Replace faulty identity vault curator with Terraform

bheesham · bheesham · commit 32ae0d89dba5 · 2025-07-28T22:32:57.000-04:00
This doesn't completely replicate the functionality, but something's better
than nothing. And now we get to x-ref using Terraform!

Jira: IAM-1668
diff --git a/terraform/infra/dev/dynamo.tf b/terraform/infra/dev/dynamo.tf
@@ -0,0 +1,68 @@
+resource "aws_dynamodb_table" "dynamo" {
+  name                        = "${var.environment}-identity-vault"
+  billing_mode                = "PAY_PER_REQUEST"
+  deletion_protection_enabled = false
+  hash_key                    = "id"
+  region                      = "us-west-2"
+  stream_enabled              = true
+  stream_view_type            = "KEYS_ONLY"
+  table_class                 = "STANDARD"
+  attribute {
+    name = "id"
+    type = "S"
+  }
+  attribute {
+    name = "primary_email"
+    type = "S"
+  }
+  attribute {
+    name = "primary_username"
+    type = "S"
+  }
+  attribute {
+    name = "sequence_number"
+    type = "S"
+  }
+  attribute {
+    name = "user_uuid"
+    type = "S"
+  }
+  global_secondary_index {
+    hash_key           = "primary_email"
+    name               = "${var.environment}-identity-vault-primary_email"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  global_secondary_index {
+    hash_key           = "primary_username"
+    name               = "${var.environment}-identity-vault-primary_username"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  global_secondary_index {
+    hash_key           = "sequence_number"
+    name               = "${var.environment}-identity-vault-sequence_number"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = null
+  }
+  global_secondary_index {
+    hash_key           = "user_uuid"
+    name               = "${var.environment}-identity-vault-user_uuid"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  point_in_time_recovery {
+    enabled = false
+  }
+  ttl {
+    enabled = false
+  }
+  tags = {
+    application     = "identity-vault"
+    cis_environment = "development"
+  }
+}
diff --git a/terraform/infra/dev/imports.tf b/terraform/infra/dev/imports.tf
@@ -0,0 +1,4 @@
+import {
+  id = "development-identity-vault"
+  to = aws_dynamodb_table.dynamo
+}
diff --git a/terraform/infra/prod/.terraform.lock.hcl b/terraform/infra/prod/.terraform.lock.hcl
diff --git a/terraform/infra/prod/defaults.auto.tfvars b/terraform/infra/prod/defaults.auto.tfvars
@@ -0,0 +1 @@
+environment = "production"
diff --git a/terraform/infra/prod/dynamo.tf b/terraform/infra/prod/dynamo.tf
@@ -0,0 +1,68 @@
+resource "aws_dynamodb_table" "dynamo" {
+  billing_mode                = "PAY_PER_REQUEST"
+  deletion_protection_enabled = false
+  hash_key                    = "id"
+  name                        = "${var.environment}-identity-vault"
+  region                      = "us-west-2"
+  stream_enabled              = true
+  stream_view_type            = "KEYS_ONLY"
+  table_class                 = "STANDARD"
+  attribute {
+    name = "id"
+    type = "S"
+  }
+  attribute {
+    name = "primary_email"
+    type = "S"
+  }
+  attribute {
+    name = "primary_username"
+    type = "S"
+  }
+  attribute {
+    name = "sequence_number"
+    type = "S"
+  }
+  attribute {
+    name = "user_uuid"
+    type = "S"
+  }
+  global_secondary_index {
+    hash_key           = "primary_email"
+    name               = "${var.environment}-identity-vault-primary_email"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  global_secondary_index {
+    hash_key           = "primary_username"
+    name               = "${var.environment}-identity-vault-primary_username"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  global_secondary_index {
+    hash_key           = "sequence_number"
+    name               = "${var.environment}-identity-vault-sequence_number"
+    non_key_attributes = []
+    projection_type    = "ALL"
+  }
+  global_secondary_index {
+    hash_key           = "user_uuid"
+    name               = "${var.environment}-identity-vault-user_uuid"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  point_in_time_recovery {
+    enabled                 = true
+    recovery_period_in_days = 35
+  }
+  ttl {
+    enabled        = false
+  }
+  tags = {
+    application     = "identity-vault"
+    cis_environment = "production"
+  }
+}
diff --git a/terraform/infra/prod/imports.tf b/terraform/infra/prod/imports.tf
@@ -0,0 +1,4 @@
+import {
+  id = "production-identity-vault"
+  to = aws_dynamodb_table.dynamo
+}
diff --git a/terraform/infra/prod/provider.tf b/terraform/infra/prod/provider.tf
@@ -0,0 +1,32 @@
+# Locked with:
+# terraform providers lock -platform darwin_amd64 -platform darwin_arm64 -platform linux_amd64 -platform linux_arm64
+terraform {
+  required_version = ">= 1.5.0"
+  backend "s3" {
+    # Re-using the one from mozilla-iam/iam-infra, to save having multiple
+    # places to audit.
