fix tf format

.release-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "5.11.0"
+  ".": "5.12.1"
 }

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [5.12.1](https://github.com/uktrade/terraform-platform-modules/compare/5.12.0...5.12.1) (2024-12-04)
+
+
+### Bug Fixes
+
+* Environment pipeline permissions ([#299](https://github.com/uktrade/terraform-platform-modules/issues/299)) ([7eb1a63](https://github.com/uktrade/terraform-platform-modules/commit/7eb1a63c5ffde9767ed9a71fd9739378fd56976d))
+
+## [5.12.0](https://github.com/uktrade/terraform-platform-modules/compare/5.11.0...5.12.0) (2024-12-03)
+
+
+### Features
+
+* DBTP-1299 - Cross account database copy ([#294](https://github.com/uktrade/terraform-platform-modules/issues/294)) ([ac84ca8](https://github.com/uktrade/terraform-platform-modules/commit/ac84ca8690ab530e74efadabf179fa8b38059c70))
+
 ## [5.11.0](https://github.com/uktrade/terraform-platform-modules/compare/5.10.0...5.11.0) (2024-11-29)
 
 

application-load-balancer/lambda_function/rotate_secret_lambda.py

@@ -1,5 +1,3 @@
-# import os
-# import json
 import boto3
 import logging
 
@@ -10,9 +8,6 @@
 
 service_client = boto3.client('secretsmanager')
 
-AWSPENDING = "AWSPENDING"
-AWSCURRENT = "AWSCURRENT"
-
 
 def lambda_handler(event, context):
     secret_id = event.get('SecretId')

application-load-balancer/lambda_function/secret_rotator.py

@@ -4,7 +4,6 @@
 import logging
 import requests
 import time
-#import uuid
 from typing import Tuple, Dict, Any, List, Optional
 from slack_service import SlackNotificationService
 from requests.exceptions import RequestException
@@ -246,6 +245,9 @@ def process_cf_distributions_and_WAF_rules(self, matching_distributions, pending
         """
         Process CloudFront distributions based on whether the custom header is already present.
         If the custom header is missing, it will be added to the distribution.
+        Updates the WAF ACL & the CloudFront distributions with the AWSPENDING & AWSCURRENT secret values.
+        This method should set the AWSPENDING secret in the service that the secret belongs to.
+        Sleep 75 seconds to allow resources to update
         """
         all_have_header = True  # Assume all distributions have the header initially
 

application-load-balancer/secret_manager.tf

@@ -13,11 +13,14 @@ data "aws_iam_policy_document" "secret_manager_policy" {
     effect = "Allow"
 
     principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.dns_account_id}:role/environment-pipeline-assumed-role"]
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.dns_account_id}:role/environment-pipeline-assumed-role"
+      ]
     }
 
-    actions = ["secretsmanager:GetSecretValue",
+    actions = [
+      "secretsmanager:GetSecretValue",
     "secretsmanager:DescribeSecret"]
     resources = [aws_secretsmanager_secret.origin-verify-secret.arn]
   }

cdn/main.tf

@@ -164,7 +164,7 @@ resource "aws_cloudfront_distribution" "standard" {
   }
 
   lifecycle {
-    # Use `ignore_changes` to allow rotation without Terraform overwriting the value
+    # Use `ignore_changes` to allow custom_header secret rotation without Terraform overwriting the value
     ignore_changes = [origin]
   }
 

environment-pipelines/iam.tf

@@ -503,7 +503,7 @@ data "aws_iam_policy_document" "kms_key" {
         "kms:DeleteAlias"
       ]
       resources = [
-        "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/${var.application}-${statement.value.name}-*-key"
+        "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/${var.application}-${statement.value.name}-*",
       ]
     }
   }
@@ -746,16 +746,25 @@ data "aws_iam_policy_document" "ecs" {
   }
 
   statement {
-    sid = "AllowRegisterAndDeregister"
+    sid = "AllowRegister"
     actions = [
-      "ecs:DeregisterTaskDefinition",
       "ecs:RegisterTaskDefinition",
     ]
     resources = [
       "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:task-definition/*",
       "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:task-definition/"
     ]
   }
+
+  statement {
+    sid = "AllowDeregister"
+    actions = [
+      "ecs:DeregisterTaskDefinition"
+    ]
+    resources = [
+      "*"
+    ]
+  }
 }
 
 resource "aws_iam_policy" "ecs" {

postgres/database-copy.tf

@@ -1,10 +1,11 @@
 module "database-dump" {
-  count  = length(local.data_dump_tasks)
+  count  = length(local.data_dump_tasks) > 0 ? 1 : 0
   source = "./database-dump"
 
   application   = var.application
   environment   = var.environment
   database_name = var.name
+  tasks         = local.data_dump_tasks
 }
 
