Plt 1605 establish cdap-test and cdap-prod codebuild runners (#400)

## 🎫 Ticket

https://jira.cms.gov/browse/...

## 🛠 Changes

<!-- What was added, updated, or removed in this PR? -->
Establishes new codebuild runners in the cdap-test and cdap-prod
environments.
Allows for continued use of bcda-prod, as is, with x86 available to all
repositories.
Allows for continued use of bcda-app-arm64 and bcda-ssas-app-arm64.

## ℹ️ Context
These changes are made to ensure that all codebuild resources are
operating in cdap-test and cdap-prod so that cdap-mgmt may be
deprecated.

<!-- Why were these changes made? Add background context suitable for a
non-technical audience. -->

<!-- If any of the following security implications apply, this PR must
not be merged without Stephen Walter's approval. Explain in this section
and add @SJWalter11 as a reviewer.
  - Adds a new software dependency or dependencies.
  - Modifies or invalidates one or more of our security controls.
  - Stores or transmits data that was not stored or transmitted before.
- Requires additional review of security implications for other reasons.
-->

## 🧪 Validation
There is no change for the bcda-prod runner resources, including the new
arm64 runners.

The changes in cdap-prod and cdap-test configurations introduce 40
resources. These will be established and then follow up PRs will be
submitted to test their use with cdap lambdas and cdap actions.

<!-- How were the changes verified? Did you fully test the acceptance
criteria in the ticket? Provide reproducible testing instructions and
screenshots if applicable. -->

Author: mianava

terraform/modules/standards/outputs.tf

@@ -40,6 +40,12 @@ output "env" {
   value       = local.env
 }
 
+output "account_env_suffix" {
+  description = "[\"prod\" or \"non-prod\"] The AWS account shorthand to distinguish environment hierarchy."
+  sensitive   = false
+  value       = (var.env == "prod" || var.env == "sandbox") ? "prod" : "non-prod"
+}
+
 output "default_tags" {
   description = "Map of tags for use in AWS provider block `default_tags`. Merges collection of standard tags with optional, user-specificed `additional_tags`"
   sensitive   = false

terraform/services/codebuild-projects/conf.sh

@@ -1 +1 @@
-TARGET_ENVS="bcda-prod" # TODO this should be cdap-mgmt
+TARGET_ENVS="bcda-prod cdap-test" # TODO deprecate bcda-prod usage once all teams are using new codebuild images

terraform/services/codebuild-projects/data.tf

@@ -1,12 +1,13 @@
 data "aws_caller_identity" "current" {}
 
 data "aws_security_group" "security_tools" {
-  vpc_id = module.vpc.id
+  vpc_id = var.app == "bcda" ? module.vpc[0].id : module.standards.cdap_vpc.id
   name   = "cmscloud-security-tools"
 }
 
 data "aws_security_group" "security_validation_egress" {
-  vpc_id = module.vpc.id
+  count  = var.app == "bcda" ? 1 : 0
+  vpc_id = module.vpc[0].id
   name   = "cms-cloud-security-validation-egress"
 }
 

terraform/services/codebuild-projects/main.tf

@@ -1,5 +1,9 @@
 locals {
-  x86_repos = [
+  arm64_image               = "aws/codebuild/amazonlinux2-aarch64-standard:2.0"
+  x86_image                 = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+  arm64_changeover_projects = var.app == "bcda" ? ["bcda-app", "bcda-ssas-app"] : []
+
+  repos = [
     "ab2d",
     "ab2d-website",
     "bcda-app",
@@ -10,36 +14,19 @@ locals {
     "dpc-ops",
     "dpc-static-site",
   ]
-
-  arm64_repos = [
-    "bcda-app",
-    "bcda-ssas-app"
-  ]
 }
 
 module "standards" {
   source = "../../modules/standards"
 
   app         = "cdap"
-  env         = "mgmt"
+  env         = var.app == "bcda" ? "mgmt" : var.env
   root_module = "https://github.com/CMSgov/cdap/tree/main/terraform/services/codebuild-projects"
   service     = "codebuild-projects"
   providers   = { aws = aws, aws.secondary = aws.secondary }
 }
 
-module "vpc" {
-  source = "../../modules/vpc"
-
-  app = "cdap"
-  env = "mgmt"
-}
-
-module "subnets" {
-  source = "../../modules/subnets"
-
-  vpc_id = module.vpc.id
-  use    = "private"
-}
+# IAM
 
 resource "aws_iam_role" "codebuild" {
   name                 = "codebuild-runner"
@@ -64,8 +51,48 @@ resource "aws_iam_role_policy_attachment" "ssm_read_only" {
   policy_arn = data.aws_iam_policy.ssm_read_only.arn
 }
 
