From 08ee43efca9a87a610b365d04c45553fe3bf1e24 Mon Sep 17 00:00:00 2001
From: James Griffiths
Date: Wed, 22 Jan 2025 10:37:17 +0000
Subject: [PATCH] EHD-1057: Simplify hosting: Remove old terraform code
---
terraform/.terraform.lock.hcl | 62 ---
.../aws-windows-deployment-manifest.json | 14 -
terraform/cloudfront.tf | 160 ------
terraform/cloudwatch.tf | 83 ---
terraform/dev-app.tfbackend | 6 -
terraform/dev-app.tfvars | 26 -
terraform/elasticbeanstalk.tf | 502 ------------------
terraform/loadbalancer.tf | 84 ---
terraform/loadtest.tfbackend | 6 -
terraform/loadtest.tfvars | 26 -
terraform/postgres.tf | 96 ----
terraform/preprod-app.tfbackend | 6 -
terraform/preprod-app.tfvars | 26 -
terraform/prod-app.tfbackend | 6 -
terraform/prod-app.tfvars | 26 -
terraform/provider.tf | 32 --
terraform/variables.tf | 193 -------
terraform/vpc.tf | 109 ----
terraform/waf.tf | 132 -----
19 files changed, 1595 deletions(-)
delete mode 100644 terraform/.terraform.lock.hcl
delete mode 100644 terraform/aws-windows-deployment-manifest.json
delete mode 100644 terraform/cloudfront.tf
delete mode 100644 terraform/cloudwatch.tf
delete mode 100644 terraform/dev-app.tfbackend
delete mode 100644 terraform/dev-app.tfvars
delete mode 100644 terraform/elasticbeanstalk.tf
delete mode 100644 terraform/loadbalancer.tf
delete mode 100644 terraform/loadtest.tfbackend
delete mode 100644 terraform/loadtest.tfvars
delete mode 100644 terraform/postgres.tf
delete mode 100644 terraform/preprod-app.tfbackend
delete mode 100644 terraform/preprod-app.tfvars
delete mode 100644 terraform/prod-app.tfbackend
delete mode 100644 terraform/prod-app.tfvars
delete mode 100644 terraform/provider.tf
delete mode 100644 terraform/variables.tf
delete mode 100644 terraform/vpc.tf
delete mode 100644 terraform/waf.tf
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
deleted file mode 100644
index 97d47ee33..000000000
--- a/terraform/.terraform.lock.hcl
+++ /dev/null
@@ -1,62 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.30.0" - constraints = ">= 3.63.0, ~> 4.16" - hashes = [ - "h1:fpaXSRg0XiQ4bDKxdHNUgDaNVySr49WB5B5jowY6MBU=", - "zh:08213f3ba960621448754211f148730edb59194919ee476b0231b769a5355028", - "zh:29c90d6f8bdae0e1469417ade28fa79c74c2af49593c1e2f24f07bacbca9e2c9", - "zh:5c6e9fab64ad68de6cd4ec6cbb20b0f75ba1e51a8efaeda3fe65419f096a06cb", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9bf42718580e8c5097227df34e1bfa0a10a23eac9f527d97c2819c163087b402", - "zh:9f87e42e0f3d145fb0ad4aaff7ddded5720a64f9303956b33bd274c6dd05c05b", - "zh:bf0519ed9615bc408b72a0aebe1cc075d4c2042325590ba13dd264cd264907ea", - "zh:c3ac9e1cbd0935614f5a3c9cdb4cf9c6a1045937fe38e61da7c5c0fb7a069870", - "zh:d0c184476ada38c50acc068214ed1252b4fcf80b6be900fc1aed32cbb49f8ff6", - "zh:d4987dc7b7a69ea58f2b3ff0ea4ffc1b61a97881dbb8583c9fcf9444b753a6c2", - "zh:e8037376c81aeb98d8286dc19fba7f8eb053444d4b9484ea6a922382cffc1a85", - "zh:ecdabb44b48addc8483bca7bd683614a347367ae950ca8b6a6880679f5c12abd", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.1.1" - constraints = "3.1.1" - hashes = [ - "h1:1J3nqAREzuaLE7x98LEELCCaMV6BRiawHSg9MmFvfQo=", - "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597", - "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf", - "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e", - "zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa", - "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5", - "zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4", - 
"zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46",
- "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924",
- "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b",
- "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f",
- ]
-}
-
-provider "registry.terraform.io/hashicorp/random" {
- version = "3.3.2"
- constraints = "3.3.2"
- hashes = [
- "h1:rGCyrtzi+H9apmpwzMSJ4xNra7veNM7y6JRkBhO68wM=",
- "zh:038293aebfede983e45ee55c328e3fde82ae2e5719c9bd233c324cfacc437f9c",
- "zh:07eaeab03a723d83ac1cc218f3a59fceb7bbf301b38e89a26807d1c93c81cef8",
- "zh:427611a4ce9d856b1c73bea986d841a969e4c2799c8ac7c18798d0cc42b78d32",
- "zh:49718d2da653c06a70ba81fd055e2b99dfd52dcb86820a6aeea620df22cd3b30",
- "zh:5574828d90b19ab762604c6306337e6cd430e65868e13ef6ddb4e25ddb9ad4c0",
- "zh:7222e16f7833199dabf1bc5401c56d708ec052b2a5870988bc89ff85b68a5388",
- "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
- "zh:b1b2d7d934784d2aee98b0f8f07a8ccfc0410de63493ae2bf2222c165becf938",
- "zh:b8f85b6a20bd264fcd0814866f415f0a368d1123cd7879c8ebbf905d370babc8",
- "zh:c3813133acc02bbebddf046d9942e8ba5c35fc99191e3eb057957dafc2929912",
- "zh:e7a41dbc919d1de800689a81c240c27eec6b9395564630764ebb323ea82ac8a9",
- "zh:ee6d23208449a8eaa6c4f203e33f5176fa795b4b9ecf32903dffe6e2574732c2",
- ]
-}
diff --git a/terraform/aws-windows-deployment-manifest.json b/terraform/aws-windows-deployment-manifest.json
deleted file mode 100644
index b868ad8dc..000000000
--- a/terraform/aws-windows-deployment-manifest.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "manifestVersion": 1,
- "deployments": {
- "aspNetCoreWeb": [
- {
- "name": "gpg-application",
