BFD-2963: Migrate Global TF Modules to mgmt (#2079)

Co-authored-by: Michael J Burling <[email protected]>
CMSgov · Dec 6, 2023 · d2eb420 · d2eb420
1 parent 1f09633
commit d2eb420
Show file tree

Hide file tree

Showing 18 changed files with 35 additions and 171 deletions.
diff --git a/ops/terraform/env/global/dynamodb/backend.tf b/ops/terraform/env/global/dynamodb/backend.tf
diff --git a/ops/terraform/env/global/ec2/.terraform-docs.yml b/ops/terraform/env/global/ec2/.terraform-docs.yml
diff --git a/ops/terraform/env/global/ec2/README.md b/ops/terraform/env/global/ec2/README.md
diff --git a/ops/terraform/env/global/ec2/backend.tf b/ops/terraform/env/global/ec2/backend.tf
diff --git a/ops/terraform/env/global/ec2/main.tf b/ops/terraform/env/global/ec2/main.tf
diff --git a/ops/terraform/env/global/s3/terraform.tf b/ops/terraform/env/global/s3/terraform.tf
diff --git a/ops/terraform/env/global/security/backend.tf b/ops/terraform/env/global/security/backend.tf
diff --git a/ops/terraform/env/global/security/managed_prefix_lists.tf b/ops/terraform/env/global/security/managed_prefix_lists.tf
diff --git a/ops/terraform/env/global/security/variables.tf b/ops/terraform/env/global/security/variables.tf
diff --git a/ops/terraform/env/global/dynamodb/main.tf → ops/terraform/env/mgmt/dynamodb.tf b/ops/terraform/env/global/dynamodb/main.tf → ops/terraform/env/mgmt/dynamodb.tf
@@ -1,14 +1,9 @@
-provider "aws" {
-  version = "~> 3.44.0"
-  region  = "us-east-1"
-}
-
 resource "aws_dynamodb_table" "state_table" {
   name           = "bfd-tf-table"
   read_capacity  = 5
   write_capacity = 5
   hash_key       = "LockID"
-  billing_mode   = "PAY_PER_REQUEST"
+  billing_mode   = "PROVISIONED"
 
   attribute {
     name = "LockID"

diff --git a/ops/terraform/env/global/ec2/ebs.tf → ops/terraform/env/mgmt/ebs.tf b/ops/terraform/env/global/ec2/ebs.tf → ops/terraform/env/mgmt/ebs.tf
@@ -1,5 +1,6 @@
 ##
 # Encrypt EBS volumes by default
+##
 
 # Get the default AWS managed key for the current region.
 data "aws_kms_key" "ebs_amk" {

diff --git a/ops/terraform/env/mgmt/managed_prefix_lists.tf b/ops/terraform/env/mgmt/managed_prefix_lists.tf
@@ -0,0 +1,18 @@
+##
+# Globally managed prefix lists that we can reference in terraform, security groups, nacl's, etc.
+##
+
+# Cloudbees core jenkins subnet.
+module "cbc_jenkins" {
+  source         = "../../modules/resources/prefix_list"
+  name           = "bfd-cbc-jenkins"
+  max_entries    = 1
+  entries        = var.cbc_jenkins_prefix_list
+  address_family = "IPv4"
+}
+
+variable "cbc_jenkins_prefix_list" {
+  description = "prefix list entrie(s) for cbc core jenkins"
+  type        = map(string)
+  default     = {}
+}
diff --git a/ops/terraform/env/global/s3/main.tf → ops/terraform/env/mgmt/s3-base.tf b/ops/terraform/env/global/s3/main.tf → ops/terraform/env/mgmt/s3-base.tf
@@ -1,23 +1,20 @@
 locals {
-  account_id              = data.aws_caller_identity.current.account_id
   bfd_state_bucket        = "bfd-tf-state"
   bcda_aws_account_number = data.aws_ssm_parameter.bcda_aws_account_number.value
-  kms_key_id              = data.aws_kms_key.state.arn
+  state_kms_key_id        = data.aws_kms_key.state.arn
   legacy_kms_key_id       = data.aws_kms_key.legacy.arn
   cloudtrail_logs_bucket  = "bfd-cloudtrail-logs"
 
   default_tags = {
-    Environment    = "global"
+    Environment    = "mgmt"
     application    = "bfd"
     business       = "oeda"
-    stack          = "global"
+    stack          = "mgmt"
     Terraform      = true
-    tf_module_root = "ops/terraform/env/global/s3"
+    tf_module_root = "ops/terraform/env/mgmt"
   }
 }
 
-data "aws_caller_identity" "current" {}
-
 data "aws_ssm_parameter" "bcda_aws_account_number" {
   name            = "/bcda/global/terraform/sensitive/aws_account_number"
   with_decryption = true
@@ -96,7 +93,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
   rule {
     apply_server_side_encryption_by_default {
       sse_algorithm     = "aws:kms"
-      kms_master_key_id = local.kms_key_id
+      kms_master_key_id = local.state_kms_key_id
     }
   }
 }

diff --git a/ops/terraform/env/global/s3/legacy.tf → ops/terraform/env/mgmt/s3-legacy.tf b/ops/terraform/env/global/s3/legacy.tf → ops/terraform/env/mgmt/s3-legacy.tf
@@ -1,3 +1,7 @@
+##
+# Original Cloudformation config from ITOPS
+##
+
 resource "aws_s3_bucket" "cf-bfd-management-vpc" {
   bucket = "cf-bfd-management-vpc"
 }

diff --git a/ops/terraform/env/global/s3/temporary.tf → ops/terraform/env/mgmt/s3-temporary.tf b/ops/terraform/env/global/s3/temporary.tf → ops/terraform/env/mgmt/s3-temporary.tf
@@ -1,3 +1,7 @@
+##
+# Moved from global/s3/temporary.tf
+##
+
 resource "aws_s3_bucket" "aws-glue-scripts" {
   bucket = "aws-glue-scripts-${local.account_id}-us-east-1"
 }

diff --git a/ops/terraform/env/mgmt/s3.tf b/ops/terraform/env/mgmt/s3.tf
@@ -158,8 +158,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "bfd_public_test_data" {
     filter {}
 
     transition {
-      days            = 7
-      storage_class   = "GLACIER_IR"
+      days          = 7
+      storage_class = "GLACIER_IR"
     }
 
     status = "Enabled"

diff --git a/ops/terraform/modules/resources/prefix_list/main.tf b/ops/terraform/modules/resources/prefix_list/main.tf
@@ -9,7 +9,6 @@ resource "aws_ec2_managed_prefix_list" "prefix_list" {
   name           = var.name
   address_family = var.address_family
   max_entries    = var.max_entries
-  tags           = var.tags
   dynamic "entry" {
     for_each = var.entries
     content {

diff --git a/ops/terraform/modules/resources/prefix_list/variables.tf b/ops/terraform/modules/resources/prefix_list/variables.tf
@@ -1,8 +1,3 @@
-variable "tags" {
-  description = "tags"
-  type = map(string)
-}
-
 variable "name" {
   description = "(Required) Prefix list name (must not start with com.amazonaws)"
   type = string