+    bucket = "eks-terraform-shared-state"
+    key    = "cis/terraform/infra/prod/terraform.tfstate"
+    region = "us-west-2"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-west-2"
+  default_tags {
+    tags = {
+      Component      = "CIS"
+      FunctionalArea = "SSO"
+      Owner          = "IAM"
+      Repository     = "github.com/mozilla-iam/cis"
+      Environment    = var.environment
+      ManagedBy      = "Terraform"
+    }
+  }
+}
diff --git a/terraform/infra/prod/variables.tf b/terraform/infra/prod/variables.tf
@@ -0,0 +1,3 @@
+variable "environment" {
+  type = string
+}
diff --git a/terraform/infra/test/.terraform.lock.hcl b/terraform/infra/test/.terraform.lock.hcl
diff --git a/terraform/infra/test/defaults.auto.tfvars b/terraform/infra/test/defaults.auto.tfvars
@@ -0,0 +1 @@
+environment = "testing"
diff --git a/terraform/infra/test/dynamo.tf b/terraform/infra/test/dynamo.tf
@@ -0,0 +1,67 @@
+resource "aws_dynamodb_table" "dynamo" {
+  billing_mode                = "PAY_PER_REQUEST"
+  deletion_protection_enabled = false
+  hash_key                    = "id"
+  name                        = "${var.environment}-identity-vault"
+  region                      = "us-west-2"
+  stream_enabled              = true
+  stream_view_type            = "KEYS_ONLY"
+  table_class                 = "STANDARD"
+  attribute {
+    name = "id"
+    type = "S"
+  }
+  attribute {
+    name = "primary_email"
+    type = "S"
+  }
+  attribute {
+    name = "primary_username"
+    type = "S"
+  }
+  attribute {
+    name = "sequence_number"
+    type = "S"
+  }
+  attribute {
+    name = "user_uuid"
+    type = "S"
+  }
+  global_secondary_index {
+    hash_key           = "primary_email"
+    name               = "production-identity-vault-primary_email"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  global_secondary_index {
+    hash_key           = "primary_username"
+    name               = "production-identity-vault-primary_username"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  global_secondary_index {
+    hash_key           = "sequence_number"
+    name               = "production-identity-vault-sequence_number"
+    non_key_attributes = []
+    projection_type    = "ALL"
+  }
+  global_secondary_index {
+    hash_key           = "user_uuid"
+    name               = "production-identity-vault-user_uuid"
+    non_key_attributes = []
+    projection_type    = "ALL"
+    range_key          = "id"
+  }
+  point_in_time_recovery {
+    enabled = false
+  }
+  ttl {
+    enabled = false
+  }
+  tags = {
+    application     = "identity-vault"
+    cis_environment = "testing"
+  }
+}
diff --git a/terraform/infra/test/imports.tf b/terraform/infra/test/imports.tf
@@ -0,0 +1,4 @@
+import {
+  id = "testing-identity-vault"
+  to = aws_dynamodb_table.dynamo
+}
diff --git a/terraform/infra/test/provider.tf b/terraform/infra/test/provider.tf
@@ -0,0 +1,32 @@
+# Locked with:
+# terraform providers lock -platform darwin_amd64 -platform darwin_arm64 -platform linux_amd64 -platform linux_arm64
+terraform {
+  required_version = ">= 1.5.0"
+  backend "s3" {
+    # Re-using the one from mozilla-iam/iam-infra, to save having multiple
+    # places to audit.
+    bucket = "eks-terraform-shared-state"
+    key    = "cis/terraform/infra/test/terraform.tfstate"
+    region = "us-west-2"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-west-2"
+  default_tags {
+    tags = {
+      Component      = "CIS"
+      FunctionalArea = "SSO"
+      Owner          = "IAM"
+      Repository     = "github.com/mozilla-iam/cis"
+      Environment    = var.environment
+      ManagedBy      = "Terraform"
+    }
+  }
+}
diff --git a/terraform/infra/test/variables.tf b/terraform/infra/test/variables.tf
@@ -0,0 +1,3 @@
+variable "environment" {
+  type = string
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+variable "environment" {`
	`2`	`+ type = string`
	`3`	`+}`