- "parameters": {
- "appBundle": "publish.zip",
- "iisPath": "/"
- }
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/terraform/cloudfront.tf b/terraform/cloudfront.tf
deleted file mode 100644
index 694b7c938..000000000
--- a/terraform/cloudfront.tf
+++ /dev/null
@@ -1,160 +0,0 @@
-locals {
- cloudfront_origin_id = "${local.env_prefix}-load-balancer-origin"
-}
-
-resource "aws_cloudfront_distribution" "gpg_distribution" {
- provider = aws.us-east-1
-
- origin {
- domain_name = data.aws_lb.load_balancer.dns_name
- origin_id = local.cloudfront_origin_id
-
- custom_header {
- name = "X-Custom-Header"
- value = random_integer.load_balancer_custom_header.id
- }
- custom_origin_config {
- http_port = "80"
- https_port = "443"
- origin_protocol_policy = "https-only"
- origin_ssl_protocols = ["TLSv1.2"]
- }
-
- origin_shield {
- enabled = true
- origin_shield_region = "eu-west-2"
- }
- }
-
- enabled = true
- is_ipv6_enabled = true
- web_acl_id = aws_wafv2_web_acl.ehrc.arn
-
- aliases = [var.cloudfront_alternate_domain_name]
-
- default_cache_behavior {
- allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
- cached_methods = ["GET", "HEAD", "OPTIONS"]
- target_origin_id = local.cloudfront_origin_id
- cache_policy_id = aws_cloudfront_cache_policy.gpg_default.id
-
- viewer_protocol_policy = "redirect-to-https"
- min_ttl = 0
- default_ttl = 3600
- max_ttl = 86400
- }
-
- # Cache behaviour with precedent 0
- ordered_cache_behavior {
- allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
- cached_methods = ["GET", "HEAD", "OPTIONS"]
- target_origin_id = local.cloudfront_origin_id
- cache_policy_id = aws_cloudfront_cache_policy.static_assets_caching.id
-
- viewer_protocol_policy = "redirect-to-https"
- default_ttl = 604800 // caches static assets for 1 week as standard
- max_ttl = 864000
- min_ttl = 1
- path_pattern = "assets/*"
- }
-
- # Cache behaviour with precedent 1
- ordered_cache_behavior {
- allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
- cached_methods = ["GET", "HEAD", "OPTIONS"]
- target_origin_id = local.cloudfront_origin_id
- cache_policy_id = aws_cloudfront_cache_policy.static_assets_caching.id
-
- viewer_protocol_policy = 
"redirect-to-https"
- default_ttl = 604800 // caches static assets for 1 week as standard
- max_ttl = 864000
- min_ttl = 1
- path_pattern = "compiled/*"
- }
-
- price_class = "PriceClass_200"
-
- restrictions {
- geo_restriction {
- restriction_type = "none"
- }
- }
-
- viewer_certificate {
- acm_certificate_arn = var.CLOUDFRONT_ACM_CERT_ARN
- cloudfront_default_certificate = true
- ssl_support_method = "sni-only"
- }
-
- logging_config {
- include_cookies = true
- bucket = data.aws_s3_bucket.resource_logs_bucket.bucket_domain_name
- prefix = local.env_prefix
- }
-
- depends_on = [data.aws_s3_bucket.resource_logs_bucket]
-
- retain_on_delete = true // QQ remove when application is live
-}
-
-resource "aws_cloudfront_cache_policy" "gpg_default" {
- name = "${local.env_prefix}-default"
- default_ttl = 84600
- max_ttl = 3156000
- min_ttl = 1
- parameters_in_cache_key_and_forwarded_to_origin {
- cookies_config {
- cookie_behavior = "all"
- }
- headers_config {
- header_behavior = "whitelist"
- headers {
- items = ["Authorization", "Host", "Origin", "Referer", "User-Agent", "X-Forwarded-For"]
- }
- }
- query_strings_config {
- query_string_behavior = "all"
- }
-
- enable_accept_encoding_brotli = true
- enable_accept_encoding_gzip = true
- }
-}
-
-resource "aws_cloudfront_cache_policy" "static_assets_caching" {
- name = "${local.env_prefix}-static-assets-caching"
- default_ttl = 604800 // caches static assets for 1 week as standard
- max_ttl = 864000
- min_ttl = 1
- parameters_in_cache_key_and_forwarded_to_origin {
- cookies_config {
- cookie_behavior = "none"
- }
- headers_config {
- header_behavior = "whitelist"
- headers {
- items = ["Authorization", "Host", "Origin", "Referer", "User-Agent", "X-Forwarded-For"]
- }
- }
- query_strings_config {
- query_string_behavior = "none"
- }
-
- enable_accept_encoding_brotli = true
- enable_accept_encoding_gzip = true
- }
-}
-
-// Contains resource logs that are not automatically exported to cloudwatch
-data "aws_s3_bucket" 
"resource_logs_bucket" {
- bucket = "${local.account_prefix}-resource-logs-bucket"
-}
-
-resource "random_integer" "load_balancer_custom_header" {
- min = 1
- max = 50000
- keepers = {
- # Generate a new integer each time we switch to a new load balancer ARN
- load_balancer_arn = data.aws_lb.load_balancer.arn
- }
-}
\ No newline at end of file
diff --git a/terraform/cloudwatch.tf b/terraform/cloudwatch.tf
deleted file mode 100644
index 7d0901e9e..000000000
--- a/terraform/cloudwatch.tf
+++ /dev/null
@@ -1,83 +0,0 @@
-// Alarms
-resource "aws_cloudwatch_metric_alarm" "no_healthy_hosts" {
- alarm_name = "${local.env_prefix}-no-healthy-hosts"
- metric_name = "HealthyHostCount"
- namespace = "AWS/ApplicationELB"
- comparison_operator = "LessThanOrEqualToThreshold"
- statistic = "Minimum"
- period = 300
- evaluation_periods = 1
- threshold = 0
- alarm_description = "${local.env_prefix} has no healthy hosts."