 
@@ -16,4 +17,4 @@ module "database-load" {
   environment   = var.environment
   database_name = var.name
   task          = local.data_load_tasks[count.index]
-}
+}

postgres/database-dump/locals.tf

@@ -12,5 +12,4 @@ locals {
   dump_bucket_name   = local.task_name
 
   ecr_repository_arn = "arn:aws:ecr-public::763451185160:repository/database-copy"
-
-}
+}

postgres/database-dump/main.tf

@@ -56,7 +56,6 @@ resource "aws_iam_role_policy" "allow_task_creation" {
   policy = data.aws_iam_policy_document.allow_task_creation.json
 }
 
-
 data "aws_iam_policy_document" "data_dump" {
   policy_id = "data_dump"
   statement {
@@ -163,7 +162,6 @@ resource "aws_ecs_task_definition" "service" {
   }
 }
 
-
 resource "aws_s3_bucket" "data_dump_bucket" {
   # checkov:skip=CKV_AWS_144: Cross Region Replication not Required
   # checkov:skip=CKV2_AWS_62: Requires wider discussion around log/event ingestion before implementing. To be picked up on conclusion of DBTP-974
@@ -182,22 +180,40 @@ data "aws_iam_policy_document" "data_dump_bucket_policy" {
       type        = "*"
       identifiers = ["*"]
     }
-
     actions = [
       "s3:*",
     ]
-
     effect = "Deny"
-
     condition {
       test     = "Bool"
       variable = "aws:SecureTransport"
-
       values = [
         "false",
       ]
     }
+    resources = [
+      aws_s3_bucket.data_dump_bucket.arn,
+      "${aws_s3_bucket.data_dump_bucket.arn}/*",
+    ]
+  }
 
+  statement {
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        for el in var.tasks :
+        "arn:aws:iam::${coalesce(el.to_account, data.aws_caller_identity.current.account_id)}:role/${var.application}-${el.to}-${var.database_name}-load-task"
+      ]
+    }
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:GetObjectTagging",
+      "s3:GetObjectVersion",
+      "s3:GetObjectVersionTagging",
+      "s3:DeleteObject"
+    ]
     resources = [
       aws_s3_bucket.data_dump_bucket.arn,
       "${aws_s3_bucket.data_dump_bucket.arn}/*",
@@ -216,13 +232,17 @@ resource "aws_kms_key" "data_dump_kms_key" {
   tags        = local.tags
 
   policy = jsonencode({
-    Id = "key-default-1"
     Statement = [
       {
         "Sid" : "Enable IAM User Permissions",
         "Effect" : "Allow",
         "Principal" : {
-          "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+          "AWS" : flatten([
+            "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+            [for el in var.tasks :
+              "arn:aws:iam::${coalesce(el.to_account, data.aws_caller_identity.current.account_id)}:role/${var.application}-${el.to}-${var.database_name}-load-task"
+            ]
+          ])
         },
         "Action" : "kms:*",
         "Resource" : "*"

postgres/database-dump/tests/unit.tftest.hcl

@@ -2,6 +2,12 @@ variables {
   application   = "test-app"
   environment   = "test-env"
   database_name = "test-db"
+  tasks = [
+    {
+      from : "prod"
+      to : "dev"
+    }
+  ]
 }
 
 mock_provider "aws" {}
@@ -68,8 +74,12 @@ run "data_dump_unit_test" {
       for el in data.aws_iam_policy_document.assume_ecs_task_role.statement[0].principals :
       true if el.type == "Service" && [
         for identifier in el.identifiers : true if identifier == "ecs-tasks.amazonaws.com"
-      ][0] == true
-    ][0] == true
+        ][
+        0
+      ] == true
+      ][
+      0
+    ] == true
     error_message = "Principal identifier should be: 'ecs-tasks.amazonaws.com'"
   }
 
@@ -142,7 +152,7 @@ run "data_dump_unit_test" {
 
   assert {
     condition     = contains(data.aws_iam_policy_document.data_dump.statement[1].actions, "kms:Decrypt")
-    error_message = "Permission not found: kms:Encrypt"
+    error_message = "Permission not found: kms:Decrypt"
   }
 
   assert {
@@ -262,13 +272,37 @@ run "data_dump_unit_test" {
   }
 
   assert {
-    condition     = [for el in data.aws_iam_policy_document.data_dump_bucket_policy.statement[0].condition : true if(el.variable == "aws:SecureTransport" && contains(el.values, "false"))] == [true]
+    condition = [
+      for el in data.aws_iam_policy_document.data_dump_bucket_policy.statement[0].condition : true
+      if(el.variable == "aws:SecureTransport" && contains(el.values, "false"))
+    ] == [true]
     error_message = "Should be denied if not aws:SecureTransport"
   }
 
