
VED-270: Terraform fixes. #408

Merged
mfjarvis merged 22 commits into master from VED-270-terraform-fixes on May 30, 2025

Conversation

@mfjarvis mfjarvis commented May 9, 2025

Summary

  • ❗ Breaking Change
  • 🤖 Operational or Infrastructure Change
  • ⚠️ Potential issues that might be caused by this change

Main changes:

  • Consolidate non-prod and prod folders in infra Terraform
  • Move environment-specific resources from infra to instance-level Terraform:
    • DynamoDB tables (audit, delta and events)
    • Batch destination S3 buckets
    • Config S3 buckets
  • Add dynamodb:BatchGetItem permission to delta access role in non-prod environments
  • Remove redundant data sources for resources managed in the same Terraform workspace
  • Inline some policy documents for readability
  • General tidying up
  • Format everything with terraform fmt

Before merging, we'll need to import various resources into Terraform state:

# internal-dev
terraform import aws_dynamodb_table.audit-table immunisation-batch-internal-dev-audit-table
terraform import aws_dynamodb_table.delta-dynamodb-table imms-internal-dev-delta
terraform import aws_dynamodb_table.events-dynamodb-table imms-internal-dev-imms-events

terraform import aws_s3_bucket.batch_data_destination_bucket immunisation-batch-internal-dev-data-destinations
terraform import aws_s3_bucket_policy.batch_data_destination_bucket_policy immunisation-batch-internal-dev-data-destinations
terraform import aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption immunisation-batch-internal-dev-data-destinations

terraform import "aws_s3_bucket.batch_config_bucket[0]" imms-internal-dev-supplier-config
terraform import "aws_s3_bucket_public_access_block.batch_config_bucket_public_access_block[0]" imms-internal-dev-supplier-config
terraform import "aws_s3_bucket_policy.batch_config_bucket_policy[0]" imms-internal-dev-supplier-config

# int
terraform import aws_dynamodb_table.audit-table immunisation-batch-int-audit-table
terraform import aws_dynamodb_table.delta-dynamodb-table imms-int-delta
terraform import aws_dynamodb_table.events-dynamodb-table imms-int-imms-events

terraform import aws_s3_bucket.batch_data_destination_bucket immunisation-batch-int-data-destinations
terraform import aws_s3_bucket_policy.batch_data_destination_bucket_policy immunisation-batch-int-data-destinations
terraform import aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption immunisation-batch-int-data-destinations

# ref
terraform import aws_dynamodb_table.audit-table immunisation-batch-ref-audit-table
terraform import aws_dynamodb_table.delta-dynamodb-table imms-ref-delta
terraform import aws_dynamodb_table.events-dynamodb-table imms-ref-imms-events

terraform import aws_s3_bucket.batch_data_destination_bucket immunisation-batch-ref-data-destinations
terraform import aws_s3_bucket_policy.batch_data_destination_bucket_policy immunisation-batch-ref-data-destinations
terraform import aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption immunisation-batch-ref-data-destinations

# prod
terraform import aws_dynamodb_table.audit-table immunisation-batch-prod-audit-table
terraform import aws_dynamodb_table.delta-dynamodb-table imms-prod-delta
terraform import aws_dynamodb_table.events-dynamodb-table imms-prod-imms-events

terraform import aws_s3_bucket.batch_data_destination_bucket immunisation-batch-prod-data-destinations
terraform import aws_s3_bucket_policy.batch_data_destination_bucket_policy immunisation-batch-prod-data-destinations
terraform import aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption immunisation-batch-prod-data-destinations
terraform import aws_s3_bucket_lifecycle_configuration.data_destinations immunisation-batch-prod-data-destinations

terraform import "aws_s3_bucket.batch_config_bucket[0]" imms-prod-supplier-config
terraform import "aws_s3_bucket_public_access_block.batch_config_bucket_public_access_block[0]" imms-prod-supplier-config
terraform import "aws_s3_bucket_policy.batch_config_bucket_policy[0]" imms-prod-supplier-config

Reviews Required

  • Dev
  • Test
  • Tech Author
  • Product Owner

Review Checklist

ℹ️ This section is to be filled in by the reviewer.

  • I have reviewed the changes in this PR and they fill all or part of the acceptance criteria of the ticket, and the code is in a mergeable state.
  • If there were infrastructure, operational, or build changes, I have made sure there is sufficient evidence that the changes will work.
  • I have ensured the changelog has been updated by the submitter, if necessary.
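
The import list above is a one-off, per-environment procedure, and `terraform import` is not idempotent: it errors if the address is already in state, and the addresses with a `[0]` index need quoting. The script below is an added example, not code from PR #408 or the project; it drives the imports from one table (the address-to-ID mapping is copied from the PR description), skips addresses already present in a `terraform state list` listing, prints the commands for review instead of running them, and finishes with a `terraform plan -detailed-exitcode` check so a rewritten bucket policy or encryption block is noticed before apply. The sample state listing is constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of PR #408: build the per-environment import list
# from a single table.  Address -> ID rows are copied from the PR description;
# the sample state listing at the bottom is constructed for offline testing.

# Rows present in every environment: address|id-template ({env} substituted).
COMMON_ROWS='
aws_dynamodb_table.audit-table|immunisation-batch-{env}-audit-table
aws_dynamodb_table.delta-dynamodb-table|imms-{env}-delta
aws_dynamodb_table.events-dynamodb-table|imms-{env}-imms-events
aws_s3_bucket.batch_data_destination_bucket|immunisation-batch-{env}-data-destinations
aws_s3_bucket_policy.batch_data_destination_bucket_policy|immunisation-batch-{env}-data-destinations
aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption|immunisation-batch-{env}-data-destinations
'
# The lifecycle configuration is only imported in prod.
PROD_ROWS='
aws_s3_bucket_lifecycle_configuration.data_destinations|immunisation-batch-{env}-data-destinations
'
# The config bucket (count index [0]) exists only in internal-dev and prod.
CONFIG_ROWS='
aws_s3_bucket.batch_config_bucket[0]|imms-{env}-supplier-config
aws_s3_bucket_public_access_block.batch_config_bucket_public_access_block[0]|imms-{env}-supplier-config
aws_s3_bucket_policy.batch_config_bucket_policy[0]|imms-{env}-supplier-config
'

# Emit the rows that apply to one environment name.
rows_for_env() {
  printf '%s' "$COMMON_ROWS"
  case "$1" in prod) printf '%s' "$PROD_ROWS" ;; esac
  case "$1" in internal-dev|prod) printf '%s' "$CONFIG_ROWS" ;; esac
}

# Addresses with an index must be quoted on the command line.
quote_addr() {
  case "$1" in *\[*) printf '"%s"' "$1" ;; *) printf '%s' "$1" ;; esac
}

# plan_imports ENV STATE_FILE: print one `terraform import` line per resource
# not yet listed in STATE_FILE (output of `terraform state list` for ENV) and a
# comment line for each address that is already managed.  Nothing is executed.
plan_imports() {
  envname=$1
  state_file=$2
  rows_for_env "$envname" | while IFS='|' read -r addr id_tmpl; do
    [ -n "$addr" ] || continue
    id=$(printf '%s' "$id_tmpl" | sed "s/{env}/$envname/g")
    if grep -Fxq -- "$addr" "$state_file"; then
      printf '# already in state: %s\n' "$addr"
    else
      printf 'terraform import %s %s\n' "$(quote_addr "$addr")" "$id"
    fi
  done
}

# After importing: exit code 2 means the imported object differs from the
# configuration (for example a bucket policy or encryption block that apply
# would rewrite), so the plan must be read before anything is applied.
verify_no_changes() {
  rc=0
  terraform plan -detailed-exitcode -input=false >/dev/null || rc=$?
  case "$rc" in
    0) echo "state matches config" ;;
    2) echo "plan would change imported resources: review it before apply" ;;
    *) echo "terraform plan failed" ;;
  esac
  return "$rc"
}

# Constructed sample listing: the audit table was imported by hand earlier,
# everything else is still unmanaged.
SAMPLE_STATE=$(mktemp)
printf '%s\n' 'aws_dynamodb_table.audit-table' > "$SAMPLE_STATE"

# Real use: terraform state list > state.txt; plan_imports int state.txt | sh
plan_imports "${1:-internal-dev}" "$SAMPLE_STATE"
```

Run it once per workspace with that workspace's real `terraform state list` output in place of the sample file, review the printed commands, pipe them to `sh`, then call `verify_no_changes` and read any non-empty plan before applying.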

}

# TODO - remove and use the key we manage in this Terraform workspace
data "aws_kms_key" "existing_lambda_env_encryption" {
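
Review bot: the `data "aws_kms_key" "existing_lambda_env_encryption"` lookup is kept behind a TODO with no ticket reference; if nothing in this workspace references it, delete it in this PR rather than carrying it forward, and if something does, record the ticket here, because a data source keeps every apply dependent on a key that this workspace does not manage.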

Seemed safest to add this in, but I'm not actually sure it's even used. The Lambda functions all seem to use the default KMS key for env var encryption.

source_arn = "arn:aws:s3:::local-immunisation-mesh"
}

# TODO - This is scoped to the bucket, so is overwritten by each deployment
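
Review bot: `source_arn = "arn:aws:s3:::local-immunisation-mesh"` hard-codes a bucket name with no environment component, which is why the TODO says each deployment overwrites it; until that is fixed, an apply in one environment silently replaces the grant another environment depends on, so the TODO should carry the ticket number, and if this is an `aws_lambda_permission` for an S3 principal it should also set `source_account` next to `source_arn`, since a bucket ARN contains no account ID to tie the grant to.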

Create ticket for this

retention_in_days = 30
}

# TODO - This is global, so is overwritten by each deployment - move to infra Terraform?
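
Review bot: `retention_in_days = 30` sits on a resource the TODO itself calls global, so two or more workspaces own the same object and the last apply wins, including whatever retention the other environment intended; moving it to the infra workspace as the TODO suggests is the right fix, and the TODO should reference the ticket so it does not outlive this PR.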

Create ticket for this

project_domain_name = data.aws_route53_zone.project_zone.name
service_domain_name = "${local.env}.${local.project_domain_name}"

# For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account.

Create ticket for a better fix - if we didn't use a whole Redis instance for config, we could have one bucket per instance of the API

@mfjarvis mfjarvis force-pushed the VED-270-terraform-fixes branch from 4fe3286 to 1773d5f on May 26, 2025 01:08
@robertnovac1 (Contributor) commented:

Generally looks really good. Sonar reported some security hotspots; maybe it's worth looking into those or resolving them later. Also, the docker provider is pinned to 3.0.2 in main.tf in both the infra and terraform folders. This might be the cause of the issues we are seeing with Dependabot:

docker = { source = "kreuzwerker/docker" version = "3.0.2" }

@mfjarvis mfjarvis marked this pull request as ready for review May 30, 2025 15:41
@mfjarvis mfjarvis enabled auto-merge (squash) May 30, 2025 15:41

@mfjarvis mfjarvis merged commit 84e10aa into master May 30, 2025
8 checks passed
@mfjarvis mfjarvis deleted the VED-270-terraform-fixes branch May 30, 2025 15:53