- alarm_actions = [aws_sns_topic.EC2_topic.arn]
- ok_actions = [aws_sns_topic.EC2_topic.arn]
- dimensions = {
- LoadBalancer = data.aws_lb.load_balancer.arn
- }
-}
-
-resource "aws_cloudwatch_metric_alarm" "http_errors" {
- alarm_name = "${local.env_prefix}-http-errors"
- metric_name = "HTTPCode_Target_5XX_Count"
- namespace = "AWS/ApplicationELB"
- comparison_operator = "GreaterThanThreshold"
- statistic = "Maximum"
- period = 300
- evaluation_periods = 1
- threshold = 0
- alarm_description = "${local.env_prefix} has HTTP 5xx errors."
- alarm_actions = [aws_sns_topic.EC2_topic.arn]
- ok_actions = [aws_sns_topic.EC2_topic.arn]
- treat_missing_data = "notBreaching"
- dimensions = {
- LoadBalancer = data.aws_lb.load_balancer.arn
- }
-}
-
-# No instances should fail the health checks unless they failed to boot.
-# This usually means a release failed and will need manual intervention.
-resource "aws_cloudwatch_metric_alarm" "unhealthy_hosts" {
- alarm_name = "${local.env_prefix}-unhealthy-hosts"
- metric_name = "UnHealthyHostCount"
- namespace = "AWS/ApplicationELB"
- comparison_operator = "GreaterThanThreshold"
- statistic = "Maximum"
- period = 300
- evaluation_periods = 1
- threshold = 0
- alarm_description = "${local.env_prefix} has unhealthy hosts. A release likely failed and will need manual intervention." 
- alarm_actions = [aws_sns_topic.EC2_topic.arn]
- ok_actions = [aws_sns_topic.EC2_topic.arn]
- treat_missing_data = "notBreaching"
- dimensions = {
- LoadBalancer = data.aws_lb.load_balancer.arn
- }
-}
-
-resource "aws_cloudwatch_metric_alarm" "cpu_utilisation" {
- alarm_name = "${local.env_prefix}-cpu-too-high"
- metric_name = "CPUUtilization"
- namespace = "AWS/EC2"
- comparison_operator = "GreaterThanOrEqualToThreshold"
- statistic = "Average"
- period = "60"
- evaluation_periods = "2"
- threshold = "70"
- alarm_actions = [aws_sns_topic.EC2_topic.arn]
- ok_actions = [aws_sns_topic.EC2_topic.arn]
- treat_missing_data = "notBreaching"
- alarm_description = "${local.env_prefix}'s EC2 CPU utilisation is exceeding 70%"
- dimensions = {
- InstanceId = data.aws_instance.elb_primary_instance.id
- }
-}
-
-resource "aws_sns_topic" "EC2_topic" {
- name = "${local.env_prefix}-ec2-cloudwatch-alarms"
-}
-
-resource "aws_sns_topic_subscription" "EC2_Subscription" {
- topic_arn = aws_sns_topic.EC2_topic.arn
- protocol = "email"
- endpoint = var.CLOUDWATCH_NOTIFICATION_EMAILS
-}
\ No newline at end of file
diff --git a/terraform/dev-app.tfbackend b/terraform/dev-app.tfbackend
deleted file mode 100644
index f46f4335e..000000000
--- a/terraform/dev-app.tfbackend
+++ /dev/null
@@ -1,6 +0,0 @@
-bucket = "gender-pay-gap-preproduction-tfstate"
-key = "dev/terraform.tfstate"
-dynamodb_table = "gender-pay-gap-tf-locks-dev"
-region = "eu-west-2"
-encrypt = true
-workspace_key_prefix = "gpg"
\ No newline at end of file
diff --git a/terraform/dev-app.tfvars b/terraform/dev-app.tfvars
deleted file mode 100644
index 09d41b5bf..000000000
--- a/terraform/dev-app.tfvars
+++ /dev/null
@@ -1,26 +0,0 @@
-env = "dev"
-account = "preproduction"
-
-#region Relational database configuration
-
-rds_config_db_name = "gpgDevDb"
-rds_config_identifier = "gpg-dev-db"
-rds_config_instance_class = "db.t3.small"
-rds_config_multi_az = false
-
-#endregion
-
-#region Elastic Beanstalk configuration
-
-elb_deployment_policy = "Rolling"
-elb_instance_max_size = 2
-elb_instance_min_size = 1
-elb_instance_type = "t2.small"
-
-#endregion
-
-#region Cloudfront configuration
-
-cloudfront_alternate_domain_name = "dev.gender-pay-gap.service.gov.uk"
-
-#end region
\ No newline at end of file
diff --git a/terraform/elasticbeanstalk.tf b/terraform/elasticbeanstalk.tf
deleted file mode 100644
index 320e0ae7a..000000000
--- a/terraform/elasticbeanstalk.tf
+++ /dev/null
@@ -1,502 +0,0 @@
-locals {
- env_prefix = "gpg-${var.env}" // prefix env specific resources
- account_prefix = "gpg-${var.account}" // prefix account specific resources
-
- elb_environment_tier = "WebServer"
- elb_lb_scheme = "public"
- elb_load_balancer_ssl_policy = "ELBSecurityPolicy-2016-08"
- elb_load_balancer_type = "application"
- elb_solution_stack_name = "64bit Amazon Linux 2 v2.4.0 running .NET Core"
- elb_health_check_path = "/health-check"
- elb_matcher_http_code = 200
-
- managed_policy_arns = ["arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker", "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier", "arn:aws:iam::aws:policy/AmazonRDSFullAccess", "arn:aws:iam::aws:policy/AmazonSSMFullAccess", "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier","arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy"]
-}
-
-data "aws_iam_instance_profile" "elastic_beanstalk" {
- name = "aws-elasticbeanstalk-ec2-role"
-}
-
-// Load balancer id
-data "aws_instance" "elb_primary_instance" {
- instance_id = aws_elastic_beanstalk_environment.gpg_elastic_beanstalk_environment.instances[0]
-}
-
-//S3 bucket containing application versions for all env in account
-data "aws_s3_bucket" "gpg_application_version_storage" {
- bucket = "${local.account_prefix}-application-version-storage"
-}
-
-// File storage bucket for each env
-resource "aws_s3_bucket" "gpg_filestorage" {
- bucket = "${local.env_prefix}-filestorage"
-
- lifecycle {
- prevent_destroy = false // QQ turn to true when live
- }
-}
-
-resource "aws_s3_bucket_versioning" "gpg-filestorage" {
- bucket = aws_s3_bucket.gpg_filestorage.id
- versioning_configuration {
- status = "Enabled"
- }
-}
-
-// Archive file
-data "aws_s3_object" "gpg_archive_zip" {
- bucket = data.aws_s3_bucket.gpg_application_version_storage.id
- key = "publish-${var.env}.zip"
-}
-
-// Application
-resource "aws_elastic_beanstalk_application" "gpg_application" {
- name = "${local.env_prefix}-application"
- description = "The 
GPG application in ${var.env}."