+# Network
+resource "aws_security_group" "codebuild_project" {
+  for_each = var.app == "cdap" ? toset(local.repos) : toset([])
+
+  name = "${each.key}-${module.standards.account_env_suffix}-codebuild-project"
+
+  description = "For the ${module.standards.account_env_suffix} ${each.key}"
+  vpc_id      = module.standards.cdap_vpc.id
+}
+
+resource "aws_vpc_security_group_egress_rule" "codebuild_project" {
+  for_each = aws_security_group.codebuild_project
+
+  security_group_id = aws_security_group.codebuild_project[each.key].id
+
+  cidr_ipv4   = "0.0.0.0/0"
+  from_port   = 0
+  ip_protocol = "tcp"
+  to_port     = 0
+}
+
+# TODO: To deprecate cdap-mgmt runners remove conditional logic for vpc_id and set to use standards module only.
+module "subnets" {
+  source = "../../modules/subnets"
+
+  vpc_id = var.app == "bcda" ? module.vpc[0].id : module.standards.cdap_vpc.id
+  use    = "private"
+}
+
+## TO DO: Delete cdap-mgmt codebuilder runners that are managed through bcda-prod terraform and use the cdap-mgmt VPC.
+## Remove all blocks from here until the "per_repo" resource instantiations
+module "vpc" {
+  count  = var.app == "bcda" ? 1 : 0
+  source = "../../modules/vpc"
+
+  app = "cdap"
+  env = "mgmt"
+}
+
+
 resource "aws_codebuild_project" "this" {
-  for_each = toset(local.x86_repos)
+  for_each = var.app == "bcda" ? toset(local.repos) : toset([])
 
   name         = each.key
   description  = "Codebuild project for ${each.key}"
@@ -77,18 +104,18 @@ resource "aws_codebuild_project" "this" {
 
   environment {
     compute_type                = "BUILD_GENERAL1_SMALL"
-    image                       = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+    image                       = local.x86_image
     type                        = "LINUX_CONTAINER"
     image_pull_credentials_type = "CODEBUILD"
     privileged_mode             = true
   }
 
   vpc_config {
-    vpc_id  = module.vpc.id
+    vpc_id  = module.vpc[0].id
     subnets = module.subnets.ids
     security_group_ids = [
       data.aws_security_group.security_tools.id,
-      data.aws_security_group.security_validation_egress.id
+      data.aws_security_group.security_validation_egress[0].id
     ]
   }
 
@@ -117,7 +144,7 @@ resource "aws_codebuild_project" "this" {
 }
 
 resource "aws_codebuild_webhook" "this" {
-  for_each = toset(local.x86_repos)
+  for_each = aws_codebuild_project.this
 
   project_name = each.key
   build_type   = "BUILD"
@@ -129,10 +156,11 @@ resource "aws_codebuild_webhook" "this" {
   }
 }
 
+# ARM64 Configurations that were established before migrating towards a cdap-test and cdap-prod managed codebuild project
+# Moving from these will require code change in bcda-app and bcda-ssas-app
 
-# ARM64 Configurations
 resource "aws_codebuild_project" "arm64" {
-  for_each = toset(local.arm64_repos)
+  for_each = var.app == "bcda" ? toset(local.arm64_changeover_projects) : toset([])
 
   name         = "${each.key}-arm64"
   description  = "Codebuild project for ${each.key} using arm64"
@@ -151,11 +179,11 @@ resource "aws_codebuild_project" "arm64" {
   }
 
   vpc_config {
-    vpc_id  = module.vpc.id
+    vpc_id  = module.vpc[0].id
     subnets = module.subnets.ids
     security_group_ids = [
       data.aws_security_group.security_tools.id,
-      data.aws_security_group.security_validation_egress.id
+      data.aws_security_group.security_validation_egress[0].id
     ]
   }
 
@@ -188,3 +216,73 @@ resource "aws_codebuild_webhook" "arm64" {
     }
   }
 }
+
+## Maintain the following after cdap-mgmt deprecation:
+# Create cdap-test and cdap-prod resources separately for direct deprecation of old resources by block deletion without more code change
+
+resource "aws_codebuild_project" "per_repo" {
+  for_each = var.app == "cdap" ? toset(local.repos) : toset([])
+
+  name         = "${each.key}-${module.standards.account_env_suffix}"
+  description  = "Codebuild project for ${each.key}"
+  service_role = aws_iam_role.codebuild.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = local.arm64_image
+    type                        = "ARM_CONTAINER"
+    image_pull_credentials_type = "CODEBUILD"
+    privileged_mode             = true
+  }
+
+  vpc_config {
+    vpc_id  = module.standards.cdap_vpc.id
+    subnets = module.subnets.ids
+    security_group_ids = [
+      data.aws_security_group.security_tools.id,
+      aws_security_group.codebuild_project[each.key].id
+    ]
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      status = "ENABLED"
+    }
+  }
+
+  source {
+    type            = "GITHUB"
+    location        = "https://github.com/CMSgov/${each.key}"
+    git_clone_depth = 1
+
+    git_submodules_config {
+      fetch_submodules = false
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      build_timeout,
+      environment[0].compute_type
+    ]
+  }
+}
+
+resource "aws_codebuild_webhook" "per_repo" {
+  for_each = aws_codebuild_project.per_repo
+
+  project_name = "${each.key}-${module.standards.account_env_suffix}"
+  build_type   = "BUILD"
+  filter_group {
+    filter {
+      type    = "EVENT"
+      pattern = "WORKFLOW_JOB_QUEUED"
+    }
+  }
+}
+
+

terraform/services/codebuild-projects/variables.tf

@@ -0,0 +1,17 @@
+variable "app" {
+  description = "The application name (cdap, bcda)"
+  type        = string
+  validation {
+    condition     = contains(["bcda", "cdap"], var.app)
+    error_message = "Valid value for app is bcda or cdap."
+  }
+}
+
+variable "env" {
+  description = "The application environment (dev, test, mgmt, sbx, sandbox, prod)"
+  type        = string
+  validation {
+    condition     = contains(["test", "prod"], var.env)
+    error_message = "Valid value for env is test or prod."
+  }
+}