\_service\_security\_group) | n/a |
+| [load\_balancer](#output\_load\_balancer) | n/a |
+| [load\_balancer\_security\_group](#output\_load\_balancer\_security\_group) | n/a |
+
diff --git a/terraform/environment/region/modules/application_logs/README.md b/terraform/environment/region/modules/application_logs/README.md
index 535a61caef..ce4c2106ac 100644
--- a/terraform/environment/region/modules/application_logs/README.md
+++ b/terraform/environment/region/modules/application_logs/README.md
@@ -1,14 +1,20 @@
+# Application Logs
+
+The module creates a cloudwatch log group and useful log queries for application logs.
+
+
 ## Requirements
-| Name | Version |
-|---------------------------------------------------------------------------|----------|
-| [terraform](#requirement\_terraform) | >= 1.2.2 |
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.2 |
+| [aws](#requirement\_aws) | ~> 5.34.0 |
 ## Providers
-| Name | Version |
-|------------------------------------------------------------------------|---------|
-| [aws.region](#provider\_aws.region) | n/a |
+| Name | Version |
+|------|---------|
+| [aws.region](#provider\_aws.region) | ~> 5.34.0 |
 ## Modules
@@ -16,23 +22,22 @@ No modules.
 ## Resources
-| Name | Type |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [aws_cloudwatch_log_group.application_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_cloudwatch_query_definition.app_container_messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_query_definition) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
-| [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.application_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_query_definition.app_container_messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_query_definition) | resource |
+| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
+| [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 ## Inputs
-| Name | Description | Type | Default | Required | 
-|------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------|:--------:|
-| [application\_log\_retention\_days](#input\_application\_log\_retention\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | n/a | yes |
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [application\_log\_retention\_days](#input\_application\_log\_retention\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | n/a | yes |
 ## Outputs
-| Name | Description |
-|------------------------------------------------------------------------------------------------------|-------------|
-| [cloudwatch\_log\_group](#output\_cloudwatch\_log\_group) | n/a |
+| Name | Description |
+|------|-------------|
+| [cloudwatch\_log\_group](#output\_cloudwatch\_log\_group) | n/a |
+
diff --git a/terraform/environment/region/modules/ecs_autoscaling/README.md b/terraform/environment/region/modules/ecs_autoscaling/README.md
index 80d18547be..2b61f01409 100644
--- a/terraform/environment/region/modules/ecs_autoscaling/README.md
+++ b/terraform/environment/region/modules/ecs_autoscaling/README.md
@@ -1,14 +1,20 @@
+# ECS Autoscaling Module
+
+This module creates the autoscaling resources for an ECS service.
+
+
 ## Requirements
-| Name | Version |
-|---------------------------------------------------------------------------|----------|
-| [terraform](#requirement\_terraform) | >= 1.2.2 |
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.2 |
+| [aws](#requirement\_aws) | ~> 5.34.0 |
 ## Providers
-| Name | Version |
-|------------------------------------------------------------------------|---------|
-| [aws.region](#provider\_aws.region) | n/a |
+| Name | Version |
+|------|---------|
+| [aws.region](#provider\_aws.region) | ~> 5.34.0 |
 ## Modules
@@ -16,36 +22,34 @@ No modules.
 ## Resources
-| Name | Type |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [aws_appautoscaling_policy.down](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
-| [aws_appautoscaling_policy.up](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
-| [aws_appautoscaling_target.ecs_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
-| [aws_cloudwatch_metric_alarm.max_scaling_reached](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
-| [aws_cloudwatch_metric_alarm.scale_down](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
-| [aws_cloudwatch_metric_alarm.scale_up](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| Name | Type |
+|------|------|
+| [aws_appautoscaling_policy.down](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
+| [aws_appautoscaling_policy.up](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
+| 
[aws_appautoscaling_target.ecs_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
+| [aws_cloudwatch_metric_alarm.max_scaling_reached](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_cloudwatch_metric_alarm.scale_down](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_cloudwatch_metric_alarm.scale_up](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 ## Inputs
-| Name | Description | Type | Default | Required |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------|---------|:--------:|
-| [autoscaling\_metric\_max\_cpu\_target](#input\_autoscaling\_metric\_max\_cpu\_target) | The target value for the CPU metric. | `number` | `80` | no |
-| [autoscaling\_metric\_max\_memory\_target](#input\_autoscaling\_metric\_max\_memory\_target) | The target value for the memory metric. | `number` | `80` | no |
-| [autoscaling\_metric\_min\_cpu\_target](#input\_autoscaling\_metric\_min\_cpu\_target) | The target value for the CPU metric. | `number` | `30` | no |
-| [autoscaling\_metric\_min\_memory\_target](#input\_autoscaling\_metric\_min\_memory\_target) | The target value for the memory metric. | `number` | `30` | no |
-| [aws\_ecs\_cluster\_name](#input\_aws\_ecs\_cluster\_name) | Name of the ECS cluster for the service being scaled. | `string` | n/a | yes |
-| [aws\_ecs\_service\_name](#input\_aws\_ecs\_service\_name) | Name of the ECS service. 
| `string` | n/a | yes |
-| [ecs\_autoscaling\_service\_role\_arn](#input\_ecs\_autoscaling\_service\_role\_arn) | The ARN of the IAM role that allows Application AutoScaling to modify your scalable target on your behalf. | `string` | n/a | yes |
-| [ecs\_task\_autoscaling\_maximum](#input\_ecs\_task\_autoscaling\_maximum) | The max capacity of the scalable target. | `number` | n/a | yes |
-| [ecs\_task\_autoscaling\_minimum](#input\_ecs\_task\_autoscaling\_minimum) | The min capacity of the scalable target. | `number` | `1` | no |
-| [environment](#input\_environment) | Name of the environment. | `string` | n/a | yes |
-| [max\_scaling\_alarm\_actions](#input\_max\_scaling\_alarm\_actions) | List of alarm actions for maximum autoscaling being reached. | `list(string)` | n/a | yes |
-| [scale\_down\_cooldown](#input\_scale\_down\_cooldown) | The amount of time, in seconds, after a scale in activity completes before another scale in activity can start. | `number` | `60` | no |
-| [scale\_up\_cooldown](#input\_scale\_up\_cooldown) | The amount of time, in seconds, after a scale out activity completes before another scale out activity can start. | `number` | `60` | no |
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [autoscaling\_metric\_max\_cpu\_target](#input\_autoscaling\_metric\_max\_cpu\_target) | The target value for the CPU metric. | `number` | `80` | no |
+| [autoscaling\_metric\_max\_memory\_target](#input\_autoscaling\_metric\_max\_memory\_target) | The target value for the memory metric. | `number` | `80` | no |
+| [autoscaling\_metric\_min\_cpu\_target](#input\_autoscaling\_metric\_min\_cpu\_target) | The target value for the CPU metric. | `number` | `30` | no |
+| [autoscaling\_metric\_min\_memory\_target](#input\_autoscaling\_metric\_min\_memory\_target) | The target value for the memory metric. 
| `number` | `30` | no |
+| [aws\_ecs\_cluster\_name](#input\_aws\_ecs\_cluster\_name) | Name of the ECS cluster for the service being scaled. | `string` | n/a | yes |
+| [aws\_ecs\_service\_name](#input\_aws\_ecs\_service\_name) | Name of the ECS service. | `string` | n/a | yes |
+| [ecs\_autoscaling\_service\_role\_arn](#input\_ecs\_autoscaling\_service\_role\_arn) | The ARN of the IAM role that allows Application AutoScaling to modify your scalable target on your behalf. | `string` | n/a | yes |
+| [ecs\_task\_autoscaling\_maximum](#input\_ecs\_task\_autoscaling\_maximum) | The max capacity of the scalable target. | `number` | n/a | yes |
+| [ecs\_task\_autoscaling\_minimum](#input\_ecs\_task\_autoscaling\_minimum) | The min capacity of the scalable target. | `number` | `1` | no |
+| [environment](#input\_environment) | Name of the environment. | `string` | n/a | yes |
+| [max\_scaling\_alarm\_actions](#input\_max\_scaling\_alarm\_actions) | List of alarm actions for maximum autoscaling being reached. | `list(string)` | n/a | yes |
+| [scale\_down\_cooldown](#input\_scale\_down\_cooldown) | The amount of time, in seconds, after a scale in activity completes before another scale in activity can start. | `number` | `60` | no |
+| [scale\_up\_cooldown](#input\_scale\_up\_cooldown) | The amount of time, in seconds, after a scale out activity completes before another scale out activity can start. | `number` | `60` | no |
 ## Outputs
 No outputs.
+
diff --git a/terraform/environment/region/modules/event_bus/README.md b/terraform/environment/region/modules/event_bus/README.md
index b4f8a4be79..b982c7dd88 100644
--- a/terraform/environment/region/modules/event_bus/README.md
+++ b/terraform/environment/region/modules/event_bus/README.md
@@ -11,3 +11,57 @@ You can create an incoming reduced fees event by using the following aws cli put ```shell aws-vault exec mlpa-dev -- aws events put-events --entries file://reduced_fees_update_event.json ``` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.34.0 | +| [aws.region](#provider\_aws.region) | ~> 5.34.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_event_archive.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_archive) | resource | +| [aws_cloudwatch_event_bus.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_bus) | resource | +| [aws_cloudwatch_event_bus_policy.cross_account_receive](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_bus_policy) | resource | +| [aws_cloudwatch_event_rule.cross_account_put](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.cross_account_put](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_metric_alarm.event_bus_dead_letter_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_iam_role_policy.cross_account_put](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_sqs_queue.event_bus_dead_letter_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | 
data source | +| [aws_iam_policy_document.cross_account_put_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cross_account_receive](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_alias.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_sns_topic.custom_cloudwatch_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sns_topic) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [iam\_role](#input\_iam\_role) | IAM role to allow cross account put to event bus | `any` | n/a | yes | +| [receive\_account\_ids](#input\_receive\_account\_ids) | IDs of accounts to receive messages from | `list(string)` | `[]` | no | +| [target\_event\_bus\_arn](#input\_target\_event\_bus\_arn) | ARN of the event bus to forward events to | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [event\_bus](#output\_event\_bus) | n/a | + diff --git a/terraform/environment/region/modules/event_received/README.md b/terraform/environment/region/modules/event_received/README.md new file mode 100644 index 0000000000..6a32717b21 --- /dev/null +++ b/terraform/environment/region/modules/event_received/README.md 
@@ -0,0 +1,66 @@ +# Event Received Module + +This module creates the resources required to receive and process events from the event bus. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.34.0 | +| [aws.region](#provider\_aws.region) | ~> 5.34.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [event\_received](#module\_event\_received) | ../lambda | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_event_rule.receive_events_mlpa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_rule.receive_events_sirius](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.receive_events_mlpa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_event_target.receive_events_sirius](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_iam_role_policy.event_received](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.cloudwatch_lambda_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_permission.allow_cloudwatch_to_call_event_received_mlpa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_lambda_permission.allow_cloudwatch_to_call_event_received_sirius](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| 
[aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| [aws_iam_policy_document.api_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.event_received](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_kms_alias.dynamodb_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_kms_alias.secrets_manager_secret_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_secretsmanager_secret.gov_uk_notify_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [allowed\_api\_arns](#input\_allowed\_api\_arns) | n/a | `list(string)` | n/a | yes | +| [app\_public\_url](#input\_app\_public\_url) | n/a | `string` | n/a | yes | +| [event\_bus\_name](#input\_event\_bus\_name) | n/a | `string` | n/a | yes | +| [lambda\_function\_image\_ecr\_url](#input\_lambda\_function\_image\_ecr\_url) | n/a | `string` | n/a | yes | +| [lambda\_function\_image\_tag](#input\_lambda\_function\_image\_tag) | n/a | `string` | n/a | yes | +| [lpas\_table](#input\_lpas\_table) | 
n/a |
object({
arn = string
name = string
})
| n/a | yes | +| [uid\_base\_url](#input\_uid\_base\_url) | n/a | `string` | n/a | yes | +| [uploads\_bucket](#input\_uploads\_bucket) | n/a | `any` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [lambda\_function](#output\_lambda\_function) | n/a | +
diff --git a/terraform/environment/region/modules/lambda/README.md b/terraform/environment/region/modules/lambda/README.md
new file mode 100644
index 0000000000..f0f6c093ed
--- /dev/null
+++ b/terraform/environment/region/modules/lambda/README.md
@@ -0,0 +1,63 @@ +# Lambda Module + +This module creates the resources required to deploy an image based Lambda function. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.region](#provider\_aws.region) | ~> 5.34.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_metric_alarm.lambda_function_failures](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_iam_role.lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.aws_xray_write_only_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.vpc_access_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.allow_lambda_execution_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| 
[aws_iam_policy.aws_xray_write_only_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_sns_topic.custom_cloudwatch_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sns_topic) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Description of your Lambda Function (or Layer) | `string` | `null` | no | +| [environment](#input\_environment) | The environment lambda is being deployed to. | `string` | n/a | yes | +| [environment\_variables](#input\_environment\_variables) | A map that defines environment variables for the Lambda Function. | `map(string)` | `{}` | no | +| [iam\_policy\_documents](#input\_iam\_policy\_documents) | List of IAM policy documents that are merged together. Documents later in the list override earlier ones | `list(string)` | `[]` | no | +| [image\_uri](#input\_image\_uri) | The image uri in ECR. | `string` | `null` | no | +| [kms\_key](#input\_kms\_key) | KMS key for the lambda log group | `any` | n/a | yes | +| [lambda\_name](#input\_lambda\_name) | A unique name for your Lambda Function | `string` | n/a | yes | +| [memory](#input\_memory) | The memory to use. | `number` | `null` | no | +| [package\_type](#input\_package\_type) | The Lambda deployment package type. | `string` | `"Image"` | no | +| [timeout](#input\_timeout) | The amount of time your Lambda Function has to run in seconds. 
| `number` | `30` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [lambda](#output\_lambda) | The lambda function | +| [lambda\_log](#output\_lambda\_log) | The lambda logs | +| [lambda\_role](#output\_lambda\_role) | The lambda role | +
diff --git a/terraform/environment/region/modules/mock_onelogin/README.md b/terraform/environment/region/modules/mock_onelogin/README.md
new file mode 100644
index 0000000000..fd2f93344c
--- /dev/null
+++ b/terraform/environment/region/modules/mock_onelogin/README.md
@@ -0,0 +1,79 @@ +# Mock One Login Module + +This module creates the resources required to mock One Login. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.region](#provider\_aws.region) | ~> 5.34.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_ecs_service.mock_onelogin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource | +| [aws_ecs_task_definition.mock_onelogin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource | +| [aws_lb.mock_onelogin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | +| [aws_lb_listener.mock_onelogin_loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_listener.mock_onelogin_loadbalancer_http_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_listener_certificate.mock_onelogin_loadbalancer_live_service_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_certificate) | resource | +| [aws_lb_target_group.mock_onelogin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | +| [aws_security_group.mock_onelogin_ecs_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.mock_onelogin_loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| 
[aws_security_group_rule.loadbalancer_ingress_route53_healthchecks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.mock_one_login_service_app_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.mock_onelogin_ecs_service_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.mock_onelogin_ecs_service_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.mock_onelogin_loadbalancer_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.mock_onelogin_loadbalancer_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.mock_onelogin_loadbalancer_port_80_redirect_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.mock_onelogin_loadbalancer_public_access_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_service_discovery_service.mock_onelogin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/service_discovery_service) | resource | +| [aws_acm_certificate.certificate_mock_onelogin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| 
[aws_ip_ranges.route53_healthchecks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ip_ranges) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_s3_bucket.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [alb\_deletion\_protection\_enabled](#input\_alb\_deletion\_protection\_enabled) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | n/a | yes | +| [app\_ecs\_service\_security\_group\_id](#input\_app\_ecs\_service\_security\_group\_id) | ID of the security group for the app ECS service | `string` | n/a | yes | +| [aws\_service\_discovery\_private\_dns\_namespace](#input\_aws\_service\_discovery\_private\_dns\_namespace) | ID and name of the AWS Service Discovery private DNS namespace |
object({
id = string
name = string
})
| n/a | yes | +| [container\_port](#input\_container\_port) | Port on the container to associate with. | `number` | n/a | yes | +| [container\_version](#input\_container\_version) | Version of the container to use | `string` | n/a | yes | +| [ecs\_application\_log\_group\_name](#input\_ecs\_application\_log\_group\_name) | The AWS Cloudwatch Log Group resource for application logging | `string` | n/a | yes | +| [ecs\_capacity\_provider](#input\_ecs\_capacity\_provider) | Name of the capacity provider to use. Valid values are FARGATE\_SPOT and FARGATE | `string` | n/a | yes | +| [ecs\_cluster](#input\_ecs\_cluster) | ARN of an ECS cluster. | `string` | n/a | yes | +| [ecs\_execution\_role](#input\_ecs\_execution\_role) | ID and ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume. |
object({
id = string
arn = string
})
| n/a | yes | +| [ecs\_service\_desired\_count](#input\_ecs\_service\_desired\_count) | Number of instances of the task definition to place and keep running. Defaults to 0. Do not specify if using the DAEMON scheduling strategy. | `number` | `0` | no | +| [ecs\_task\_role](#input\_ecs\_task\_role) | ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services. | `any` | n/a | yes | +| [ingress\_allow\_list\_cidr](#input\_ingress\_allow\_list\_cidr) | List of CIDR ranges permitted to access the service | `list(string)` | n/a | yes | +| [network](#input\_network) | VPC ID, a list of application subnets, and a list of private subnets required to provision the ECS service |
object({
vpc_id = string
application_subnets = list(string)
public_subnets = list(string)
})
| n/a | yes | +| [public\_access\_enabled](#input\_public\_access\_enabled) | Enable access to the Modernising LPA service from the public internet | `bool` | n/a | yes | +| [redirect\_base\_url](#input\_redirect\_base\_url) | Base URL expected for redirect\_url | `string` | n/a | yes | +| [repository\_url](#input\_repository\_url) | URL of the repository for the container to use | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [ecs\_service](#output\_ecs\_service) | n/a | +| [load\_balancer](#output\_load\_balancer) | n/a | +| [load\_balancer\_security\_group](#output\_load\_balancer\_security\_group) | n/a | + diff --git a/terraform/environment/region/modules/s3_antivirus/README.md b/terraform/environment/region/modules/s3_antivirus/README.md new file mode 100644 index 0000000000..0ec0f03765 --- /dev/null +++ b/terraform/environment/region/modules/s3_antivirus/README.md 
@@ -0,0 +1,61 @@ +# S3 Antivirus Module + +This module deploys a lambda function that scans S3 objects for viruses on put. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.region](#provider\_aws.region) | ~> 5.34.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_metric_alarm.virus_infections](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_iam_role_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_lambda_alias.lambda_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_alias) | resource | +| [aws_lambda_function.lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.allow_lambda_execution_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_lambda_provisioned_concurrency_config.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_provisioned_concurrency_config) | resource | +| [aws_s3_bucket_metric.virus_infections](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_metric) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| 
[aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_kms_alias.uploads_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_security_group.lambda_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [alarm\_sns\_topic\_arn](#input\_alarm\_sns\_topic\_arn) | ARN of the SNS topic for alarm notifications | `string` | n/a | yes | +| [aws\_subnet\_ids](#input\_aws\_subnet\_ids) | List of Sirius private subnet Ids | `list(string)` | n/a | yes | +| [data\_store\_bucket](#input\_data\_store\_bucket) | Data store bucket to scan for viruses | `any` | n/a | yes | +| [definition\_bucket](#input\_definition\_bucket) | Bucket containing virus definitions | `any` | n/a | yes | +| [ecr\_image\_uri](#input\_ecr\_image\_uri) | URI of ECR image to use for Lambda | `string` | n/a | yes | +| [environment\_variables](#input\_environment\_variables) | A map that defines environment variables for the Lambda Function. | `map(string)` | `{}` | no | +| [lambda\_task\_role](#input\_lambda\_task\_role) | Execution role for Lambda | `any` | n/a | yes | +| [s3\_antivirus\_provisioned\_concurrency](#input\_s3\_antivirus\_provisioned\_concurrency) | Number of concurrent executions to provision for Lambda | `number` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [lambda\_function](#output\_lambda\_function) | n/a | + 
diff --git a/terraform/environment/region/modules/uploads_s3_bucket/README.md b/terraform/environment/region/modules/uploads_s3_bucket/README.md
new file mode 100644
index 0000000000..9c0ca639f8
--- /dev/null
+++ b/terraform/environment/region/modules/uploads_s3_bucket/README.md
@@ -0,0 +1,79 @@ +# Uploads S3 Bucket Module + +This module creates an S3 bucket for storing uploads, triggers for virus scanning, S3 object replication to the case management application account. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5.2 | +| [aws](#requirement\_aws) | ~> 5.34.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.region](#provider\_aws.region) | ~> 5.34.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [s3\_create\_batch\_replication\_jobs](#module\_s3\_create\_batch\_replication\_jobs) | ../lambda | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_metric_alarm.replication-failed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_iam_policy.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.scheduler_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.s3_create_batch_replication_jobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.scheduler_invoke_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.cloudwatch_lambda_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| 
[aws_lambda_permission.av_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_lambda_permission.object_tagging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_logging.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource | +| [aws_s3_bucket_ownership_controls.bucket_object_ownership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.public_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_replication_configuration.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.bucket_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| 
[aws_scheduler_schedule.invoke_lambda_every_15_minutes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/scheduler_schedule) | resource | +| [aws_ssm_parameter.s3_batch_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source | +| [aws_iam_policy_document.assume_replication_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.s3_create_batch_replication_jobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.scheduler_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.scheduler_invoke_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| [aws_kms_alias.reduced_fees_uploads_s3_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| 
[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_s3_bucket.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [bucket\_name](#input\_bucket\_name) | Name of the bucket. do not use dots (.) except for buckets that are used only for static website hosting. | `string` | n/a | yes | +| [events\_received\_lambda\_function](#input\_events\_received\_lambda\_function) | Lambda function ARN for events received | `any` | n/a | yes | +| [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | +| [s3\_antivirus\_lambda\_function](#input\_s3\_antivirus\_lambda\_function) | Lambda function ARN for events received | `any` | n/a | yes | +| [s3\_replication](#input\_s3\_replication) | s3\_replication = {
enabled = "Enable S3 object replication"
destination\_bucket\_arn = "ARN of the destination bucket"
destination\_encryption\_key\_arn = "ARN of the destination encryption key"
destination\_account\_id = "Account ID of the destination bucket"
lambda\_function\_image\_ecr\_arn = "ARN of the lambda function to be invoked on a schedule to create replication jobs"
lambda\_function\_image\_ecr\_url = "URL of the lambda function to be invoked on a schedule to create replication jobs"
lambda\_function\_image\_tag = "Tag of the lambda function to be invoked on a schedule to create replication jobs"
enable\_s3\_batch\_job\_replication\_scheduler = "Enable scheduler to create replication jobs"
} |
object({
enabled = bool
destination_bucket_arn = string
destination_encryption_key_arn = string
destination_account_id = string
lambda_function_image_ecr_arn = string
lambda_function_image_ecr_url = string
lambda_function_image_tag = string
enable_s3_batch_job_replication_scheduler = bool
})
| n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket](#output\_bucket) | S3 uploads bucket. | + From 04ab706e4bc4e5b22c401a83389c98b2cc82f022 Mon Sep 17 00:00:00 2001 From: Joshua Hawxwell Date: Thu, 1 Feb 2024 13:01:29 +0000 Subject: [PATCH 2/3] MLPAB-1781 Show organisation name in header (#1016) Also changes header to match designs, and redirects to dashboard if supporter has an organisation. --- internal/app/app.go | 3 +- internal/page/app_data.go | 1 + .../page/attorney/enter_reference_number.go | 3 +- internal/page/attorney/register.go | 5 +- .../enter_reference_number.go | 3 +- internal/page/certificateprovider/register.go | 3 +- internal/page/donor/register.go | 7 +- internal/page/fixtures/supporter.go | 6 +- internal/page/login_callback.go | 13 +- internal/page/paths.go | 8 +- .../page/supporter/enter_organisation_name.go | 2 +- internal/page/supporter/guidance.go | 3 +- internal/page/supporter/guidance_test.go | 4 +- internal/page/supporter/invite_member.go | 8 +- internal/page/supporter/invite_member_test.go | 37 +---- internal/page/supporter/login_callback.go | 20 ++- .../page/supporter/login_callback_test.go | 134 +++++++++++------- .../page/supporter/organisation_created.go | 10 +- .../supporter/organisation_created_test.go | 27 +--- internal/page/supporter/register.go | 55 ++++--- internal/page/supporter/register_test.go | 115 +++++++++++++-- internal/sesh/sesh.go | 5 + web/assets/scss/main.scss | 14 ++ web/template/layout/login-header.gohtml | 21 ++- 24 files changed, 314 insertions(+), 193 deletions(-) diff --git a/internal/app/app.go b/internal/app/app.go index a7ef16306b..72e548bb84 100644 --- a/internal/app/app.go +++ b/internal/app/app.go @@ -2,7 +2,6 @@ package app import ( "context" - "encoding/base64" "fmt" "net/http" "strings" 
@@ -267,7 +266,7 @@ func makeHandle(mux *http.ServeMux, errorHandler page.ErrorHandler, store sesh.S return } - appData.SessionID = base64.StdEncoding.EncodeToString([]byte(loginSession.Sub)) + appData.SessionID = loginSession.SessionID() ctx = page.ContextWithSessionData(ctx, &page.SessionData{SessionID: appData.SessionID}) } diff --git a/internal/page/app_data.go b/internal/page/app_data.go index 029757c520..837a51e712 100644 --- a/internal/page/app_data.go +++ b/internal/page/app_data.go @@ -28,6 +28,7 @@ type AppData struct { OneloginURL string AppPublicURL string IsSupporter bool + OrganisationName string } func (d AppData) Redirect(w http.ResponseWriter, r *http.Request, url string) error { diff --git a/internal/page/attorney/enter_reference_number.go b/internal/page/attorney/enter_reference_number.go index 796668b61d..b5e270ebc1 100644 --- a/internal/page/attorney/enter_reference_number.go +++ b/internal/page/attorney/enter_reference_number.go @@ -1,7 +1,6 @@ package attorney import ( - "encoding/base64" "errors" "net/http" @@ -51,7 +50,7 @@ func EnterReferenceNumber(tmpl template.Template, shareCodeStore ShareCodeStore, } ctx := page.ContextWithSessionData(r.Context(), &page.SessionData{ - SessionID: base64.StdEncoding.EncodeToString([]byte(session.Sub)), + SessionID: session.SessionID(), LpaID: shareCode.LpaID, }) diff --git a/internal/page/attorney/register.go b/internal/page/attorney/register.go index a9df7b070e..8c3017cb14 100644 --- a/internal/page/attorney/register.go +++ b/internal/page/attorney/register.go @@ -2,7 +2,6 @@ package attorney import ( "context" - "encoding/base64" "io" "net/http" "time" @@ -152,7 +151,7 @@ func makeHandle(mux *http.ServeMux, store sesh.Store, errorHandler page.ErrorHan return } - appData.SessionID = base64.StdEncoding.EncodeToString([]byte(session.Sub)) + appData.SessionID = session.SessionID() ctx = page.ContextWithSessionData(ctx, &page.SessionData{SessionID: appData.SessionID, LpaID: appData.LpaID}) } 
@@ -177,7 +176,7 @@ func makeAttorneyHandle(mux *http.ServeMux, store sesh.Store, errorHandler page. return } - appData.SessionID = base64.StdEncoding.EncodeToString([]byte(session.Sub)) + appData.SessionID = session.SessionID() sessionData, err := page.SessionDataFromContext(ctx) if err == nil { diff --git a/internal/page/certificateprovider/enter_reference_number.go b/internal/page/certificateprovider/enter_reference_number.go index 3434fad3b2..825be3fad4 100644 --- a/internal/page/certificateprovider/enter_reference_number.go +++ b/internal/page/certificateprovider/enter_reference_number.go @@ -1,7 +1,6 @@ package certificateprovider import ( - "encoding/base64" "errors" "net/http" @@ -52,7 +51,7 @@ func EnterReferenceNumber(tmpl template.Template, shareCodeStore ShareCodeStore, } ctx := page.ContextWithSessionData(r.Context(), &page.SessionData{ - SessionID: base64.StdEncoding.EncodeToString([]byte(session.Sub)), + SessionID: session.SessionID(), LpaID: shareCode.LpaID, }) diff --git a/internal/page/certificateprovider/register.go b/internal/page/certificateprovider/register.go index 95ab7b35d6..44f05a5828 100644 --- a/internal/page/certificateprovider/register.go +++ b/internal/page/certificateprovider/register.go @@ -2,7 +2,6 @@ package certificateprovider import ( "context" - "encoding/base64" "io" "net/http" "time" @@ -185,7 +184,7 @@ func makeCertificateProviderHandle(mux *http.ServeMux, store sesh.Store, errorHa return } - appData.SessionID = base64.StdEncoding.EncodeToString([]byte(session.Sub)) + appData.SessionID = session.SessionID() sessionData, err := page.SessionDataFromContext(ctx) if err == nil { diff --git a/internal/page/donor/register.go b/internal/page/donor/register.go index e40aed330c..34385f463d 100644 --- a/internal/page/donor/register.go +++ b/internal/page/donor/register.go @@ -2,7 +2,6 @@ package donor import ( "context" - "encoding/base64" "fmt" "io" "net/http" 
@@ -404,10 +403,9 @@ func makeHandle(mux *http.ServeMux, store sesh.Store, defaultOptions page.Handle return } - appData.SessionID = base64.StdEncoding.EncodeToString([]byte(donorSession.Sub)) + appData.SessionID = donorSession.SessionID() sessionData, err := page.SessionDataFromContext(ctx) - if err == nil { sessionData.SessionID = appData.SessionID ctx = page.ContextWithSessionData(ctx, sessionData) @@ -444,10 +442,9 @@ func makeLpaHandle(mux *http.ServeMux, store sesh.Store, defaultOptions page.Han return } - appData.SessionID = base64.StdEncoding.EncodeToString([]byte(donorSession.Sub)) + appData.SessionID = donorSession.SessionID() sessionData, err := page.SessionDataFromContext(ctx) - if err == nil { sessionData.SessionID = appData.SessionID ctx = page.ContextWithSessionData(ctx, sessionData) diff --git a/internal/page/fixtures/supporter.go b/internal/page/fixtures/supporter.go index b51c552b10..f0d0e5da47 100644 --- a/internal/page/fixtures/supporter.go +++ b/internal/page/fixtures/supporter.go @@ -35,7 +35,11 @@ func Supporter(sessionStore sesh.Store, organisationStore OrganisationStore) pag } } - http.Redirect(w, r, "/supporter/"+redirect, http.StatusFound) + if redirect != page.Paths.Supporter.EnterOrganisationName.Format() { + redirect = "/supporter/" + redirect + } + + http.Redirect(w, r, redirect, http.StatusFound) return nil } } diff --git a/internal/page/login_callback.go b/internal/page/login_callback.go index 1ad0a4c065..1683e2bf9a 100644 --- a/internal/page/login_callback.go +++ b/internal/page/login_callback.go @@ -2,7 +2,6 @@ package page import ( "context" - "encoding/base64" "net/http" "github.com/ministryofjustice/opg-modernising-lpa/internal/actor" 
@@ -32,20 +31,18 @@ func LoginCallback(oneLoginClient LoginCallbackOneLoginClient, sessionStore sesh return err } - if err := sesh.SetLoginSession(sessionStore, r, w, &sesh.LoginSession{ + session := &sesh.LoginSession{ IDToken: idToken, Sub: userInfo.Sub, Email: userInfo.Email, - }); err != nil { + } + + if err := sesh.SetLoginSession(sessionStore, r, w, session); err != nil { return err } if actorType != actor.TypeDonor { - exists, err := dashboardStore.SubExistsForActorType( - r.Context(), - base64.StdEncoding.EncodeToString([]byte(userInfo.Sub)), - actorType, - ) + exists, err := dashboardStore.SubExistsForActorType(r.Context(), session.SessionID(), actorType) if err != nil { return err diff --git a/internal/page/paths.go b/internal/page/paths.go index bc447c94fa..0d7d459bec 100644 --- a/internal/page/paths.go +++ b/internal/page/paths.go @@ -169,11 +169,11 @@ type HealthCheckPaths struct { } type SupporterPaths struct { - Start Path - Login Path - LoginCallback Path + Start Path + Login Path + LoginCallback Path + EnterOrganisationName Path - EnterOrganisationName SupporterPath OrganisationCreated SupporterPath Dashboard SupporterPath InviteMember SupporterPath diff --git a/internal/page/supporter/enter_organisation_name.go b/internal/page/supporter/enter_organisation_name.go index 50639b0798..0931ee56b6 100644 --- a/internal/page/supporter/enter_organisation_name.go +++ b/internal/page/supporter/enter_organisation_name.go @@ -14,7 +14,7 @@ type enterOrganisationNameData struct { Form *enterOrganisationNameForm } -func EnterOrganisationName(tmpl template.Template, organisationStore OrganisationStore) Handler { +func EnterOrganisationName(tmpl template.Template, organisationStore OrganisationStore) page.Handler { return func(appData page.AppData, w http.ResponseWriter, r *http.Request) error { data := &enterOrganisationNameData{ App: appData, 
diff --git a/internal/page/supporter/guidance.go b/internal/page/supporter/guidance.go index df37d8e3fb..1d039025e0 100644 --- a/internal/page/supporter/guidance.go +++ b/internal/page/supporter/guidance.go @@ -5,6 +5,7 @@ import ( "net/url" "github.com/ministryofjustice/opg-go-common/template" + "github.com/ministryofjustice/opg-modernising-lpa/internal/actor" "github.com/ministryofjustice/opg-modernising-lpa/internal/page" "github.com/ministryofjustice/opg-modernising-lpa/internal/validation" ) @@ -16,7 +17,7 @@ type guidanceData struct { } func Guidance(tmpl template.Template) Handler { - return func(appData page.AppData, w http.ResponseWriter, r *http.Request) error { + return func(appData page.AppData, w http.ResponseWriter, r *http.Request, organisation *actor.Organisation) error { return tmpl(w, &guidanceData{ App: appData, Query: r.URL.Query(), diff --git a/internal/page/supporter/guidance_test.go b/internal/page/supporter/guidance_test.go index c7e4803242..66aebfddcf 100644 --- a/internal/page/supporter/guidance_test.go +++ b/internal/page/supporter/guidance_test.go @@ -18,7 +18,7 @@ func TestGuidance(t *testing.T) { Execute(w, &guidanceData{App: testAppData, Query: url.Values{}}). Return(nil) - err := Guidance(template.Execute)(testAppData, w, r) + err := Guidance(template.Execute)(testAppData, w, r, nil) resp := w.Result() assert.Nil(t, err) @@ -34,7 +34,7 @@ func TestGuidanceWhenTemplateErrors(t *testing.T) { Execute(w, &guidanceData{App: testAppData, Query: url.Values{}}). Return(expectedError) - err := Guidance(template.Execute)(testAppData, w, r) + err := Guidance(template.Execute)(testAppData, w, r, nil) assert.Equal(t, expectedError, err) } diff --git a/internal/page/supporter/invite_member.go b/internal/page/supporter/invite_member.go index b5d0ebf39c..3639b0d767 100644 --- a/internal/page/supporter/invite_member.go +++ b/internal/page/supporter/invite_member.go 
@@ -5,6 +5,7 @@ import ( "net/url" "github.com/ministryofjustice/opg-go-common/template" + "github.com/ministryofjustice/opg-modernising-lpa/internal/actor" "github.com/ministryofjustice/opg-modernising-lpa/internal/notify" "github.com/ministryofjustice/opg-modernising-lpa/internal/page" "github.com/ministryofjustice/opg-modernising-lpa/internal/validation" @@ -17,7 +18,7 @@ type inviteMemberData struct { } func InviteMember(tmpl template.Template, organisationStore OrganisationStore, notifyClient NotifyClient, randomString func(int) string) Handler { - return func(appData page.AppData, w http.ResponseWriter, r *http.Request) error { + return func(appData page.AppData, w http.ResponseWriter, r *http.Request, organisation *actor.Organisation) error { data := &inviteMemberData{ App: appData, Form: &inviteMemberForm{}, @@ -28,11 +29,6 @@ func InviteMember(tmpl template.Template, organisationStore OrganisationStore, n data.Errors = data.Form.Validate() if !data.Errors.Any() { - organisation, err := organisationStore.Get(r.Context()) - if err != nil { - return err - } - inviteCode := randomString(12) if err := organisationStore.CreateMemberInvite(r.Context(), organisation, data.Form.Email, inviteCode); err != nil { return err diff --git a/internal/page/supporter/invite_member_test.go b/internal/page/supporter/invite_member_test.go index ba6a8243ce..dac5b31d0e 100644 --- a/internal/page/supporter/invite_member_test.go +++ b/internal/page/supporter/invite_member_test.go @@ -27,7 +27,7 @@ func TestGetInviteMember(t *testing.T) { }). Return(nil) - err := InviteMember(template.Execute, nil, nil, nil)(testAppData, w, r) + err := InviteMember(template.Execute, nil, nil, nil)(testAppData, w, r, nil) resp := w.Result() assert.Nil(t, err) 
@@ -43,7 +43,7 @@ func TestGetInviteMemberWhenTemplateErrors(t *testing.T) { Execute(w, mock.Anything). Return(expectedError) - err := InviteMember(template.Execute, nil, nil, nil)(testAppData, w, r) + err := InviteMember(template.Execute, nil, nil, nil)(testAppData, w, r, nil) resp := w.Result() assert.Equal(t, expectedError, err) @@ -60,9 +60,6 @@ func TestPostInviteMember(t *testing.T) { organisation := &actor.Organisation{Name: "My organisation"} organisationStore := newMockOrganisationStore(t) - organisationStore.EXPECT(). - Get(r.Context()). - Return(organisation, nil) organisationStore.EXPECT(). CreateMemberInvite(r.Context(), organisation, "email@example.com", "abcde"). Return(nil) @@ -75,7 +72,7 @@ func TestPostInviteMember(t *testing.T) { }). Return(nil) - err := InviteMember(nil, organisationStore, notifyClient, func(int) string { return "abcde" })(testAppData, w, r) + err := InviteMember(nil, organisationStore, notifyClient, func(int) string { return "abcde" })(testAppData, w, r, organisation) resp := w.Result() assert.Nil(t, err) 
@@ -101,29 +98,13 @@ func TestPostInviteMemberWhenValidationError(t *testing.T) { }). Return(nil) - err := InviteMember(template.Execute, nil, nil, nil)(testAppData, w, r) + err := InviteMember(template.Execute, nil, nil, nil)(testAppData, w, r, nil) resp := w.Result() assert.Nil(t, err) assert.Equal(t, http.StatusOK, resp.StatusCode) } -func TestPostInviteMemberWhenOrganisationGetErrors(t *testing.T) { - form := url.Values{"email": {"email@example.com"}} - - w := httptest.NewRecorder() - r, _ := http.NewRequest(http.MethodPost, "/", strings.NewReader(form.Encode())) - r.Header.Add("Content-Type", page.FormUrlEncoded) - - organisationStore := newMockOrganisationStore(t) - organisationStore.EXPECT(). - Get(r.Context()). - Return(&actor.Organisation{}, expectedError) - - err := InviteMember(nil, organisationStore, nil, func(int) string { return "abcde" })(testAppData, w, r) - assert.Equal(t, expectedError, err) -} - func TestPostInviteMemberWhenCreateMemberInviteErrors(t *testing.T) { form := url.Values{"email": {"email@example.com"}} @@ -132,14 +113,11 @@ func TestPostInviteMemberWhenCreateMemberInviteErrors(t *testing.T) { r.Header.Add("Content-Type", page.FormUrlEncoded) organisationStore := newMockOrganisationStore(t) - organisationStore.EXPECT(). - Get(r.Context()). - Return(&actor.Organisation{}, nil) organisationStore.EXPECT(). CreateMemberInvite(r.Context(), mock.Anything, mock.Anything, mock.Anything). Return(expectedError) - err := InviteMember(nil, organisationStore, nil, func(int) string { return "abcde" })(testAppData, w, r) + err := InviteMember(nil, organisationStore, nil, func(int) string { return "abcde" })(testAppData, w, r, &actor.Organisation{}) assert.Equal(t, expectedError, err) } 
@@ -151,9 +129,6 @@ func TestPostInviteMemberWhenNotifySendErrors(t *testing.T) { r.Header.Add("Content-Type", page.FormUrlEncoded) organisationStore := newMockOrganisationStore(t) - organisationStore.EXPECT(). - Get(r.Context()). - Return(&actor.Organisation{}, nil) organisationStore.EXPECT(). CreateMemberInvite(r.Context(), mock.Anything, mock.Anything, mock.Anything). Return(nil) @@ -163,7 +138,7 @@ func TestPostInviteMemberWhenNotifySendErrors(t *testing.T) { SendEmail(r.Context(), mock.Anything, mock.Anything). Return(expectedError) - err := InviteMember(nil, organisationStore, notifyClient, func(int) string { return "abcde" })(testAppData, w, r) + err := InviteMember(nil, organisationStore, notifyClient, func(int) string { return "abcde" })(testAppData, w, r, &actor.Organisation{}) assert.Equal(t, expectedError, err) } diff --git a/internal/page/supporter/login_callback.go b/internal/page/supporter/login_callback.go index 220410761a..0ec726fda7 100644 --- a/internal/page/supporter/login_callback.go +++ b/internal/page/supporter/login_callback.go @@ -2,8 +2,10 @@ package supporter import ( "context" + "errors" "net/http" + "github.com/ministryofjustice/opg-modernising-lpa/internal/dynamo" "github.com/ministryofjustice/opg-modernising-lpa/internal/onelogin" "github.com/ministryofjustice/opg-modernising-lpa/internal/page" "github.com/ministryofjustice/opg-modernising-lpa/internal/sesh" @@ -14,7 +16,7 @@ type LoginCallbackOneLoginClient interface { UserInfo(ctx context.Context, accessToken string) (onelogin.UserInfo, error) } -func LoginCallback(oneLoginClient LoginCallbackOneLoginClient, sessionStore sesh.Store) page.Handler { +func LoginCallback(oneLoginClient LoginCallbackOneLoginClient, sessionStore sesh.Store, organisationStore OrganisationStore) page.Handler { return func(appData page.AppData, w http.ResponseWriter, r *http.Request) error { oneLoginSession, err := sesh.OneLogin(sessionStore, r) if err != nil { 
@@ -31,11 +33,23 @@ func LoginCallback(oneLoginClient LoginCallbackOneLoginClient, sessionStore sesh return err } - if err := sesh.SetLoginSession(sessionStore, r, w, &sesh.LoginSession{ + session := &sesh.LoginSession{ IDToken: idToken, Sub: userInfo.Sub, Email: userInfo.Email, - }); err != nil { + } + + if err := sesh.SetLoginSession(sessionStore, r, w, session); err != nil { + return err + } + + ctx := page.ContextWithSessionData(r.Context(), &page.SessionData{SessionID: session.SessionID()}) + + _, err = organisationStore.Get(ctx) + if err == nil { + return page.Paths.Supporter.Dashboard.Redirect(w, r, appData) + } + if !errors.Is(err, dynamo.NotFoundError{}) { return err } diff --git a/internal/page/supporter/login_callback_test.go b/internal/page/supporter/login_callback_test.go index b3951edee3..31a094823b 100644 --- a/internal/page/supporter/login_callback_test.go +++ b/internal/page/supporter/login_callback_test.go @@ -6,6 +6,8 @@ import ( "testing" "github.com/gorilla/sessions" + "github.com/ministryofjustice/opg-modernising-lpa/internal/actor" + "github.com/ministryofjustice/opg-modernising-lpa/internal/dynamo" "github.com/ministryofjustice/opg-modernising-lpa/internal/onelogin" "github.com/ministryofjustice/opg-modernising-lpa/internal/page" "github.com/ministryofjustice/opg-modernising-lpa/internal/sesh" 
@@ -14,57 +16,89 @@ import ( ) func TestLoginCallback(t *testing.T) { - w := httptest.NewRecorder() - r, _ := http.NewRequest(http.MethodGet, "/?code=auth-code&state=my-state", nil) - - client := newMockOneLoginClient(t) - client.EXPECT(). - Exchange(r.Context(), "auth-code", "my-nonce"). - Return("id-token", "a JWT", nil) - client.EXPECT(). - UserInfo(r.Context(), "a JWT"). - Return(onelogin.UserInfo{Sub: "random", Email: "name@example.com"}, nil) - - sessionStore := newMockSessionStore(t) - - session := sessions.NewSession(sessionStore, "session") - session.Options = &sessions.Options{ - Path: "/", - MaxAge: 86400, - SameSite: http.SameSiteLaxMode, - HttpOnly: true, - Secure: true, - } - session.Values = map[any]any{ - "session": &sesh.LoginSession{ - IDToken: "id-token", - Sub: "random", - Email: "name@example.com", + testcases := map[string]struct { + getError error + redirect string + expectedError error + }{ + "no organisation": { + getError: dynamo.NotFoundError{}, + redirect: page.Paths.Supporter.EnterOrganisationName.Format(), + }, + "has organisation": { + redirect: page.Paths.Supporter.Dashboard.Format(), + }, + "error getting organisation": { + getError: expectedError, + expectedError: expectedError, }, } - sessionStore.EXPECT(). - Get(r, "params"). - Return(&sessions.Session{ - Values: map[any]any{ - "one-login": &sesh.OneLoginSession{ - State: "my-state", - Nonce: "my-nonce", - Locale: "en", - Redirect: "/redirect", - }, - }, - }, nil) - sessionStore.EXPECT(). - Save(r, w, session). - Return(nil) + for name, tc := range testcases { + t.Run(name, func(t *testing.T) { - err := LoginCallback(client, sessionStore)(page.AppData{}, w, r) - assert.Nil(t, err) - resp := w.Result() + w := httptest.NewRecorder() + r, _ := http.NewRequest(http.MethodGet, "/?code=auth-code&state=my-state", nil) + + loginSession := &sesh.LoginSession{ + IDToken: "id-token", + Sub: "random", + Email: "name@example.com", + } + + client := newMockOneLoginClient(t) + client.EXPECT(). 
+ Exchange(r.Context(), "auth-code", "my-nonce"). + Return("id-token", "a JWT", nil) + client.EXPECT(). + UserInfo(r.Context(), "a JWT"). + Return(onelogin.UserInfo{Sub: "random", Email: "name@example.com"}, nil) + + sessionStore := newMockSessionStore(t) - assert.Equal(t, http.StatusFound, resp.StatusCode) - assert.Equal(t, page.Paths.Supporter.EnterOrganisationName.Format(), resp.Header.Get("Location")) + session := sessions.NewSession(sessionStore, "session") + session.Options = &sessions.Options{ + Path: "/", + MaxAge: 86400, + SameSite: http.SameSiteLaxMode, + HttpOnly: true, + Secure: true, + } + session.Values = map[any]any{"session": loginSession} + + sessionStore.EXPECT(). + Get(r, "params"). + Return(&sessions.Session{ + Values: map[any]any{ + "one-login": &sesh.OneLoginSession{ + State: "my-state", + Nonce: "my-nonce", + Locale: "en", + Redirect: "/redirect", + }, + }, + }, nil) + sessionStore.EXPECT(). + Save(r, w, session). + Return(nil) + + organisationStore := newMockOrganisationStore(t) + organisationStore.EXPECT(). + Get(page.ContextWithSessionData(r.Context(), &page.SessionData{SessionID: loginSession.SessionID()})). + Return(&actor.Organisation{}, tc.getError) + + err := LoginCallback(client, sessionStore, organisationStore)(page.AppData{}, w, r) + if tc.expectedError != nil { + assert.Equal(t, tc.expectedError, err) + } else { + assert.Nil(t, err) + resp := w.Result() + + assert.Equal(t, http.StatusFound, resp.StatusCode) + assert.Equal(t, tc.redirect, resp.Header.Get("Location")) + } + }) + } } func TestLoginCallbackSessionMissing(t *testing.T) { @@ -115,7 +149,7 @@ func TestLoginCallbackSessionMissing(t *testing.T) { Get(r, "params"). Return(tc.session, tc.getErr) - err := LoginCallback(nil, sessionStore)(page.AppData{}, w, r) + err := LoginCallback(nil, sessionStore, nil)(page.AppData{}, w, r) assert.Equal(t, tc.expectedErr, err) }) } 
@@ -139,7 +173,7 @@ func TestLoginCallbackWhenExchangeErrors(t *testing.T) { }, }, nil) - err := LoginCallback(client, sessionStore)(page.AppData{}, w, r) + err := LoginCallback(client, sessionStore, nil)(page.AppData{}, w, r) assert.Equal(t, expectedError, err) } @@ -164,7 +198,7 @@ func TestLoginCallbackWhenUserInfoError(t *testing.T) { }, }, nil) - err := LoginCallback(client, sessionStore)(page.AppData{}, w, r) + err := LoginCallback(client, sessionStore, nil)(page.AppData{}, w, r) assert.Equal(t, expectedError, err) } @@ -197,6 +231,6 @@ func TestLoginCallbackWhenSessionError(t *testing.T) { Save(r, w, mock.Anything). Return(expectedError) - err := LoginCallback(client, sessionStore)(page.AppData{}, w, r) + err := LoginCallback(client, sessionStore, nil)(page.AppData{}, w, r) assert.Equal(t, expectedError, err) } diff --git a/internal/page/supporter/organisation_created.go b/internal/page/supporter/organisation_created.go index 1d46480d81..924359e49a 100644 --- a/internal/page/supporter/organisation_created.go +++ b/internal/page/supporter/organisation_created.go @@ -4,6 +4,7 @@ import ( "net/http" "github.com/ministryofjustice/opg-go-common/template" + "github.com/ministryofjustice/opg-modernising-lpa/internal/actor" "github.com/ministryofjustice/opg-modernising-lpa/internal/page" "github.com/ministryofjustice/opg-modernising-lpa/internal/validation" ) 
@@ -14,13 +15,8 @@ type organisationCreatedData struct { OrganisationName string } -func OrganisationCreated(tmpl template.Template, organisationStore OrganisationStore) Handler { - return func(appData page.AppData, w http.ResponseWriter, r *http.Request) error { - organisation, err := organisationStore.Get(r.Context()) - if err != nil { - return err - } - +func OrganisationCreated(tmpl template.Template) Handler { + return func(appData page.AppData, w http.ResponseWriter, r *http.Request, organisation *actor.Organisation) error { return tmpl(w, organisationCreatedData{ App: appData, OrganisationName: organisation.Name, diff --git a/internal/page/supporter/organisation_created_test.go b/internal/page/supporter/organisation_created_test.go index 3a4b7bf044..674d5844e0 100644 --- a/internal/page/supporter/organisation_created_test.go +++ b/internal/page/supporter/organisation_created_test.go 
@@ -14,50 +14,27 @@ func TestOrganisationCreated(t *testing.T) { w := httptest.NewRecorder() r, _ := http.NewRequest(http.MethodGet, "/", nil) - organisationStore := newMockOrganisationStore(t) - organisationStore.EXPECT(). - Get(r.Context()). - Return(&actor.Organisation{Name: "A name"}, nil) - template := newMockTemplate(t) template.EXPECT(). Execute(w, organisationCreatedData{App: testAppData, OrganisationName: "A name"}). Return(nil) - err := OrganisationCreated(template.Execute, organisationStore)(testAppData, w, r) + err := OrganisationCreated(template.Execute)(testAppData, w, r, &actor.Organisation{Name: "A name"}) resp := w.Result() assert.Nil(t, err) assert.Equal(t, http.StatusOK, resp.StatusCode) } -func TestOrganisationCreatedWhenOrganisationStoreErrors(t *testing.T) { - w := httptest.NewRecorder() - r, _ := http.NewRequest(http.MethodGet, "/", nil) - - organisationStore := newMockOrganisationStore(t) - organisationStore.EXPECT(). - Get(r.Context()). - Return(nil, expectedError) - - err := OrganisationCreated(nil, organisationStore)(testAppData, w, r) - assert.Equal(t, expectedError, err) -} - func TestOrganisationCreatedWhenTemplateErrors(t *testing.T) { w := httptest.NewRecorder() r, _ := http.NewRequest(http.MethodGet, "/", nil) - organisationStore := newMockOrganisationStore(t) - organisationStore.EXPECT(). - Get(r.Context()). - Return(&actor.Organisation{Name: "A name"}, nil) - template := newMockTemplate(t) template.EXPECT(). Execute(w, mock.Anything). Return(expectedError) - err := OrganisationCreated(template.Execute, organisationStore)(testAppData, w, r) + err := OrganisationCreated(template.Execute)(testAppData, w, r, &actor.Organisation{Name: "A name"}) assert.Equal(t, expectedError, err) } diff --git a/internal/page/supporter/register.go b/internal/page/supporter/register.go index a1002aa1ee..0c20f1e43a 100644 --- a/internal/page/supporter/register.go +++ b/internal/page/supporter/register.go 
@@ -2,7 +2,6 @@ package supporter import ( "context" - "encoding/base64" "io" "net/http" @@ -40,7 +39,7 @@ type NotifyClient interface { type Template func(io.Writer, interface{}) error -type Handler func(data page.AppData, w http.ResponseWriter, r *http.Request) error +type Handler func(data page.AppData, w http.ResponseWriter, r *http.Request, organisation *actor.Organisation) error type ErrorHandler func(http.ResponseWriter, *http.Request, error) 
@@ -55,25 +54,25 @@ func Register( notifyClient NotifyClient, ) { paths := page.Paths.Supporter - handleRoot := makeHandle(rootMux, errorHandler) + handleRoot := makeHandle(rootMux, sessionStore, errorHandler) - handleRoot(paths.Login, + handleRoot(paths.Login, page.None, page.Login(oneLoginClient, sessionStore, random.String, paths.LoginCallback)) - handleRoot(paths.LoginCallback, - LoginCallback(oneLoginClient, sessionStore)) + handleRoot(paths.LoginCallback, page.None, + LoginCallback(oneLoginClient, sessionStore, organisationStore)) + handleRoot(paths.EnterOrganisationName, page.RequireSession, + EnterOrganisationName(tmpls.Get("enter_organisation_name.gohtml"), organisationStore)) supporterMux := http.NewServeMux() rootMux.Handle("/supporter/", http.StripPrefix("/supporter", supporterMux)) - handleSupporter := makeHandle(supporterMux, errorHandler) - handleWithSupporter := makeSupporterHandle(supporterMux, sessionStore, errorHandler) + handleSupporter := makeHandle(supporterMux, sessionStore, errorHandler) + handleWithSupporter := makeSupporterHandle(supporterMux, sessionStore, errorHandler, organisationStore) - handleSupporter(page.Paths.Root, notFoundHandler) + handleSupporter(page.Paths.Root, page.None, notFoundHandler) - handleWithSupporter(paths.EnterOrganisationName, - EnterOrganisationName(tmpls.Get("enter_organisation_name.gohtml"), organisationStore)) handleWithSupporter(paths.OrganisationCreated, - OrganisationCreated(tmpls.Get("organisation_created.gohtml"), organisationStore)) + OrganisationCreated(tmpls.Get("organisation_created.gohtml"))) handleWithSupporter(paths.Dashboard, Guidance(tmpls.Get("dashboard.gohtml"))) handleWithSupporter(paths.InviteMember, 
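Review bot: `EnterOrganisationName` is now registered on the root mux under `page.RequireSession` only, so nothing in this hunk stops a supporter who already belongs to an organisation from reaching it; unless the handler itself checks (its body is outside this hunk), a second organisation could be created for the same sub. The login callback in this commit already does that lookup, so the same guard fits here, e.g. `organisationStore.Get(ctx)` at the top of the handler returning `page.Paths.Supporter.Dashboard.Redirect(w, r, appData)` when it succeeds, or a dedicated `HandleOpt` in `makeHandle`. Either way the registration deserves a comment such as `// EnterOrganisationName sits outside /supporter/ because the supporter wrapper requires an existing organisation.`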
@@ -82,8 +81,8 @@ func Register( Guidance(tmpls.Get("invite_member_confirmation.gohtml"))) } -func makeHandle(mux *http.ServeMux, errorHandler page.ErrorHandler) func(page.Path, page.Handler) { - return func(path page.Path, h page.Handler) { +func makeHandle(mux *http.ServeMux, store sesh.Store, errorHandler page.ErrorHandler) func(page.Path, page.HandleOpt, page.Handler) { + return func(path page.Path, opt page.HandleOpt, h page.Handler) { mux.HandleFunc(path.String(), func(w http.ResponseWriter, r *http.Request) { ctx := r.Context() @@ -91,6 +90,17 @@ func makeHandle(mux *http.ServeMux, errorHandler page.ErrorHandler) func(page.Pa appData.Page = path.Format() appData.IsSupporter = true + if opt&page.RequireSession != 0 { + session, err := sesh.Login(store, r) + if err != nil { + http.Redirect(w, r, page.Paths.Supporter.Start.Format(), http.StatusFound) + return + } + + appData.SessionID = session.SessionID() + ctx = page.ContextWithSessionData(ctx, &page.SessionData{SessionID: appData.SessionID}) + } + if err := h(appData, w, r.WithContext(page.ContextWithAppData(ctx, appData))); err != nil { errorHandler(w, r, err) } @@ -98,7 +108,7 @@ func makeHandle(mux *http.ServeMux, errorHandler page.ErrorHandler) func(page.Pa } } -func makeSupporterHandle(mux *http.ServeMux, store sesh.Store, errorHandler page.ErrorHandler) func(page.SupporterPath, Handler) { +func makeSupporterHandle(mux *http.ServeMux, store sesh.Store, errorHandler page.ErrorHandler, organisationStore OrganisationStore) func(page.SupporterPath, Handler) { return func(path page.SupporterPath, h Handler) { mux.HandleFunc(path.String(), func(w http.ResponseWriter, r *http.Request) { ctx := r.Context() 
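Review bot: In the new `RequireSession` branch of `makeHandle` every error from `sesh.Login(store, r)` — a missing cookie or a session-store read failure alike — becomes a 302 to `Supporter.Start`, and the error value is dropped. Failing closed is the right default, but a store outage will then look like every supporter being logged out with nothing reaching `errorHandler`; if `sesh.Login` distinguishes "no session" from other failures, route the latter through `errorHandler(w, r, err)` instead. The redirect also discards the requested path, so the user is not returned to it after logging in, which may be acceptable but should be stated. A comment like `// RequireSession: unauthenticated requests are bounced to Start rather than erroring` would capture the intent. The closure continues past the end of this hunk.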
@@ -110,13 +120,20 @@ func makeSupporterHandle(mux *http.ServeMux, store sesh.Store, errorHandler page return } + appData.SessionID = session.SessionID() + ctx = page.ContextWithSessionData(ctx, &page.SessionData{SessionID: appData.SessionID}) + + organisation, err := organisationStore.Get(ctx) + if err != nil { + errorHandler(w, r, err) + return + } + appData.Page = path.Format() appData.IsSupporter = true - appData.SessionID = base64.StdEncoding.EncodeToString([]byte(session.Sub)) + appData.OrganisationName = organisation.Name - ctx = page.ContextWithSessionData(ctx, &page.SessionData{SessionID: appData.SessionID}) - - if err := h(appData, w, r.WithContext(page.ContextWithAppData(ctx, appData))); err != nil { + if err := h(appData, w, r.WithContext(page.ContextWithAppData(ctx, appData)), organisation); err != nil { errorHandler(w, r, err) } }) diff --git a/internal/page/supporter/register_test.go b/internal/page/supporter/register_test.go index 5d1afe5f1f..6888b6e60c 100644 --- a/internal/page/supporter/register_test.go +++ b/internal/page/supporter/register_test.go @@ -8,11 +8,13 @@ import ( "github.com/gorilla/sessions" "github.com/ministryofjustice/opg-go-common/template" + "github.com/ministryofjustice/opg-modernising-lpa/internal/actor" "github.com/ministryofjustice/opg-modernising-lpa/internal/notify" "github.com/ministryofjustice/opg-modernising-lpa/internal/onelogin" "github.com/ministryofjustice/opg-modernising-lpa/internal/page" "github.com/ministryofjustice/opg-modernising-lpa/internal/sesh" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" ) var expectedError = errors.New("err") 
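Review bot: `makeSupporterHandle` now calls `organisationStore.Get(ctx)` and hands every failure to `errorHandler`, including the not-found case that the login callback in this same commit treats as "no organisation yet" via `errors.Is(err, dynamo.NotFoundError{})`. Unless `errorHandler` maps that error itself, a logged-in supporter without an organisation who requests any `/supporter/` path gets the generic error page instead of being sent to create one. Handle it consistently with the callback: `if errors.Is(err, dynamo.NotFoundError{}) { http.Redirect(w, r, page.Paths.Supporter.EnterOrganisationName.Format(), http.StatusFound); return }` ahead of the existing `errorHandler` call (`errors` and `dynamo` would need importing in register.go). The enclosing closure begins in the previous hunk.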
@@ -30,8 +32,8 @@ func TestMakeHandle(t *testing.T) {
 	r, _ := http.NewRequest(http.MethodGet, "/path?a=b", nil)
 	mux := http.NewServeMux()
-	handle := makeHandle(mux, nil)
-	handle("/path", func(appData page.AppData, hw http.ResponseWriter, hr *http.Request) error {
+	handle := makeHandle(mux, nil, nil)
+	handle("/path", page.None, func(appData page.AppData, hw http.ResponseWriter, hr *http.Request) error {
 		assert.Equal(t, page.AppData{
 			Page: "/path",
 			IsSupporter: true,
@@ -57,15 +59,66 @@ func TestMakeHandleErrors(t *testing.T) {
 		Execute(w, r, expectedError)
 	mux := http.NewServeMux()
-	handle := makeHandle(mux, errorHandler.Execute)
-	handle("/path", func(appData page.AppData, hw http.ResponseWriter, hr *http.Request) error {
+	handle := makeHandle(mux, nil, errorHandler.Execute)
+	handle("/path", page.None, func(appData page.AppData, hw http.ResponseWriter, hr *http.Request) error {
 		return expectedError
 	})
 	mux.ServeHTTP(w, r)
 }
-func TestMakeSupporterHandleWhenDetailsProvidedAndUIDExists(t *testing.T) {
+func TestMakeHandleWhenRequireSession(t *testing.T) {
+	w := httptest.NewRecorder()
+	r, _ := http.NewRequest(http.MethodGet, "/path?a=b", nil)
+
+	sessionStore := newMockSessionStore(t)
+	sessionStore.EXPECT().
+		Get(r, "session").
+		Return(&sessions.Session{Values: map[any]any{"session": &sesh.LoginSession{Sub: "random"}}}, nil)
+
+	mux := http.NewServeMux()
+	handle := makeHandle(mux, sessionStore, nil)
+	handle("/path", page.RequireSession, func(appData page.AppData, hw http.ResponseWriter, hr *http.Request) error {
+		assert.Equal(t, page.AppData{
+			Page: "/path",
+			SessionID: "cmFuZG9t",
+			IsSupporter: true,
+		}, appData)
+		assert.Equal(t, w, hw)
+
+		hw.WriteHeader(http.StatusTeapot)
+		return nil
+	})
+
+	mux.ServeHTTP(w, r)
+	resp := w.Result()
+
+	assert.Equal(t, http.StatusTeapot, resp.StatusCode)
+}
+
+func TestMakeHandleWhenRequireSessionErrors(t *testing.T) {
+	w := httptest.NewRecorder()
+	r, _ := http.NewRequest(http.MethodGet, "/path?a=b", nil)
+
+	sessionStore := newMockSessionStore(t)
+	sessionStore.EXPECT().
+		Get(r, "session").
+		Return(nil, expectedError)
+
+	mux := http.NewServeMux()
+	handle := makeHandle(mux, sessionStore, nil)
+	handle("/path", page.RequireSession, func(appData page.AppData, hw http.ResponseWriter, hr *http.Request) error {
+		return nil
+	})
+
+	mux.ServeHTTP(w, r)
+	resp := w.Result()
+
+	assert.Equal(t, http.StatusFound, resp.StatusCode)
+	assert.Equal(t, page.Paths.Supporter.Start.Format(), resp.Header.Get("Location"))
+}
+
+func TestMakeSupporterHandle(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest(http.MethodGet, "/path", nil)
@@ -76,8 +129,13 @@ func TestMakeSupporterHandleWhenDetailsProvidedAndUIDExists(t *testing.T) {
 		Get(r, "session").
 		Return(&sessions.Session{Values: map[any]any{"session": &sesh.LoginSession{Sub: "random"}}}, nil)
-	handle := makeSupporterHandle(mux, sessionStore, nil)
-	handle("/path", func(appData page.AppData, hw http.ResponseWriter, hr *http.Request) error {
+	organisationStore := newMockOrganisationStore(t)
+	organisationStore.EXPECT().
+		Get(page.ContextWithSessionData(r.Context(), &page.SessionData{SessionID: "cmFuZG9t"})).
+		Return(&actor.Organisation{}, nil)
+
+	handle := makeSupporterHandle(mux, sessionStore, nil, organisationStore)
+	handle("/path", func(appData page.AppData, hw http.ResponseWriter, hr *http.Request, organisation *actor.Organisation) error {
 		assert.Equal(t, page.AppData{
 			Page: "/supporter/path",
 			SessionID: "cmFuZG9t",
@@ -110,9 +168,9 @@ func TestMakeSupporterHandleWhenSessionStoreError(t *testing.T) {
 		Get(r, "session").
 		Return(&sessions.Session{}, expectedError)
-	handle := makeSupporterHandle(mux, sessionStore, nil)
-	handle("/path", func(_ page.AppData, _ http.ResponseWriter, _ *http.Request) error {
-		return expectedError
+	handle := makeSupporterHandle(mux, sessionStore, nil, nil)
+	handle("/path", func(_ page.AppData, _ http.ResponseWriter, _ *http.Request, _ *actor.Organisation) error {
+		return nil
 	})
 	mux.ServeHTTP(w, r)
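Review bot: `TestMakeHandleWhenRequireSessionErrors` registers a handler that just returns nil, so the test would still pass if the `return` after `http.Redirect` in makeHandle were lost and the handler ran on an unauthenticated request; the redirect status and Location header would be unchanged. The same gap is in `TestMakeSupporterHandleWhenOrganisationStoreErrors` on the next line, and the switch from `return expectedError` to `return nil` in `TestMakeSupporterHandleWhenSessionStoreError` in this hunk removes the incidental detection it had (a wrongly invoked handler returning an error would have hit the nil errorHandler and panicked). Suggest making the guard explicit in all three, e.g. `handle("/path", page.RequireSession, func(page.AppData, http.ResponseWriter, *http.Request) error { t.Fatal("handler must not run without a session"); return nil })`.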
@@ -122,6 +180,34 @@ func TestMakeSupporterHandleWhenSessionStoreError(t *testing.T) {
 	assert.Equal(t, page.Paths.Supporter.Start.Format(), resp.Header.Get("Location"))
 }
+func TestMakeSupporterHandleWhenOrganisationStoreErrors(t *testing.T) {
+	w := httptest.NewRecorder()
+	r, _ := http.NewRequest(http.MethodGet, "/path", nil)
+
+	mux := http.NewServeMux()
+
+	errorHandler := newMockErrorHandler(t)
+	errorHandler.EXPECT().
+		Execute(w, r, expectedError)
+
+	sessionStore := newMockSessionStore(t)
+	sessionStore.EXPECT().
+		Get(r, "session").
+		Return(&sessions.Session{Values: map[any]any{"session": &sesh.LoginSession{Sub: "random"}}}, nil)
+
+	organisationStore := newMockOrganisationStore(t)
+	organisationStore.EXPECT().
+		Get(mock.Anything).
+		Return(nil, expectedError)
+
+	handle := makeSupporterHandle(mux, sessionStore, errorHandler.Execute, organisationStore)
+	handle("/path", func(appData page.AppData, hw http.ResponseWriter, hr *http.Request, organisation *actor.Organisation) error {
+		return nil
+	})
+
+	mux.ServeHTTP(w, r)
+}
+
 func TestMakeSupporterHandleErrors(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest(http.MethodGet, "/path", nil)
@@ -135,9 +221,14 @@ func TestMakeSupporterHandleErrors(t *testing.T) {
 		Get(r, "session").
 		Return(&sessions.Session{Values: map[any]any{"session": &sesh.LoginSession{Sub: "random"}}}, nil)
+	organisationStore := newMockOrganisationStore(t)
+	organisationStore.EXPECT().
+		Get(mock.Anything).
+		Return(&actor.Organisation{}, nil)
+
 	mux := http.NewServeMux()
-	handle := makeSupporterHandle(mux, sessionStore, errorHandler.Execute)
-	handle("/path", func(_ page.AppData, _ http.ResponseWriter, _ *http.Request) error {
+	handle := makeSupporterHandle(mux, sessionStore, errorHandler.Execute, organisationStore)
+	handle("/path", func(_ page.AppData, _ http.ResponseWriter, _ *http.Request, _ *actor.Organisation) error {
 		return expectedError
 	})
diff --git a/internal/sesh/sesh.go b/internal/sesh/sesh.go
index b829ddf53d..6d551a12f6 100644
--- a/internal/sesh/sesh.go
+++ b/internal/sesh/sesh.go
@@ -1,6 +1,7 @@
 package sesh
 import (
+	"encoding/base64"
 	"encoding/gob"
 	"fmt"
 	"net/http"
@@ -111,6 +112,10 @@ type LoginSession struct {
 	Email string
 }
+func (s LoginSession) SessionID() string {
+	return base64.StdEncoding.EncodeToString([]byte(s.Sub))
+}
+
 func (s LoginSession) Valid() bool {
 	return s.Sub != ""
 }
diff --git a/web/assets/scss/main.scss b/web/assets/scss/main.scss
index 87ed829b76..65c46793ee 100644
--- a/web/assets/scss/main.scss
+++ b/web/assets/scss/main.scss
@@ -91,3 +91,17 @@ body:not(.js-enabled) .govuk-back-link {
     padding-bottom: 0;
   }
 }
+
+.app-service-header-caption {
+  @include govuk-responsive-padding(1, "top");
+
+  @include govuk-media-query($from: tablet) {
+    @include govuk-responsive-padding(4, "bottom");
+  }
+}
+
+.app-padding-top-7-non-mobile {
+  @include govuk-media-query($from: tablet) {
+    @include govuk-responsive-padding(7, "top");
+  }
+}
diff --git a/web/template/layout/login-header.gohtml b/web/template/layout/login-header.gohtml
index 4116d27f6a..2bfe8753f1 100644
--- a/web/template/layout/login-header.gohtml
+++ b/web/template/layout/login-header.gohtml
@@ -91,8 +91,11 @@
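Review bot: `SessionID` is an exported method on LoginSession with no doc comment, and since both makeHandle and makeSupporterHandle now rely on it as the identifier they put into AppData and SessionData, its contract should be stated where it is defined. Suggest `// SessionID returns the standard base64 encoding of Sub; it is the identifier stored in page.AppData and page.SessionData for a logged-in user.` It is worth adding that the value is a reversible encoding rather than a hash, so anywhere it is logged or persisted it carries the same sensitivity as Sub itself, and that for an empty Sub (the case Valid rejects) it returns "" — callers should check Valid first unless sesh.Login already does, which I cannot see from this hunk.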

{{ if .App.IsSupporter }}{{ tr .App "helpSomeoneMakeLastingPowerOfAttorney" }}{{ else }}{{ tr .App "serviceName" }}{{ end }}

+ {{ if .App.OrganisationName }} + {{ .App.OrganisationName }} + {{ end }}
-
+