-}
-
-// Application version
-resource "aws_elastic_beanstalk_application_version" "gpg_application_version" {
- name = "${local.env_prefix}-version"
- application = aws_elastic_beanstalk_application.gpg_application.name
- description = "The application version used to create the elastic beanstalk resource."
- bucket = data.aws_s3_bucket.gpg_application_version_storage.bucket
- key = data.aws_s3_object.gpg_archive_zip.key
-}
-
-// Elastic beanstalk environment
-resource "aws_elastic_beanstalk_environment" "gpg_elastic_beanstalk_environment" {
- name = "${local.env_prefix}-elb-environment"
- application = aws_elastic_beanstalk_application.gpg_application.name
- solution_stack_name = local.elb_solution_stack_name
- version_label = aws_elastic_beanstalk_application_version.gpg_application_version.name
- cname_prefix = local.env_prefix // must check availability in console before changing
-
- // Life cycle methods
- lifecycle {
- prevent_destroy = false // QQ turn to true when live
- }
-
- // See this documentation for all the available settings
- // https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html
-
- // Deployment strategy
- setting {
- namespace = "aws:elasticbeanstalk:command"
- name = "DeploymentPolicy"
- value = var.elb_deployment_policy
- }
-
- // Elastic beanstalk VPC config
- setting {
- namespace = "aws:ec2:vpc"
- name = "DBSubnets"
- value = join(",", module.vpc.database_subnets)
- }
-
- setting {
- namespace = "aws:ec2:vpc"
- name = "Subnets"
- value = join(",", module.vpc.public_subnets)
- }
-
- setting {
- namespace = "aws:ec2:vpc"
- name = "VPCId"
- value = module.vpc.vpc_id
- }
-
- // Elastic beanstalk load balancer config
- setting {
- namespace = "aws:ec2:vpc"
- name = "ELBScheme"
- value = local.elb_lb_scheme
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment"
- name = "LoadBalancerType"
- value = local.elb_load_balancer_type
- }
-
- // HTTP listener config
-
- setting 
{
- namespace = "aws:elbv2:listener:default"
- name = "ListenerEnabled"
- value = "false" // disabled. we create our own port 80 listener which redirects to https
- }
-
- // HTTPS secure listener config
- setting {
- namespace = "aws:elbv2:listener:443"
- name = "ListenerEnabled"
- value = "true"
- }
-
- setting {
- namespace = "aws:elbv2:listener:443"
- name = "Protocol"
- value = "HTTPS"
- }
-
- setting {
- namespace = "aws:elbv2:listener:443"
- name = "SSLCertificateArns"
- value = var.ELB_LOAD_BALANCER_SSL_CERTIFICATE_ARN
- }
-
- setting {
- namespace = "aws:elbv2:listener:default"
- name = "SSLPolicy"
- value = "ELBSecurityPolicy-2016-08"
- }
-
- // HTTPS secure listener rules
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:https"
- name = "HealthCheckPath"
- value = local.elb_health_check_path
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:https"
- name = "MatcherHTTPCode"
- value = local.elb_matcher_http_code
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:https"
- name = "Port"
- value = "443"
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:https"
- name = "Protocol"
- value = "HTTPS"
- }
-
- // Elastic beanstalk autoscaling config
- setting {
- namespace = "aws:autoscaling:launchconfiguration"
- name = "IamInstanceProfile"
- value = data.aws_iam_instance_profile.elastic_beanstalk.name
- }
-
- setting {
- namespace = "aws:ec2:instances"
- name = "InstanceTypes"
- value = var.elb_instance_type
- }
-
- setting {
- namespace = "aws:autoscaling:asg"
- name = "MaxSize"
- value = var.elb_instance_max_size
- }
-
- setting {
- namespace = "aws:autoscaling:asg"
- name = "MinSize"
- value = var.elb_instance_min_size
- }
-
- // Auto-scaling Triggers
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "MeasureName"
- value = "CPUUtilization"
- }
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "Statistic"
- value = "Average"
- }
- setting {
- 
namespace = "aws:autoscaling:trigger"
- name = "Unit"
- value = "Percent"
- }
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "Period"
- value = 1 // Time (in minutes) between checks
- // Note: remember to update the other settings
- } // BreachDuration = Period * EvaluationPeriods
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "EvaluationPeriods"
- value = 3 // Number of consecutive checks that must be too high/low to trigger a scaling action
- // Note: remember to update the other settings
- } // BreachDuration = Period * EvaluationPeriods
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "BreachDuration"
- value = 3 // How long (in minutes) must the checks be toon high/low before scaling up/down
- // Note: remember to update the other settings
- } // BreachDuration = Period * EvaluationPeriods
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "UpperThreshold"
- value = 80 // If the CPU % stays above this level, we scale up
- }
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "UpperBreachScaleIncrement"
- value = 1 // How many instances to add when we scale up
- }
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "LowerThreshold"
- value = 50 // If the CPU % stays below this level, we scale down
- }
- setting {
- namespace = "aws:autoscaling:trigger"
- name = "LowerBreachScaleIncrement"
- value = -1 // How many instances to ADD when we scale down
- } // (this needs to be a negative number so we scale down!)
