Merge main into db-migration-step-1 (#1150)

* Update infrastructure_version.txt (#1136) * VPN Internal DNS (#1133) * The beginning of internal DNS for VPN * conditional parameter group name (#1138) * conditional parameter group name * Update aws/rds/rds.tf Co-authored-by: Steve Astels <[email protected]> --------- Co-authored-by: Steve Astels <[email protected]> * Worker node update (#1139) * Fixing double mock outputs (#1141) * Prod dns cfg path (#1142) * Fixing double mock outputs * adding config path --------- Co-authored-by: Jumana B <[email protected]> * Release 2.5.8 (#1140) * Release 2.5.8 * Update infrastructure_version.txt * Update infrastructure_version.txt * chore: synced local '.github/workflows/ossf-scorecard.yml' with remote 'tools/sre_file_sync/ossf-scorecard.yml' (#1137) Co-authored-by: sre-read-write[bot] <92993749+sre-read-write[bot]@users.noreply.github.com> * Adding account id to secret (#1144) * K8s upgraded to 1.29 (#1143) * K8s upgraded to 1.29 * Fixing prod hcl * chore(deps): update all minor dependencies (#555) * chore(deps): update all minor dependencies * changes for new version of rds_proxy --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Stephen Astels <[email protected]> Co-authored-by: Ben Larabie <[email protected]> * chore(deps): lock file maintenance (#594) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update all non-major github action dependencies (#597) * chore(deps): update all non-major github action dependencies * use tfsec v1.28.1 --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Stephen Astels <[email protected]> Co-authored-by: Ben Larabie <[email protected]> * release 2.5.15 (#1145) * Adding internal HTTP ingress/egress to eks SG (#1146) * Refresh all QuickSight datasets (#1132) * refresh all the things * order refresh by dependancies --------- Co-authored-by: Jumana B <[email protected]> Co-authored-by: Ben Larabie <[email protected]> Co-authored-by: sre-read-write[bot] <92993749+sre-read-write[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
cds-snc · Feb 9, 2024 · 0c35dcf · 0c35dcf
1 parent 2d2e985
commit 0c35dcf
Show file tree

Hide file tree

Showing 105 changed files with 3,754 additions and 1,705 deletions.
diff --git a/.github/workflows/infrastructure_version.txt b/.github/workflows/infrastructure_version.txt
@@ -1 +1 @@
-2.5.2
+2.5.15
diff --git a/.github/workflows/merge_to_main_production.yml b/.github/workflows/merge_to_main_production.yml
@@ -57,7 +57,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set environment variables
         uses: ./.github/actions/setvars

diff --git a/.github/workflows/merge_to_main_staging.yml b/.github/workflows/merge_to_main_staging.yml
@@ -63,7 +63,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           # Fetches entire history, so we can analyze commits since last tag
           fetch-depth: 0
@@ -183,7 +183,7 @@ jobs:
 
       - name: Bump version and push tag
         if: github.event_name != 'workflow_dispatch' # We don't want to tag new versions when launched via workflow_dispatch since only environment variables changed
-        uses: mathieudutour/[email protected]
+        uses: mathieudutour/github-tag-action@bcb832838e1612ff92089d914bccc0fd39458223 # v4.6
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           release_branches: main

diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@75cb7af1033cfb77c9fc7d8abc30420008f558f4
+        uses: ossf/scorecard-action@155cf0ea68b491a7c47af606d2741b54963ecb04
         with:
           results_file: ossf-results.json
           results_format: json

diff --git a/.github/workflows/terraform_static_analysis.yml b/.github/workflows/terraform_static_analysis.yml
@@ -13,7 +13,7 @@ jobs:
     continue-on-error: false
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Test with Checkov
         id: checkov

diff --git a/.github/workflows/terragrunt_plan_production.yml b/.github/workflows/terragrunt_plan_production.yml
@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set environment variables
         uses: ./.github/actions/setvars
@@ -72,7 +72,7 @@ jobs:
           echo "INFRASTRUCTURE_VERSION=$INFRASTRUCTURE_VERSION" >> $GITHUB_ENV
 
       - name: Terragrunt plan common
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/common"
           comment-delete: "true"
@@ -81,7 +81,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan ECR
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/ecr"
           comment-delete: "true"
@@ -90,7 +90,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan ses_receiving_emails
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/ses_receiving_emails"
           comment-delete: "true"
@@ -99,7 +99,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan ses_to_sqs_email_callbacks
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/ses_to_sqs_email_callbacks"
           comment-delete: "true"
@@ -108,7 +108,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan sns_to_sqs_sms_callbacks
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/sns_to_sqs_sms_callbacks"
           comment-delete: "true"
@@ -117,7 +117,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan dns
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/dns"
           comment-delete: "true"
@@ -126,7 +126,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan ses_validation_dns_entries
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/ses_validation_dns_entries"
           comment-delete: "true"
@@ -135,7 +135,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan eks
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/eks"
           comment-delete: "true"
@@ -144,7 +144,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan elasticache
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/elasticache"
           comment-delete: "true"
@@ -153,7 +153,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan rds
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/rds"
           comment-delete: "true"
@@ -162,7 +162,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan cloudfront
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/cloudfront"
           comment-delete: "true"
@@ -171,7 +171,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan lambda-api
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/lambda-api"
           comment-delete: "true"
@@ -180,7 +180,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan heartbeat
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/heartbeat"
           comment-delete: "true"
@@ -189,7 +189,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan database-tools
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/database-tools"
           comment-delete: "true"
@@ -207,7 +207,7 @@ jobs:
           terragrunt: "true"
 
