Merge pull request #1330 from govuk-one-login/AUT-2306/upgrade-terraform

AUT-2306: Upgrade terraform and providers

.git-blame-ignore-revs

@@ -0,0 +1,2 @@
+# Reformatting of deploy-authdevs.sh
+4cf011b283c9b95e4733d4463d0f5352379ad8cb

.terraform-version

@@ -0,0 +1 @@
+ci/terraform/.terraform-version

ci/terraform/.terraform-version

@@ -1 +1 @@
-1.0.4
+1.7.1

ci/terraform/redis.tf

@@ -21,18 +21,18 @@ resource "random_password" "redis_password" {
 }
 
 resource "aws_elasticache_replication_group" "frontend_sessions_store" {
-  automatic_failover_enabled    = true
-  availability_zones            = data.aws_availability_zones.available.names
-  replication_group_id          = "${var.environment}-frontend-cache"
-  replication_group_description = "A Redis cluster for storing user session data for the frontend"
-  node_type                     = var.redis_node_size
-  number_cache_clusters         = length(data.aws_availability_zones.available.names)
-  engine                        = "redis"
-  engine_version                = "6.x"
-  parameter_group_name          = "default.redis6.x"
-  port                          = local.redis_port_number
-  maintenance_window            = "sun:22:00-sun:23:00"
-  notification_topic_arn        = data.aws_sns_topic.slack_events.arn
+  automatic_failover_enabled  = true
+  preferred_cache_cluster_azs = data.aws_availability_zones.available.names
+  replication_group_id        = "${var.environment}-frontend-cache"
+  description                 = "A Redis cluster for storing user session data for the frontend"
+  node_type                   = var.redis_node_size
+  num_cache_clusters          = length(data.aws_availability_zones.available.names)
+  engine                      = "redis"
+  engine_version              = "6.x"
+  parameter_group_name        = "default.redis6.x"
+  port                        = local.redis_port_number
+  maintenance_window          = "sun:22:00-sun:23:00"
+  notification_topic_arn      = data.aws_sns_topic.slack_events.arn
 
   multi_az_enabled = true
 

ci/terraform/site.tf

@@ -1,14 +1,14 @@
 terraform {
-  required_version = ">= 1.0.4"
+  required_version = ">= 1.7.1"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.10.0"
+      version = "= 5.34.0"
     }
     random = {
       source  = "hashicorp/random"
-      version = ">= 3.1.0"
+      version = "= 3.6.0"
     }
   }
 

ci/terraform/waf.tf

@@ -100,25 +100,40 @@ resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
         name        = "AWSManagedRulesCommonRuleSet"
         vendor_name = "AWS"
 
-        excluded_rule {
+        rule_action_override {
           name = "GenericRFI_QUERYARGUMENTS"
+          action_to_use {
+            count {}
+          }
         }
-        excluded_rule {
+        rule_action_override {
           name = "GenericRFI_BODY"
+          action_to_use {
+            count {}
+          }
         }
-        excluded_rule {
+        rule_action_override {
           name = "SizeRestrictions_QUERYSTRING"
+          action_to_use {
+            count {}
+          }
         }
-        dynamic "excluded_rule" {
+        dynamic "rule_action_override" {
           for_each = var.environment != "production" ? ["1"] : []
           content {
             name = "EC2MetaDataSSRF_BODY"
+            action_to_use {
+              count {}
+            }
           }
         }
-        dynamic "excluded_rule" {
+        dynamic "rule_action_override" {
           for_each = var.environment != "production" ? ["1"] : []
           content {
             name = "EC2MetaDataSSRF_QUERYARGUMENTS"
+            action_to_use {
+              count {}
+            }
           }
         }
       }

deploy-authdevs.sh

@@ -6,27 +6,26 @@ REPO_NAME="frontend-image-repository"
 REPO_URL="706615647326.dkr.ecr.eu-west-2.amazonaws.com/frontend-image-repository"
 IMAGE_TAG=latest
 
-envvalue=( "authdev1" "authdev2"  )
+envvalue=("authdev1" "authdev2")
 
 select word in "${envvalue[@]}"; do
-    if [[ -z "$word" ]]; then
-        printf '"%s" is not a valid choice\n' "$REPLY" >&2
-    else
-        user_in="$(( REPLY - 1 ))"
-        break
-    fi
+  if [[ -z "$word" ]]; then
+    printf '"%s" is not a valid choice\n' "$REPLY" >&2
+  else
+    user_in="$((REPLY - 1))"
+    break
+  fi
 done
 
-for (( i = 0; i < ${#envvalue[@]}; ++i )); do
-    if (( i == user_in )); then
-        printf 'You picked "%s"\n' "${envvalue[$i]}"
-        export env=${envvalue[$i]}
-        printf "deploying in enviorment %s\n" "$env"
-        read -r -p "Press enter to continue or ctr c to abort"
-    fi
+for ((i = 0; i < ${#envvalue[@]}; ++i)); do
+  if ((i == user_in)); then
+    printf 'You picked "%s"\n' "${envvalue[$i]}"
+    export env=${envvalue[$i]}
+    printf "deploying in enviorment %s\n" "$env"
+    read -r -p "Press enter to continue or ctr c to abort"
+  fi
 done
 