-  # aws_s3_bucket_policy.data_dump_bucket_policy.policy cannot be tested with plan
+  assert {
+    condition     = [for el in data.aws_iam_policy_document.data_dump_bucket_policy.statement[1].principals : el.type][0] == "AWS"
+    error_message = "Should be: AWS"
+  }
+
+  assert {
+    condition     = flatten([for el in data.aws_iam_policy_document.data_dump_bucket_policy.statement[1].principals : el.identifiers]) == ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/test-app-dev-test-db-load-task"]
+    error_message = "Bucket policy principals incorrect"
+  }
+
+  assert {
+    condition = data.aws_iam_policy_document.data_dump_bucket_policy.statement[1].actions == toset(["s3:ListBucket",
+      "s3:GetObject",
+      "s3:GetObjectTagging",
+      "s3:GetObjectVersion",
+      "s3:GetObjectVersionTagging",
+    "s3:DeleteObject"])
+    error_message = "Unexpected actions"
+  }
 
-  # aws_kms_key.data_dump_kms_key policy cannot be tested with plan
+  assert {
+    condition     = strcontains(aws_kms_key.data_dump_kms_key.policy, "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root") && !strcontains(aws_kms_key.data_dump_kms_key.policy, "arn:aws:iam::000123456789:role/test-app-dev-test-db-load-task")
+    error_message = "Unexpected KMS key policy principal"
+  }
 
   assert {
     condition     = aws_kms_alias.data_dump_kms_alias.name == "alias/test-app-test-env-test-db-dump"
@@ -281,7 +315,10 @@ run "data_dump_unit_test" {
   }
 
   assert {
-    condition     = [for el in aws_s3_bucket_server_side_encryption_configuration.encryption-config.rule : el.apply_server_side_encryption_by_default[0].sse_algorithm] == ["aws:kms"]
+    condition = [
+      for el in aws_s3_bucket_server_side_encryption_configuration.encryption-config.rule :
+      el.apply_server_side_encryption_by_default[0].sse_algorithm
+    ] == ["aws:kms"]
     error_message = "Server side encryption algorithm should be: aws:kms"
   }
 
@@ -295,3 +332,40 @@ run "data_dump_unit_test" {
     error_message = "Public access block has expected conditions"
   }
 }
+
+run "cross_account_data_dump_unit_test" {
+  command = plan
+
+  variables {
+    tasks = [
+      {
+        from : "prod"
+        from_account : "123456789000"
+        to : "dev"
+        to_account : "000123456789"
+      }
+    ]
+  }
+
+  assert {
+    condition     = [for el in data.aws_iam_policy_document.data_dump_bucket_policy.statement[1].principals : el.type][0] == "AWS"
+    error_message = "Should be: AWS"
+  }
+  assert {
+    condition     = flatten([for el in data.aws_iam_policy_document.data_dump_bucket_policy.statement[1].principals : el.identifiers]) == ["arn:aws:iam::000123456789:role/test-app-dev-test-db-load-task"]
+    error_message = "Bucket policy principals incorrect"
+  }
+  assert {
+    condition = data.aws_iam_policy_document.data_dump_bucket_policy.statement[1].actions == toset(["s3:ListBucket",
+      "s3:GetObject",
+      "s3:GetObjectTagging",
+      "s3:GetObjectVersion",
+      "s3:GetObjectVersionTagging",
+    "s3:DeleteObject"])
+    error_message = "Unexpected actions"
+  }
+  assert {
+    condition     = strcontains(aws_kms_key.data_dump_kms_key.policy, "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root") && strcontains(aws_kms_key.data_dump_kms_key.policy, "arn:aws:iam::000123456789:role/test-app-dev-test-db-load-task")
+    error_message = "Unexpected KMS key policy principal"
+  }
+}

postgres/database-dump/variables.tf

@@ -9,3 +9,12 @@ variable "environment" {
 variable "database_name" {
   type = string
 }
+
+variable "tasks" {
+  type = list(object({
+    from         = string
+    to           = string
+    from_account = optional(string)
+    to_account   = optional(string)
+  }))
+}

postgres/database-load/locals.tf

@@ -9,10 +9,10 @@ locals {
 
   task_name = "${var.application}-${var.environment}-${var.database_name}-load"
 
-  dump_task_name     = "${var.application}-${var.task.from}-${var.database_name}-dump"
+  dump_task_name = "${var.application}-${var.task.from}-${var.database_name}-dump"
+  # tflint-ignore: terraform_unused_declarations
   dump_kms_key_alias = "alias/${local.dump_task_name}"
   dump_bucket_name   = local.dump_task_name
 
   ecr_repository_arn = "arn:aws:ecr-public::763451185160:repository/database-copy"
-
 }