-
- // Elastic beanstalk log config
- setting {
- namespace = "aws:elasticbeanstalk:cloudwatch:logs"
- name = "DeleteOnTerminate"
- value = false
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:cloudwatch:logs"
- name = "RetentionInDays"
- value = 7
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:cloudwatch:logs"
- name = "StreamLogs"
- value = true
- }
-
- // Elastic beanstalk health check config
- setting {
- namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
- name = "DeleteOnTerminate"
- value = false
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "DeregistrationDelay"
- value = 20
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "HealthCheckInterval"
- value = 15
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "HealthCheckPath"
- value = local.elb_health_check_path
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "HealthCheckTimeout"
- value = 5
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
- name = "HealthStreamingEnabled"
- value = true
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "HealthyThresholdCount"
- value = 3
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "MatcherHTTPCode"
- value = local.elb_matcher_http_code
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
- name = "RetentionInDays"
- value = 7
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "StickinessEnabled"
- value = true
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "UnhealthyThresholdCount"
- value = 5
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "DATABASE_HOST"
- value = aws_db_instance.gpg-dev-db.address
- }
- setting { 
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "DATABASE_PORT"
- value = aws_db_instance.gpg-dev-db.port
- }
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "DATABASE_USERNAME"
- value = aws_db_instance.gpg-dev-db.username
- }
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "DATABASE_PASSWORD"
- value = aws_db_instance.gpg-dev-db.password
- }
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "DATABASE_DB_NAME"
- value = aws_db_instance.gpg-dev-db.name
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "S3_BUCKET_NAME"
- value = aws_s3_bucket.gpg_filestorage.bucket
- }
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "S3_BUCKET_AWS_ACCESS_KEY_ID"
- value = var.AWS_ACCESS_KEY_ID
- }
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "S3_BUCKET_AWS_SECRET_ACCESS_KEY"
- value = var.AWS_SECRET_ACCESS_KEY
- }
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "S3_BUCKET_AWS_REGION"
- value = var.aws_region
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "ASPNETCORE_ENVIRONMENT"
- value = var.ELB_ASPNETCORE_ENVIRONMENT
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "BasicAuthPassword"
- value = var.ELB_BASIC_AUTH_PASSWORD
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "BasicAuthUsername"
- value = var.ELB_BASIC_AUTH_USERNAME
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "CompaniesHouseApiKey"
- value = var.ELB_COMPANIES_HOUSE_API_KEY
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "DataMigrationPassword"
- value = var.ELB_DATA_MIGRATION_PASSWORD
- }
-
- setting {
- namespace = 
"aws:elasticbeanstalk:application:environment"
- name = "DefaultEncryptionKey"
- value = var.ELB_DEFAULT_ENCRYPTION_KEY
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "DefaultEncryptionIv"
- value = var.ELB_DEFAULT_ENCRYPTION_IV
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "DisableSearchCache"
- value = var.ELB_DISABLE_SEARCH_CACHE
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "EhrcApiToken"
- value = var.ELB_EHRC_API_TOKEN
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "FeatureFlagPrivateManualRegistration"
- value = var.ELB_FEATURE_FLAG_PRIVATE_MANUAL_REGISTRATION
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "FeatureFlagSendRegistrationReviewEmails"
- value = var.ELB_FEATURE_FLAG_SEND_REGISTRATION_REVIEW_EMAILS
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "GEODistributionList"
- value = var.ELB_GEO_DISTRIBUTION_LIST
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "GovUkNotifyApiKey"
- value = var.ELB_GOVUK_NOTIFY_API_KEY
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "OffsetCurrentDateTimeForSite"
- value = var.ELB_OFFSET_CURRENT_DATE_TIME_FOR_SITE
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "ReminderEmailDays"
- value = var.ELB_REMINDER_EMAIL_DAYS
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "ReportingStartYearsToExcludeFromLateFlagEnforcement"
- value = var.ELB_REPORTING_START_YEARS_TO_EXCLUDE_FROM_LATE_FLAG_ENFORCEMENT
- }
-
- setting {
- namespace = "aws:elasticbeanstalk:application:environment"
- name = "ReportingStartYearsWithFurloughScheme"
- value = var.ELB_REPORTING_START_YEARS_WITH_FURLOUGH_SCHEME
- }
-
- setting {
- namespace = 
"aws:elasticbeanstalk:application:environment"
- name = "WEBJOBS_STOPPED"
- value = var.ELB_WEBJOBS_STOPPED
- }
-
-}
-
diff --git a/terraform/loadbalancer.tf b/terraform/loadbalancer.tf
deleted file mode 100644
index b8dc26750..000000000
--- a/terraform/loadbalancer.tf
+++ /dev/null
@@ -1,84 +0,0 @@
-// Additional rules set on elastic beanstalk load balancer. Other rules set within ELB settings.