-
 function usage() {
   cat <<USAGE
   A script to deploy the GOV.UK Sign in APIs to the $env environment.
@@ -48,10 +47,12 @@ USAGE
 BUILD=0
 TERRAFORM=0
 TERRAFORM_OPTS="-auto-approve"
-if [[ $# == 0 ]]; then
+
+if [[ $# == 0 ]] || [[ $* == "-p" ]]; then
   BUILD=1
   TERRAFORM=1
 fi
+
 while [[ $# -gt 0 ]]; do
   case $1 in
   -b | --build)
@@ -76,7 +77,7 @@ while [[ $# -gt 0 ]]; do
 done
 
 echo "Generating temporary ECR credentials..."
-#Add you Tools DEV account Profile if diffrent name in below command 
+#Add you Tools DEV account Profile if diffrent name in below command
 aws ecr get-login-password --region eu-west-2 --profile di-tools-dev | docker login --username AWS --password-stdin "${REPO_URL}"
 
 if [[ $BUILD == "1" ]]; then
@@ -97,7 +98,7 @@ fi
 
 if [[ $TERRAFORM == "1" ]]; then
   echo -n "Getting AWS credentials ... "
-  ###Export The di-Auth-devlopment account profile below 
+  ###Export The di-Auth-devlopment account profile below
   export AWS_PROFILE=di-auth-dev
   echo "done!"
 
@@ -109,11 +110,11 @@ if [[ $TERRAFORM == "1" ]]; then
 
   if [[ $TERRAFORM_OPTS != "-destroy" ]]; then
     echo -n "Waiting for ECS deployment to complete ... "
-    aws ecs wait services-stable --services "$env-frontend-ecs-service" --cluster "$env-app-cluster"
+    aws --region eu-west-2 ecs wait services-stable --services "$env-frontend-ecs-service" --cluster "$env-app-cluster"
     echo "done!"
   fi
 
+  popd >/dev/null
 fi
 
 echo "Deployment complete!"
-popd >/dev/null

deploy-sandpit.sh

@@ -27,7 +27,8 @@ USAGE
 BUILD=0
 TERRAFORM=0
 TERRAFORM_OPTS="-auto-approve"
-if [[ $# == 0 ]]; then
+
+if [[ $# == 0 ]] || [[ $* == "-p" ]]; then
   BUILD=1
   TERRAFORM=1
 fi
@@ -87,10 +88,10 @@ if [[ $TERRAFORM == "1" ]]; then
 
   if [[ $TERRAFORM_OPTS != "-destroy" ]]; then
     echo -n "Waiting for ECS deployment to complete ... "
-    aws ecs wait services-stable --services "sandpit-frontend-ecs-service" --cluster "sandpit-app-cluster"
+    aws --region eu-west-2 ecs wait services-stable --services "sandpit-frontend-ecs-service" --cluster "sandpit-app-cluster"
     echo "done!"
   fi
+  popd >/dev/null
 fi
 
 echo "Deployment complete!"
-popd >/dev/null

scripts/terraform-lint.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel)"
+
+TMPDIR=${TMPDIR:-/tmp}
+TF_DATA_DIR=$(mktemp -d "${TMPDIR}/terraform_lint.XXXXXX")
+trap 'rm -r "${TF_DATA_DIR}"' EXIT
+export TF_DATA_DIR
+
+module_dir="${repo_root}/ci/terraform"
+
+printf "Validating \e[1;93m%s\e[0m...\n" "terraform"
+printf "\e[92m*\e[0m Initializing..."
+terraform -chdir="${module_dir}" init -backend=false &>/dev/null
+printf " done!\n"
+
+terraform -chdir="${module_dir}" validate
+terraform -chdir="${module_dir}" fmt -write=false -diff -recursive >>"${TF_DATA_DIR}"/lint
+if [ -s "${TF_DATA_DIR}"/lint ]; then
+    printf "\e[1;91m%s\e[0m\n" "The following files need to be formatted:"
+    cat "${TF_DATA_DIR}"/lint
+else
+    printf "\e[92m*\e[0m No formatting issues found.\n"
+fi

scripts/terraform-upgrade.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel)"
+
+TMPDIR=${TMPDIR:-/tmp}
+TF_DATA_DIR=$(mktemp -d "${TMPDIR}/terraform_lint.XXXXXX")
+trap 'rm -r "${TF_DATA_DIR}"' EXIT
+export TF_DATA_DIR
+
+module_dir="${repo_root}/ci/terraform"
+
+printf "Upgrading providers...\n"
+
+printf "\e[92m*\e[0m Initializing..."
+terraform -chdir="${module_dir}" init -backend=false -upgrade &>/dev/null
+printf " done!\n"
+
+printf "\e[92m*\e[0m Locking provider versions:\n"
+terraform -chdir="${module_dir}" providers lock \
+    -platform=windows_amd64 \
+    -platform=linux_amd64 \
+    -platform=linux_arm64 \
+    -platform=darwin_amd64 \
+    -platform=darwin_arm64