Merge pull request #2402 from govuk-one-login/whi-tw/AUT-3906/cost-al…

…location-tags

AUT-3906: Add cost allocation tags and upgrade terraform

.pre-commit-config.yaml

@@ -2,7 +2,7 @@ default_language_version:
   node: 20.17.0
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
@@ -11,23 +11,17 @@ repos:
       - id: check-executables-have-shebangs
       - id: check-shebang-scripts-are-executable
 
-  - repo: https://github.com/awslabs/cfn-python-lint
-    rev: v1.5.0
+  - repo: https://github.com/aws-cloudformation/cfn-lint
+    rev: v1.21.0
     hooks:
-      - id: cfn-python-lint
+      - id: cfn-lint
         exclude: ^(ci|.github)/.*|docker-compose.*|.pre-commit-config.yaml$
-        files: ^.*\.(yml|yaml)$
+        files: template\.ya?ml$
 
-  - repo: https://github.com/govuk-one-login/pre-commit-hooks.git
-    rev: 0.0.1
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.96.2
     hooks:
-      - id: terraform-format
-      - id: terraform-validate
-
-  - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.1
-    hooks:
-      - id: actionlint
+      - id: terraform_fmt
 
   - repo: local
     hooks:
@@ -43,6 +37,38 @@ repos:
         name: Run prettier
         language: node
         types: [text]
-        stages: [commit]
+        stages: [pre-commit]
         entry: yarn run prettier --write --ignore-unknown
         pass_filenames: true
+      - id: tfupdate-lock
+        name: Update terraform provider locks
+        files: ^ci/terraform/site.tf$
+        pass_filenames: false
+        types:
+          - file
+        language: golang
+        additional_dependencies:
+          - github.com/minamijoyo/[email protected]
+        entry: tfupdate lock
+        args:
+          - --platform
+          - linux_amd64
+          - --platform
+          - linux_arm64
+          - --platform
+          - darwin_amd64
+          - --platform
+          - darwin_arm64
+          - --platform
+          - windows_amd64
+          - -r
+          - ci/terraform
+
+  - repo: https://github.com/lalten/check-gha-pinning
+    rev: v1.3.0
+    hooks:
+      - id: check-gha-pinning
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.4
+    hooks:
+      - id: actionlint

ci/terraform/alb.tf

@@ -21,8 +21,6 @@ resource "aws_lb" "frontend_alb" {
       prefix  = "frontend-alb"
     }
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_wafv2_web_acl_association" "alb_waf_association" {
@@ -47,8 +45,6 @@ resource "aws_alb_target_group" "frontend_alb_target_group" {
     path                = "/healthcheck/"
     unhealthy_threshold = "2"
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_alb_listener" "frontend_alb_listener_https" {
@@ -67,8 +63,6 @@ resource "aws_alb_listener" "frontend_alb_listener_https" {
   depends_on = [
     aws_acm_certificate_validation.frontend_acm_alb_certificate_validation
   ]
-
-  tags = local.default_tags
 }
 
 resource "aws_alb_listener_rule" "frontend_alb_listener_https_robots" {
@@ -105,8 +99,6 @@ resource "aws_alb_listener" "frontend_alb_listener_http" {
       status_code = "HTTP_301"
     }
   }
-
-  tags = local.default_tags
 }
 
 #S3 Bucket for ElB access logs
@@ -164,8 +156,9 @@ resource "aws_alb_target_group" "frontend_service_down_alb_target_group" {
     path                = "/healthcheck/"
     unhealthy_threshold = "2"
   }
-
-  tags = local.default_tags
+  tags = {
+    Service = "service-down-page"
+  }
 }
 
 resource "aws_alb_listener_rule" "service_down_rule" {
@@ -183,4 +176,7 @@ resource "aws_alb_listener_rule" "service_down_rule" {
       values = ["/service-page-disabled/*"]
     }
   }
+  tags = {
+    Service = "service-down-page"
+  }
 }

ci/terraform/cloudfront.tf

@@ -16,7 +16,6 @@ resource "aws_cloudformation_stack" "cloudfront" {
     StandardLoggingEnabled       = true
     LogDestination               = var.cloudfront_WafAcl_Logdestination
   }
-  tags = local.default_tags
 