-
-data "aws_lb" "load_balancer" {
- arn = aws_elastic_beanstalk_environment.gpg_elastic_beanstalk_environment.load_balancers[0]
-}
-
-resource "aws_lb_listener" "port_80_listener" {
- load_balancer_arn = data.aws_lb.load_balancer.arn
- port = "80"
-
- default_action {
- type = "fixed-response"
-
- fixed_response {
- content_type = "text/plain"
- message_body = "Not Authorised"
- status_code = "401"
- }
- }
-}
-
-resource "aws_lb_listener_rule" "redirect_cloudfront_only_to_443" {
- listener_arn = aws_lb_listener.port_80_listener.arn
-
- action {
- type = "redirect"
-
- redirect {
- port = "443"
- protocol = "HTTPS"
- status_code = "HTTP_301"
- }
- }
-
- // This header restricts access to load balancer to requests that include our custom header
- condition {
- http_header {
- http_header_name = "X-Custom-Header"
- values = [random_integer.load_balancer_custom_header.id]
- }
- }
-}
-
-resource "aws_security_group" "load_balancer" {
- name = "${local.env_prefix}-load-balancer"
- vpc_id = module.vpc.vpc_id
- description = "Allow connection between ALB and target instance"
-
- ingress {
- description = "HTTPS INGRESS"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = [module.vpc.vpc_cidr_block]
- ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
- }
-
- ingress {
- description = "HTTP INGRESS"
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = [module.vpc.vpc_cidr_block]
- ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
- }
-
- egress {
- description = "HTTPS EGRESS"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = [module.vpc.vpc_cidr_block]
- ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
- }
-
- egress {
- description = "HTTP EGRESS"
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = [module.vpc.vpc_cidr_block]
- ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
- }
-}
diff --git a/terraform/loadtest.tfbackend b/terraform/loadtest.tfbackend
deleted file mode 100644
index e6cce2ad1..000000000
--- a/terraform/loadtest.tfbackend
+++ /dev/null
@@ -1,6 +0,0 @@
-bucket = "gender-pay-gap-preproduction-tfstate"
-key = "loadtest/terraform.tfstate"
-dynamodb_table = "gender-pay-gap-tf-locks-loadtest"
-region = "eu-west-2"
-encrypt = true
-workspace_key_prefix = "gpg"
\ No newline at end of file
diff --git a/terraform/loadtest.tfvars b/terraform/loadtest.tfvars
deleted file mode 100644
index 77514576a..000000000
--- a/terraform/loadtest.tfvars
+++ /dev/null
@@ -1,26 +0,0 @@
-env = "loadtest"
-account = "preproduction"
-
-#region Relational database configuration
-
-rds_config_db_name = "gpgLoadTestDb"
-rds_config_identifier = "gpg-loadtest-db"
-rds_config_instance_class = "db.t3.small"
-rds_config_multi_az = false
-
-#endregion
-
-#region Elastic Beanstalk configuration
-
-elb_deployment_policy = "Rolling"
-elb_instance_max_size = 2
-elb_instance_min_size = 1
-elb_instance_type = "t2.small"
-
-#endregion
-
-#region Cloudfront configuration
-
-cloudfront_alternate_domain_name = "loadtest.gender-pay-gap.service.gov.uk"
-
-#end region
\ No newline at end of file
diff --git a/terraform/postgres.tf b/terraform/postgres.tf
deleted file mode 100644
index cc23d6670..000000000
--- a/terraform/postgres.tf
+++ /dev/null
@@ -1,96 +0,0 @@
-locals {
- rds_config_port = 5432
-}
-
-// The security group the database will belong to
-resource "aws_security_group" "allow_postgres_connection" {
- name = "${local.env_prefix}-allow_postgres_connection"
- description = "Allow Postgres DB traffic"
- vpc_id = module.vpc.vpc_id
-}
-
-// Incoming rules
-resource "aws_security_group_rule" "postgres_in" {
- security_group_id = aws_security_group.allow_postgres_connection.id
- type = "ingress"
- from_port = local.rds_config_port
- to_port = local.rds_config_port
- protocol = "tcp"
- cidr_blocks = [module.vpc.vpc_cidr_block]
- ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
-}
-
-// Outgoing rules
-resource "aws_security_group_rule" "postgres_out" {
- security_group_id = aws_security_group.allow_postgres_connection.id
- type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = [module.vpc.vpc_cidr_block]
- ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
-}
-
-// The database resource
-resource "aws_db_instance" "gpg-dev-db" {
- allocated_storage = 100
- engine = "postgres"
- engine_version = 14
- instance_class = var.rds_config_instance_class
- identifier = var.rds_config_identifier
- db_name = var.rds_config_db_name
- port = local.rds_config_port
- username = var.POSTGRES_CONFIG_USERNAME
- password = var.POSTGRES_CONFIG_PASSWORD
- backup_retention_period = 30
- backup_window = "04:00-05:00"
- vpc_security_group_ids = [aws_security_group.allow_postgres_connection.id]
- db_subnet_group_name = module.vpc.database_subnet_group_name
- storage_encrypted = true
- publicly_accessible = false
- allow_major_version_upgrade = false
- multi_az = var.rds_config_multi_az
- skip_final_snapshot = false
- final_snapshot_identifier = join("-", [var.rds_config_identifier, "final-snapshot", replace(timestamp(), ":", "-")])
-
- // Backups and deletion
- deletion_protection = false // QQ should be true when application goes live
- delete_automated_backups = false
-
- lifecycle {
- 
ignore_changes = [
- // This will always be different because of the timestamp function, so we ignore it
- final_snapshot_identifier
- ]
- }
-
- // Logging and monitoring
- enabled_cloudwatch_logs_exports = ["postgresql"]
- monitoring_interval = 60
- monitoring_role_arn = aws_iam_role.rds_enhanced_monitoring.arn
-}
-
-resource "aws_iam_role" "rds_enhanced_monitoring" {
