diff --git a/ci/terraform/alb.tf b/ci/terraform/alb.tf
index 3cfa45215..e46bdd07e 100644
--- a/ci/terraform/alb.tf
+++ b/ci/terraform/alb.tf
@@ -21,8 +21,6 @@ resource "aws_lb" "frontend_alb" {
 prefix = "frontend-alb"
 }
 }
-
- tags = local.default_tags
 }
 
 resource "aws_wafv2_web_acl_association" "alb_waf_association" {
@@ -47,8 +45,6 @@ resource "aws_alb_target_group" "frontend_alb_target_group" {
 path = "/healthcheck/"
 unhealthy_threshold = "2"
 }
-
- tags = local.default_tags
 }
 
 resource "aws_alb_listener" "frontend_alb_listener_https" {
@@ -67,8 +63,6 @@ resource "aws_alb_listener" "frontend_alb_listener_https" {
 depends_on = [
 aws_acm_certificate_validation.frontend_acm_alb_certificate_validation
 ]
-
- tags = local.default_tags
 }
 
 resource "aws_alb_listener_rule" "frontend_alb_listener_https_robots" {
@@ -105,8 +99,6 @@ resource "aws_alb_listener" "frontend_alb_listener_http" {
 status_code = "HTTP_301"
 }
 }
-
- tags = local.default_tags
 }
 
 #S3 Bucket for ElB access logs
@@ -164,8 +156,9 @@ resource "aws_alb_target_group" "frontend_service_down_alb_target_group" {
 path = "/healthcheck/"
 unhealthy_threshold = "2"
 }
-
- tags = local.default_tags
+ tags = {
+ Service = "service-down-page"
+ }
 }
 
 resource "aws_alb_listener_rule" "service_down_rule" {
@@ -183,4 +176,7 @@ resource "aws_alb_listener_rule" "service_down_rule" {
 values = ["/service-page-disabled/*"]
 }
 }
+ tags = {
+ Service = "service-down-page"
+ }
 }
diff --git a/ci/terraform/cloudfront.tf b/ci/terraform/cloudfront.tf
index c1608d349..870e80b03 100644
--- a/ci/terraform/cloudfront.tf
+++ b/ci/terraform/cloudfront.tf
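Review bot: The `Service = "service-down-page"` override map added in the frontend_service_down_alb_target_group hunk is repeated verbatim in the service_down_rule hunk below it and again in ecs-roles.tf, ecs.tf and security-groups.tf; hoisting it into one local and writing `tags = local.service_down_page_tags` at each site keeps the six copies from drifting. Whether a resource-level `Service` key cleanly overrides the provider-level `Service = "frontend"` from default_tags, or is reported as a conflict, depends on the pinned AWS provider major version, which lives in the `terraform {}` block outside this diff, so it is worth confirming the plan shows the intended value on these resources rather than assuming precedence.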
@@ -16,7 +16,6 @@ resource "aws_cloudformation_stack" "cloudfront" {
 StandardLoggingEnabled = true
 LogDestination = var.cloudfront_WafAcl_Logdestination
 }
- tags = local.default_tags
 #ignoring below parameter as these parameter are been read via secret manager and terraform continually detects changes
 # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value
 
@@ -40,5 +39,4 @@ resource "aws_cloudformation_stack" "cloudfront-monitoring" {
 CloudfrontDistribution = aws_cloudformation_stack.cloudfront.outputs["DistributionId"]
 }
 depends_on = [aws_cloudformation_stack.cloudfront]
- tags = local.default_tags
 }
diff --git a/ci/terraform/cloudwatch.tf b/ci/terraform/cloudwatch.tf
index bcf00941c..8efc6f928 100644
--- a/ci/terraform/cloudwatch.tf
+++ b/ci/terraform/cloudwatch.tf
@@ -46,16 +46,12 @@ resource "aws_kms_key" "cloudwatch_log_encryption" {
 deletion_window_in_days = 30
 enable_key_rotation = true
 policy = data.aws_iam_policy_document.cloudwatch.json
-
- tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_group" "ecs_frontend_task_log" {
 name = "/ecs/${var.environment}-frontend"
 kms_key_id = aws_kms_key.cloudwatch_log_encryption.arn
 retention_in_days = var.cloudwatch_log_retention
-
- tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "ecs_frontend_task_log_subscription" {
@@ -106,8 +102,6 @@ resource "aws_cloudwatch_log_group" "alb_waf_log" {
 name = "aws-waf-logs-frontend-alb-${var.environment}"
 kms_key_id = aws_kms_key.cloudwatch_log_encryption.arn
 retention_in_days = var.cloudwatch_log_retention
-
- tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "alb_waf_log_subscription" {
diff --git a/ci/terraform/dynatrace.tf b/ci/terraform/dynatrace.tf
index de263f4ca..186277675 100644
--- a/ci/terraform/dynatrace.tf
+++ b/ci/terraform/dynatrace.tf
@@ -28,6 +28,4 @@ resource "aws_iam_policy" "dynatrace_policy" {
 policy = data.aws_iam_policy_document.dynatrace_policy.json
 path = "/${var.environment}/"
 name_prefix = "dynatrace-secret-policy"
-
- tags = local.default_tags
 }
diff --git a/ci/terraform/ecs-roles.tf b/ci/terraform/ecs-roles.tf
index c0e07a575..ff2e0aca4 100644
--- a/ci/terraform/ecs-roles.tf
+++ b/ci/terraform/ecs-roles.tf
@@ -13,8 +13,6 @@ data "aws_iam_policy_document" "ecs_assume_role_policy" {
 resource "aws_iam_role" "ecs_task_execution_role" {
 name = "${var.environment}-frontend-ecs-task-execution-role"
 assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
-
- tags = local.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attachment" {
@@ -30,8 +28,6 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach
 resource "aws_iam_role" "ecs_task_role" {
 name = "${var.environment}-frontend-ecs-task-role"
 assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
-
- tags = local.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "account_management_ecs_task_role_ssm_policy_attachment" {
@@ -59,7 +55,9 @@ resource "aws_iam_role" "service_down_ecs_task_execution_role" {
 name_prefix = "${var.environment}-service-down-page-exec-"
 assume_role_policy = data.aws_iam_policy_document.service_down_ecs_assume_role_policy[0].json
 
- tags = local.default_tags
+ tags = {
+ Service = "service-down-page"
+ }
 }
 
 resource "aws_iam_role_policy_attachment" "service_down_ecs_task_execution_role_policy_attachment" {
diff --git a/ci/terraform/ecs.tf b/ci/terraform/ecs.tf
index 6402c1a92..d1b392229 100644
--- a/ci/terraform/ecs.tf
+++ b/ci/terraform/ecs.tf
@@ -309,8 +309,6 @@ resource "aws_ecs_service" "frontend_ecs_service" {
 container_name = var.basic_auth_password == "" ? local.frontend_container_definition.name : local.sidecar_container_definition.name
 container_port = local.application_port
 }
-
- tags = local.default_tags
 }
 
 resource "aws_ecs_task_definition" "frontend_task_definition" {
@@ -327,8 +325,6 @@ resource "aws_ecs_task_definition" "frontend_task_definition" {
 local.frontend_container_definition,
 local.sidecar_container_definition,
 ])
-
- tags = local.default_tags
 }
 
 
@@ -367,7 +363,9 @@ resource "aws_ecs_service" "service_down_ecs_service" {
 container_port = local.service_down_page_app_port
 }
 
- tags = local.default_tags
+ tags = {
+ Service = "service-down-page"
+ }
 
 depends_on = [
 aws_alb_listener_rule.service_down_rule[0],
@@ -403,7 +401,9 @@ resource "aws_ecs_task_definition" "service_down_page_task_definition" {
 }]
 }])
 
- tags = local.default_tags
+ tags = {
+ Service = "service-down-page"
+ }
 }
 
 resource "aws_cloudwatch_log_group" "service_down_page" {
@@ -411,4 +411,8 @@ resource "aws_cloudwatch_log_group" "service_down_page" {
 name = "/ecs/${var.environment}-service-down-page"
 retention_in_days = 1
 
+
+ tags = {
+ Service = "service-down-page"
+ }
 }
diff --git a/ci/terraform/kms.tf b/ci/terraform/kms.tf
index 5f89b4553..3d6ce6d44 100644
--- a/ci/terraform/kms.tf
+++ b/ci/terraform/kms.tf
@@ -3,8 +3,6 @@ resource "aws_kms_key" "authentication_encryption_key" {
 deletion_window_in_days = 30
 key_usage = "ENCRYPT_DECRYPT"
 customer_master_key_spec = "RSA_2048"
-
- tags = local.default_tags
 }
 
 resource "aws_kms_key_policy" "authentication_encryption_key_access_policy" {
diff --git a/ci/terraform/redis.tf b/ci/terraform/redis.tf
index 0b96ff007..bbac471ac 100644
--- a/ci/terraform/redis.tf
+++ b/ci/terraform/redis.tf
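Review bot: `aws_cloudwatch_log_group.service_down_page` in the last ecs.tf hunk still has no `kms_key_id`, whereas every other log group touched by this diff (cloudwatch.tf and waf.tf) is encrypted with a customer-managed key, so its logs rest on the service-default key alone; since the block is being edited anyway, adding `kms_key_id = aws_kms_key.cloudwatch_log_encryption.arn` would make it consistent with the rest. That only works if the key policy in `data.aws_iam_policy_document.cloudwatch` (not shown here) grants the CloudWatch Logs service principal access for this log group's ARN, which should be checked before applying. The enclosing resource block starts outside the hunk.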
@@ -5,8 +5,6 @@ locals {
 resource "aws_elasticache_subnet_group" "frontend_redis_session_store" {
 name = "${var.environment}-frontend-redis-subnet"
 subnet_ids = local.private_subnet_ids
-
- tags = local.default_tags
 }
 
 
@@ -51,6 +49,4 @@ resource "aws_elasticache_replication_group" "frontend_sessions_store" {
 engine_version
 ]
 }
-
- tags = local.default_tags
 }
diff --git a/ci/terraform/route53.tf b/ci/terraform/route53.tf
index 601e5b98c..1837f84b2 100644
--- a/ci/terraform/route53.tf
+++ b/ci/terraform/route53.tf
@@ -34,8 +34,6 @@ resource "aws_acm_certificate" "frontend_alb_certificate" {
 domain_name = aws_route53_record.frontend.name
 validation_method = "DNS"
 
- tags = local.default_tags
-
 lifecycle {
 create_before_destroy = true
 }
@@ -103,8 +101,6 @@ resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
 domain_name = local.frontend_fqdn
 validation_method = "DNS"
 
- tags = local.default_tags
-
 lifecycle {
 create_before_destroy = true
 }
diff --git a/ci/terraform/security-groups.tf b/ci/terraform/security-groups.tf
index 98ce70d4d..4a6fc0ee8 100644
--- a/ci/terraform/security-groups.tf
+++ b/ci/terraform/security-groups.tf
@@ -6,8 +6,6 @@ resource "aws_security_group" "frontend_redis_security_group" {
 lifecycle {
 create_before_destroy = true
 }
-
- tags = local.default_tags
 }
 
 resource "aws_security_group_rule" "allow_incoming_frontend_redis_from_private_subnet" {
@@ -41,8 +39,6 @@ resource "aws_security_group" "allow_access_to_frontend_redis" {
 lifecycle {
 create_before_destroy = true
 }
-
- tags = local.default_tags
 }
 
 resource "aws_security_group_rule" "allow_connection_to_frontend_redis" {
@@ -62,8 +58,6 @@ resource "aws_security_group" "frontend_alb_sg" {
 lifecycle {
 create_before_destroy = true
 }
-
- tags = local.default_tags
 }
 
 resource "aws_security_group_rule" "allow_alb_http_ingress_from_anywhere" {
@@ -106,8 +100,6 @@ resource "aws_security_group" "frontend_ecs_tasks_sg" {
 lifecycle {
 create_before_destroy = true
 }
-
- tags = local.default_tags
 }
 
 resource "aws_security_group_rule" "allow_ecs_task_ingress_from_alb" {
@@ -132,6 +124,9 @@ resource "aws_security_group" "service_down_page" {
 lifecycle {
 create_before_destroy = true
 }
+ tags = {
+ Service = "service-down-page"
+ }
 }
 
 resource "aws_security_group_rule" "allow_incoming_http_from_frontend_alb" {
diff --git a/ci/terraform/site.tf b/ci/terraform/site.tf
index b21c1c337..d6cc24f34 100644
--- a/ci/terraform/site.tf
+++ b/ci/terraform/site.tf
@@ -16,11 +16,29 @@ terraform {
 }
 }
 
+locals {
+ provider_default_tags = {
+ Environment = var.environment
+ Owner = "di-authentication@digital.cabinet-office.gov.uk"
+ Product = "GOV.UK Sign In"
+ System = "Authentication"
+ Service = "frontend"
+ application = "auth-frontend"
+ }
+}
+
 provider "aws" {
 region = var.aws_region
 
- assume_role {
- role_arn = var.deployer_role_arn
+ dynamic "assume_role" {
+ for_each = var.deployer_role_arn != null ? [var.deployer_role_arn] : []
+ content {
+ role_arn = assume_role.value
+ }
+ }
+
+ default_tags {
+ tags = local.provider_default_tags
 }
 }
 
@@ -29,8 +47,15 @@ provider "aws" {
 
 region = "us-east-1"
 
- assume_role {
- role_arn = var.deployer_role_arn
+ dynamic "assume_role" {
+ for_each = var.deployer_role_arn != null ? [var.deployer_role_arn] : []
+ content {
+ role_arn = assume_role.value
+ }
+ }
+
+ default_tags {
+ tags = local.provider_default_tags
 }
 }
 
@@ -41,10 +66,3 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 data "aws_partition" "current" {}
 
-
-locals {
- default_tags = {
- environment = var.environment
- application = "auth-frontend"
- }
-}
diff --git a/ci/terraform/sns.tf b/ci/terraform/sns.tf
index 5913e0d5f..ebe302901 100644
--- a/ci/terraform/sns.tf
+++ b/ci/terraform/sns.tf
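Review bot: Making `assume_role` conditional on `var.deployer_role_arn != null` in the first site.tf hunk means a run where the variable is unset no longer fails but silently applies with whatever ambient credentials the caller holds, which removes the guardrail that every change to this estate goes through the designated deployer role; the `aws.cloudfront` provider in the following hunk has the same shape. If the intent is to allow local runs, pin the target on both providers with `allowed_account_ids` (or add a `validation` block on the variable that only accepts null when an explicit opt-in variable is set) so an ambient-credential run cannot land in an unintended account. A one-line comment on each `dynamic "assume_role"` block stating when null is expected would also help the next reader, e.g. `# assume_role is skipped only for local runs where deployer_role_arn is null`.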
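Review bot: The `locals` block removed in the last site.tf hunk keyed the environment tag as lowercase `environment`, while the replacement `provider_default_tags` uses `Environment`, so the tag key changes on every resource in this diff, not just the place it is set; anything that selects on the old key — tag-based IAM conditions, cost-allocation tag activations, or alarm and filter selectors — would silently stop matching, though no such consumer is visible here. It is worth confirming that the plan for this change shows only in-place `tags`/`tags_all` updates and no replacements, and either carrying a lowercase `environment` key alongside `Environment` through the cutover or updating the consumers in the same change.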
@@ -4,8 +4,6 @@ resource "aws_sns_topic" "slack_events" {
 provider = aws.cloudfront
 name = "${var.environment}-cloudfront-alerts"
 lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_iam_role.arn
-
- tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "sns_topic_policy" {
@@ -56,8 +54,6 @@ resource "aws_iam_role" "sns_logging_iam_role" {
 name_prefix = "sns-failed-slack-alerts-role"
 path = "/${var.environment}/"
 assume_role_policy = data.aws_iam_policy_document.sns_can_assume_policy.json
-
- tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "sns_can_assume_policy" {
@@ -112,8 +108,6 @@ resource "aws_iam_policy" "api_gateway_logging_policy" {
 lifecycle {
 create_before_destroy = true
 }
-
- tags = local.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "api_gateway_logging_logs" {
diff --git a/ci/terraform/ssm.tf b/ci/terraform/ssm.tf
index a55f01df3..30d6b9bb0 100644
--- a/ci/terraform/ssm.tf
+++ b/ci/terraform/ssm.tf
@@ -32,8 +32,6 @@ resource "aws_kms_key" "parameter_store_key" {
 customer_master_key_spec = "SYMMETRIC_DEFAULT"
 key_usage = "ENCRYPT_DECRYPT"
 
-
- tags = local.default_tags
 }
 
 resource "aws_kms_alias" "parameter_store_key_alias" {
@@ -46,8 +44,6 @@ resource "aws_ssm_parameter" "redis_master_host" {
 type = "SecureString"
 key_id = aws_kms_alias.parameter_store_key_alias.id
 value = aws_elasticache_replication_group.frontend_sessions_store.primary_endpoint_address
-
- tags = local.default_tags
 }
 
 resource "aws_ssm_parameter" "redis_replica_host" {
@@ -55,8 +51,6 @@ resource "aws_ssm_parameter" "redis_replica_host" {
 type = "SecureString"
 key_id = aws_kms_alias.parameter_store_key_alias.id
 value = aws_elasticache_replication_group.frontend_sessions_store.reader_endpoint_address
-
- tags = local.default_tags
 }
 
 resource "aws_ssm_parameter" "redis_tls" {
@@ -64,8 +58,6 @@ resource "aws_ssm_parameter" "redis_tls" {
 type = "SecureString"
 key_id = aws_kms_alias.parameter_store_key_alias.id
 value = "true"
-
- tags = local.default_tags
 }
 
 resource "aws_ssm_parameter" "redis_password" {
@@ -73,8 +65,6 @@ resource "aws_ssm_parameter" "redis_password" {
 type = "SecureString"
 key_id = aws_kms_alias.parameter_store_key_alias.id
 value = random_password.redis_password.result
-
- tags = local.default_tags
 }
 
 resource "aws_ssm_parameter" "redis_port" {
@@ -82,8 +72,6 @@ resource "aws_ssm_parameter" "redis_port" {
 type = "SecureString"
 key_id = aws_kms_alias.parameter_store_key_alias.id
 value = aws_elasticache_replication_group.frontend_sessions_store.port
-
- tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "redis_parameter_policy" {
@@ -123,6 +111,4 @@ resource "aws_iam_policy" "parameter_policy" {
 policy = data.aws_iam_policy_document.redis_parameter_policy.json
 path = "/${var.environment}/redis/${local.redis_key}/"
 name_prefix = "parameter-store-policy"
-
- tags = local.default_tags
 }
diff --git a/ci/terraform/waf.tf b/ci/terraform/waf.tf
index 27df753d4..cea7c91ca 100644
--- a/ci/terraform/waf.tf
+++ b/ci/terraform/waf.tf
@@ -23,8 +23,6 @@ resource "aws_wafv2_ip_set" "cf_gds_ip_set" {
 "18.132.149.145/32"
 ]
 
-
- tags = local.default_tags
 }
 
 resource "aws_wafv2_web_acl" "frontend_cloudfront_waf_web_acl" {
@@ -384,8 +382,6 @@ resource "aws_wafv2_web_acl" "frontend_cloudfront_waf_web_acl" {
 metric_name = "${replace(var.environment, "-", "")}FrontendcloudfrontWafRules"
 sampled_requests_enabled = true
 }
-
- tags = local.default_tags
 }
 
 # Cloudwatch Logging for frontend Cloudfront WAF
@@ -442,8 +438,6 @@ resource "aws_kms_key" "frontent_cloudfront_cw_log_encryption" {
 deletion_window_in_days = 30
 enable_key_rotation = true
 policy = data.aws_iam_policy_document.frontend_cloudfront_cloudwatch.json
-
- tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_group" "frontend_cloudfront_waf_log_group" {
@@ -452,8 +446,6 @@ resource "aws_cloudwatch_log_group" "frontend_cloudfront_waf_log_group" {
 name = "aws-waf-logs-frontend-cloudfront-${var.environment}"
 kms_key_id = aws_kms_key.frontent_cloudfront_cw_log_encryption.arn
 retention_in_days = var.cloudwatch_log_retention
-
- tags = local.default_tags
 }
 
 resource "aws_wafv2_web_acl_logging_configuration" "frontend_cloudfront_waf_logging_config" {