       - name: Terragrunt plan lambda-google-cidr
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/production/lambda-google-cidr"
           comment-delete: "true"

diff --git a/.github/workflows/terragrunt_plan_staging.yml b/.github/workflows/terragrunt_plan_staging.yml
@@ -58,7 +58,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set environment variables
         uses: ./.github/actions/setvars
@@ -73,7 +73,7 @@ jobs:
             TERRAGRUNT_VERSION: 0.44.4
             TF_SUMMARIZE_VERSION: 0.2.3           
 
-      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2.10.2
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
         id: filter
         with:
           filters: |
@@ -143,7 +143,7 @@ jobs:
 
       - name: Terragrunt plan common
         if: ${{ steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/common"
           comment-delete: "true"
@@ -153,7 +153,7 @@ jobs:
 
       - name: Terragrunt plan ECR
         if: ${{ steps.filter.outputs.ecr == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/ecr"
           comment-delete: "true"
@@ -163,7 +163,7 @@ jobs:
 
       - name: Terragrunt plan ses_receiving_emails
         if: ${{ steps.filter.outputs.ses_receiving_emails == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/ses_receiving_emails"
           comment-delete: "true"
@@ -173,7 +173,7 @@ jobs:
 
       - name: Terragrunt plan dns
         if: ${{ steps.filter.outputs.dns == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/dns"
           comment-delete: "true"
@@ -183,7 +183,7 @@ jobs:
 
       - name: Terragrunt plan ses_validation_dns_entries
         if: ${{ steps.filter.outputs.ses_validation_dns_entries == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/ses_validation_dns_entries"
           comment-delete: "true"
@@ -193,7 +193,7 @@ jobs:
 
       - name: Terragrunt plan eks
         if: ${{ steps.filter.outputs.eks == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/eks"
           comment-delete: "true"
@@ -203,7 +203,7 @@ jobs:
 
       - name: Terragrunt plan elasticache
         if: ${{ steps.filter.outputs.elasticache == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/elasticache"
           comment-delete: "true"
@@ -213,7 +213,7 @@ jobs:
 
       - name: Terragrunt plan rds
         if: ${{ steps.filter.outputs.rds == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/rds"
           comment-delete: "true"
@@ -223,7 +223,7 @@ jobs:
 
       - name: Terragrunt plan cloudfront
         if: ${{ steps.filter.outputs.cloudfront == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/cloudfront"
           comment-delete: "true"
@@ -233,7 +233,7 @@ jobs:
 
       - name: Terragrunt plan lambda-api
         if: ${{ steps.filter.outputs.lambda-api == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/lambda-api"
           comment-delete: "true"
@@ -243,7 +243,7 @@ jobs:
 
       - name: Terragrunt plan lambda-admin-pr
         if: ${{ steps.filter.outputs.lambda-admin-pr == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/lambda-admin-pr"
           comment-delete: "true"
@@ -253,7 +253,7 @@ jobs:
 
       - name: Terragrunt plan performance-test
         if: ${{ steps.filter.outputs.performance-test == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/performance-test"
           comment-delete: "true"
@@ -263,7 +263,7 @@ jobs:
 
       - name: Terragrunt plan heartbeat
         if: ${{ steps.filter.outputs.heartbeat == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/heartbeat"
           comment-delete: "true"
@@ -273,7 +273,7 @@ jobs:
 
       - name: Terragrunt plan database-tools
         if: ${{ steps.filter.outputs.database-tools == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/database-tools"
           comment-delete: "true"
@@ -283,7 +283,7 @@ jobs:
 
       - name: Terragrunt plan quicksight
         if: ${{ steps.filter.outputs.quicksight == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/quicksight"
           comment-delete: "true"
@@ -293,7 +293,7 @@ jobs:
 
       - name: Terragrunt plan lambda-google-cidr
         if: ${{ steps.filter.outputs.lambda-google-cidr == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/lambda-google-cidr"
           comment-delete: "true"
@@ -303,7 +303,7 @@ jobs:
 
       - name: Terragrunt plan ses_to_sqs_email_callbacks
         if: ${{ steps.filter.outputs.ses_to_sqs_email_callbacks == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/ses_to_sqs_email_callbacks"
           comment-delete: "true"
@@ -313,7 +313,7 @@ jobs:
 
       - name: Terragrunt plan sns_to_sqs_sms_callbacks
         if: ${{ steps.filter.outputs.sns_to_sqs_sms_callbacks == 'true' || steps.filter.outputs.common == 'true' }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
         with:
           directory: "env/staging/sns_to_sqs_sms_callbacks"
           comment-delete: "true"

diff --git a/aws/common/file_scanning.tf b/aws/common/file_scanning.tf
@@ -3,7 +3,7 @@ locals {
 }
 
 module "s3_scan_objects" {
-  source = "github.com/cds-snc/terraform-modules//S3_scan_object?ref=v6.0.1"
+  source = "github.com/cds-snc/terraform-modules//S3_scan_object?ref=v6.1.5"
 
   s3_upload_bucket_name   = "notification-canada-ca-${var.env}-document-download-scan-files"
   s3_scan_object_role_arn = "arn:aws:iam::${local.scan_files_account}:role/s3-scan-object"

diff --git a/aws/common/secrets.tf b/aws/common/secrets.tf
@@ -0,0 +1,8 @@
+resource "aws_secretsmanager_secret" "aws_account_id" {
+  name = "AWS_ACCOUNT_ID"
+}
+
+resource "aws_secretsmanager_secret_version" "aws_account_id" {
+  secret_id     = aws_secretsmanager_secret.aws_account_id.id
+  secret_string = var.account_id
+}