- name_prefix = "rds-enhanced-monitoring-"
- assume_role_policy = data.aws_iam_policy_document.rds_enhanced_monitoring.json
-}
-
-resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
- role = aws_iam_role.rds_enhanced_monitoring.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
-}
-
-data "aws_iam_policy_document" "rds_enhanced_monitoring" {
- statement {
- actions = [
- "sts:AssumeRole",
- ]
-
- effect = "Allow"
-
- principals {
- type = "Service"
- identifiers = ["monitoring.rds.amazonaws.com"]
- }
- }
-}
diff --git a/terraform/preprod-app.tfbackend b/terraform/preprod-app.tfbackend
deleted file mode 100644
index 769e624cf..000000000
--- a/terraform/preprod-app.tfbackend
+++ /dev/null
@@ -1,6 +0,0 @@
-bucket = "gender-pay-gap-preproduction-tfstate"
-key = "preprod/terraform.tfstate"
-dynamodb_table = "gender-pay-gap-tf-locks-preprod"
-region = "eu-west-2"
-encrypt = true
-workspace_key_prefix = "gpg"
\ No newline at end of file
diff --git a/terraform/preprod-app.tfvars b/terraform/preprod-app.tfvars
deleted file mode 100644
index 130f873ce..000000000
--- a/terraform/preprod-app.tfvars
+++ /dev/null
@@ -1,26 +0,0 @@
-env = "preprod"
-account = "preproduction"
-
-#region Relational database configuration
-
-rds_config_db_name = "gpgPreprodDb"
-rds_config_identifier = "gpg-preprod-db"
-rds_config_instance_class = "db.t3.small"
-rds_config_multi_az = true
-
-#endregion
-
-#region Elastic Beanstalk configuration
-
-elb_deployment_policy = "Rolling"
-elb_instance_max_size = 4
-elb_instance_min_size = 2
-elb_instance_type = "t2.large"
-
-#endregion
-
-#region Cloudfront configuration
-
-cloudfront_alternate_domain_name = "preprod.gender-pay-gap.service.gov.uk"
-
-#endregion
diff --git a/terraform/prod-app.tfbackend b/terraform/prod-app.tfbackend
deleted file mode 100644
index 08c80f99a..000000000
--- a/terraform/prod-app.tfbackend
+++ /dev/null
@@ -1,6 +0,0 @@
-bucket = "gender-pay-gap-production-tfstate"
-key = "prod/terraform.tfstate"
-dynamodb_table = "gender-pay-gap-tf-locks-prod"
-region = "eu-west-2"
-encrypt = true
-workspace_key_prefix = "gpg"
\ No newline at end of file
diff --git a/terraform/prod-app.tfvars b/terraform/prod-app.tfvars
deleted file mode 100644
index 85c1ccc13..000000000
--- a/terraform/prod-app.tfvars
+++ /dev/null
@@ -1,26 +0,0 @@
-env = "prod"
-account = "production"
-
-#region Relational database configuration
-
-rds_config_instance_class = "db.t3.small"
-rds_config_identifier = "gpg-prod-db"
-rds_config_db_name = "gpgProdDb"
-rds_config_multi_az = true
-
-#endregion
-
-#region Elastic Beanstalk configuration
-
-elb_deployment_policy = "RollingWithAdditionalBatch"
-elb_instance_max_size = 4
-elb_instance_min_size = 2
-elb_instance_type = "t2.large"
-
-#endregion
-
-#region Cloudfront configuration
-
-cloudfront_alternate_domain_name = "gender-pay-gap.service.gov.uk"
-
-#endregion
diff --git a/terraform/provider.tf b/terraform/provider.tf
deleted file mode 100644
index b9ce0b3b7..000000000
--- a/terraform/provider.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-// declarations for the providers being used
-
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 4.16"
- }
-
- random = {
- source = "hashicorp/random"
- version = "3.3.2"
- }
-
- null = {
- source = "hashicorp/null"
- version = "3.1.1"
- }
-
- }
-
- backend "s3" {}
-}
-
-provider "aws" {
- region = var.aws_region // no alias is provided so will be used as default
-}
-
-provider "aws" {
- region = "us-east-1"
- alias = "us-east-1"
-}
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
deleted file mode 100644
index 1f3c5db8e..000000000
--- a/terraform/variables.tf
+++ /dev/null
@@ -1,193 +0,0 @@
-// all declared input variables
-
-variable "aws_region" {
- type = string
- description = "The AWS region used for the provider and resources."
- default = "eu-west-2"
-}
-
-variable "env" {
- type = string
- description = "The environment name."
-}
-
-variable "account" {
- type = string
- description = "The AWS Cabinet Office account the environment is created in."
-}
-
-#region credentials
-
-variable "AWS_ACCESS_KEY_ID" {
- type = string
- description = "AWS access key id for terraform programmatic access. Set as an environment variable."
-}
-
-variable "AWS_SECRET_ACCESS_KEY" {
- type = string
- description = "AWS secret access key id for terraform programmatic access. Set as an environment variable."
-}
-#endregion
-
-#region Relational database configuration
-
-variable "rds_config_instance_class" {
- type = string
- description = "The class type of the database e.g. db.t3.small"
-}
-
-variable "rds_config_identifier" {
- type = string
- description = "Database id"
-}
-
-variable "rds_config_db_name" {
- type = string
- description = "Database name"
-}
-
-variable "rds_config_multi_az" {
- type = bool
- default = false
- description = "Specifies if the database has multiple availability zones"
-}
-
-// RDS environment variables
-variable "POSTGRES_CONFIG_USERNAME" {
- type = string
- description = "Database username. Initialized as an environment variable."
-}
-
-variable "POSTGRES_CONFIG_PASSWORD" {
- type = string
- description = "Database password. Initialized as an environment variable."
-}
-
-#endregion
-
-#region Elastic beanstalk configuration
-
-variable "elb_deployment_policy" {
- type = string
- description = "The deployment policy for Elastic Beanstalk application version deployments."
-}
-
-variable "elb_instance_max_size" {
- type = number
- description = "The maximum number of instances in Elastic Beanstalk Auto Scaling group." 