   #ignoring below parameter as these parameter are been read via secret manager and terraform continually detects changes
   # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value
@@ -40,5 +39,4 @@ resource "aws_cloudformation_stack" "cloudfront-monitoring" {
     CloudfrontDistribution              = aws_cloudformation_stack.cloudfront.outputs["DistributionId"]
   }
   depends_on = [aws_cloudformation_stack.cloudfront]
-  tags       = local.default_tags
 }

ci/terraform/cloudwatch.tf

@@ -46,16 +46,12 @@ resource "aws_kms_key" "cloudwatch_log_encryption" {
   deletion_window_in_days = 30
   enable_key_rotation     = true
   policy                  = data.aws_iam_policy_document.cloudwatch.json
-
-  tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_group" "ecs_frontend_task_log" {
   name              = "/ecs/${var.environment}-frontend"
   kms_key_id        = aws_kms_key.cloudwatch_log_encryption.arn
   retention_in_days = var.cloudwatch_log_retention
-
-  tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "ecs_frontend_task_log_subscription" {
@@ -106,8 +102,6 @@ resource "aws_cloudwatch_log_group" "alb_waf_log" {
   name              = "aws-waf-logs-frontend-alb-${var.environment}"
   kms_key_id        = aws_kms_key.cloudwatch_log_encryption.arn
   retention_in_days = var.cloudwatch_log_retention
-
-  tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "alb_waf_log_subscription" {

ci/terraform/dynatrace.tf

@@ -28,6 +28,4 @@ resource "aws_iam_policy" "dynatrace_policy" {
   policy      = data.aws_iam_policy_document.dynatrace_policy.json
   path        = "/${var.environment}/"
   name_prefix = "dynatrace-secret-policy"
-
-  tags = local.default_tags
 }

ci/terraform/ecs-roles.tf

@@ -13,8 +13,6 @@ data "aws_iam_policy_document" "ecs_assume_role_policy" {
 resource "aws_iam_role" "ecs_task_execution_role" {
   name               = "${var.environment}-frontend-ecs-task-execution-role"
   assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
-
-  tags = local.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attachment" {
@@ -30,8 +28,6 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach
 resource "aws_iam_role" "ecs_task_role" {
   name               = "${var.environment}-frontend-ecs-task-role"
   assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
-
-  tags = local.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "account_management_ecs_task_role_ssm_policy_attachment" {
@@ -59,7 +55,9 @@ resource "aws_iam_role" "service_down_ecs_task_execution_role" {
   name_prefix        = "${var.environment}-service-down-page-exec-"
   assume_role_policy = data.aws_iam_policy_document.service_down_ecs_assume_role_policy[0].json
 
-  tags = local.default_tags
+  tags = {
+    Service = "service-down-page"
+  }
 }
 
 resource "aws_iam_role_policy_attachment" "service_down_ecs_task_execution_role_policy_attachment" {

ci/terraform/ecs.tf

@@ -309,8 +309,6 @@ resource "aws_ecs_service" "frontend_ecs_service" {
     container_name   = var.basic_auth_password == "" ? local.frontend_container_definition.name : local.sidecar_container_definition.name
     container_port   = local.application_port
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_ecs_task_definition" "frontend_task_definition" {
@@ -327,8 +325,6 @@ resource "aws_ecs_task_definition" "frontend_task_definition" {
     local.frontend_container_definition,
     local.sidecar_container_definition,
   ])
-
-  tags = local.default_tags
 }
 
 
@@ -367,7 +363,9 @@ resource "aws_ecs_service" "service_down_ecs_service" {
     container_port   = local.service_down_page_app_port
   }
 
-  tags = local.default_tags
+  tags = {
+    Service = "service-down-page"
+  }
 
   depends_on = [
     aws_alb_listener_rule.service_down_rule[0],
@@ -403,12 +401,18 @@ resource "aws_ecs_task_definition" "service_down_page_task_definition" {
       }]
   }])
 
-  tags = local.default_tags
+  tags = {
+    Service = "service-down-page"
+  }
 }
 
 resource "aws_cloudwatch_log_group" "service_down_page" {
   count = var.service_down_page ? 1 : 0
   name  = "/ecs/${var.environment}-service-down-page"
 
   retention_in_days = 1
+
+  tags = {
+    Service = "service-down-page"
+  }
 }

ci/terraform/kms.tf

@@ -3,8 +3,6 @@ resource "aws_kms_key" "authentication_encryption_key" {
   deletion_window_in_days  = 30
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "RSA_2048"
-
-  tags = local.default_tags
 }
 
 resource "aws_kms_key_policy" "authentication_encryption_key_access_policy" {

ci/terraform/redis.tf

@@ -5,8 +5,6 @@ locals {
 resource "aws_elasticache_subnet_group" "frontend_redis_session_store" {
   name       = "${var.environment}-frontend-redis-subnet"
   subnet_ids = local.private_subnet_ids
-
-  tags = local.default_tags
 }
 
 
@@ -51,6 +49,4 @@ resource "aws_elasticache_replication_group" "frontend_sessions_store" {
       engine_version
     ]
   }
-
-  tags = local.default_tags
 }

ci/terraform/route53.tf

@@ -34,8 +34,6 @@ resource "aws_acm_certificate" "frontend_alb_certificate" {
   domain_name       = aws_route53_record.frontend.name
   validation_method = "DNS"
 
-  tags = local.default_tags
-
   lifecycle {
     create_before_destroy = true
   }
@@ -103,8 +101,6 @@ resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
   domain_name       = local.frontend_fqdn
   validation_method = "DNS"
 
-  tags = local.default_tags
-
   lifecycle {
     create_before_destroy = true
   }