-}
-
-variable "elb_instance_min_size" {
- type = number
- description = "The minimum number of instances in Elastic Beanstalk Auto Scaling group."
-}
-
-variable "elb_instance_type" {
- type = string
- description = "The instance type that's used to run the application in the Elastic Beanstalk environment."
-}
-
-variable "ELB_LOAD_BALANCER_SSL_CERTIFICATE_ARN" {
- type = string
- description = "The certificate arn for Load Balancer. Passed in as secret in azure devops"
-}
-
-// Elastic Beanstalk environment variables
-// These are set in azure devops
-variable "ELB_ASPNETCORE_ENVIRONMENT" {
- type = string
-}
-
-variable "ELB_BASIC_AUTH_PASSWORD" {
- type = string
-}
-
-variable "ELB_BASIC_AUTH_USERNAME" {
- type = string
-}
-
-variable "ELB_COMPANIES_HOUSE_API_KEY" {
- type = string
-}
-
-variable "ELB_DATA_MIGRATION_PASSWORD" {
- type = string
-}
-
-variable "ELB_DEFAULT_ENCRYPTION_KEY" {
- type = string
-}
-
-variable "ELB_DEFAULT_ENCRYPTION_IV" {
- type = string
-}
-
-variable "ELB_DISABLE_SEARCH_CACHE" {
- type = string
-}
-
-variable "ELB_EHRC_API_TOKEN" {
- type = string
-}
-
-variable "ELB_FEATURE_FLAG_PRIVATE_MANUAL_REGISTRATION" {
- type = string
-}
-
-variable "ELB_FEATURE_FLAG_SEND_REGISTRATION_REVIEW_EMAILS" {
- type = string
-}
-
-variable "ELB_GEO_DISTRIBUTION_LIST" {
- type = string
-}
-
-variable "ELB_GOVUK_NOTIFY_API_KEY" {
- type = string
-}
-
-variable "ELB_OFFSET_CURRENT_DATE_TIME_FOR_SITE" {
- type = string
-}
-
-variable "ELB_REMINDER_EMAIL_DAYS" {
- type = string
-}
-
-variable "ELB_REPORTING_START_YEARS_TO_EXCLUDE_FROM_LATE_FLAG_ENFORCEMENT" {
- type = string
-}
-
-variable "ELB_REPORTING_START_YEARS_WITH_FURLOUGH_SCHEME" {
- type = string
-}
-
-variable "ELB_WEBJOBS_STOPPED" {
- type = string
-}
-
-#endregion
-
-#region cloudfront config
-
-variable "CLOUDFRONT_ACM_CERT_ARN" {
- type = string
- description = "The ARN of the ACM certificate used with this distribution. It must be in the us-east-1 region." 
-}
-
-variable "cloudfront_alternate_domain_name" {
- type = string
- description = "Any additional CNAMEs or Alias records, if any, for this distribution."
-}
-
-#endregion
-
-#region cloudwatch config
-
-variable "CLOUDWATCH_NOTIFICATION_EMAILS" {
- type = string
- description = "An email distribution list to be notified of alarm breaches. Pass in as environment variable."
- default = "Team-GenderPayGap@softwire.com"
-}
-
-#endregion
\ No newline at end of file
diff --git a/terraform/vpc.tf b/terraform/vpc.tf
deleted file mode 100644
index e70a716c2..000000000
--- a/terraform/vpc.tf
+++ /dev/null
@@ -1,109 +0,0 @@
-// Available availability zones
-data "aws_availability_zones" "available" {
- state = "available"
-}
-
-module "vpc" {
- // Keeping the 'registry.terraform.io/' prefix so Rider can find the module for autocompletion purposes
- source = "registry.terraform.io/terraform-aws-modules/vpc/aws"
- version = "3.14.2"
-
- name = "${local.env_prefix}-application-vpc"
- cidr = "10.0.0.0/16"
-
- azs = slice(data.aws_availability_zones.available.zone_ids, 0, 2)
- public_subnets = [cidrsubnet("10.0.0.0/16", 4, 0), cidrsubnet("10.0.0.0/16", 4, 1)]
- database_subnets = [cidrsubnet("10.0.0.0/16", 4, 2), cidrsubnet("10.0.0.0/16", 4, 3)]
-
- enable_ipv6 = true
- assign_ipv6_address_on_creation = true
-
- database_subnet_assign_ipv6_address_on_creation = false
-
- public_subnet_ipv6_prefixes = [0, 1]
- database_subnet_ipv6_prefixes = [2, 3]
-
- enable_dns_hostnames = true
- enable_dns_support = true
-
- enable_nat_gateway = true
- single_nat_gateway = false
-
- create_database_subnet_group = true
- create_database_subnet_route_table = true
- create_database_nat_gateway_route = true
- create_database_internet_gateway_route = true
-
- database_subnet_group_name = "${local.env_prefix}-db-subnet-group"
- database_subnet_group_tags = {
- Name = "${local.env_prefix}-db-subnet-group"
- }
-
- public_subnet_tags = {
- Name = "${local.env_prefix}-public"
- }
-
- private_subnet_tags = {
- Name = "${local.env_prefix}-private"
- }
-
- vpc_tags = {
- Name = "${local.env_prefix}-vpc"
- }
-
- // Logging and monitoring
- enable_flow_log = true
- flow_log_cloudwatch_iam_role_arn = aws_iam_role.cloudwatch-flow-log.arn
- flow_log_cloudwatch_log_group_retention_in_days = 60
- flow_log_destination_arn = aws_cloudwatch_log_group.gpg-flow-log.arn
- flow_log_destination_type = "cloud-watch-logs"
- flow_log_per_hour_partition = true
-}
-
-resource "aws_cloudwatch_log_group" "gpg-flow-log" {
- name = "${local.env_prefix}-flow-logs"
-}
-
-resource "aws_iam_role" "cloudwatch-flow-log" {
- name 
= "${local.env_prefix}-cloudwatch-flow-logs"
-
- assume_role_policy = <