Merge pull request #15 from dominodatalab/govcloud

PLAT-5933: Support govcloud
dominodatalab · Dec 7, 2022 · 26e5d81 · 26e5d81
2 parents 22145bf + 1c8d7a7
commit 26e5d81
Show file tree

Hide file tree

Showing 13 changed files with 70 additions and 50 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -43,6 +43,9 @@ repos:
           - '--args=--only=terraform_required_providers'
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
+          - '--args=--enable-rule=aws_iam_policy_document_gov_friendly_arns'
+          - '--args=--enable-rule=aws_iam_policy_gov_friendly_arns'
+          - '--args=--enable-rule=aws_iam_role_policy_gov_friendly_arns'
       # - id: terrascan # Skipping until they update lifecycle block; Data resources do not have lifecycle settings, so a lifecycle block is not allowed.
         # args:
         #   - '--args=--non-recursive'

diff --git a/.tflint.hcl b/.tflint.hcl
@@ -1,6 +1,6 @@
 plugin "aws" {
     enabled = true
     deep_check = true
-    version = "0.17.0"
+    version = "0.21.0"
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
diff --git a/submodules/bastion/README.md b/submodules/bastion/README.md
@@ -46,7 +46,7 @@ No modules.
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | the bastion's instance type, if null, t2.micro is used | `string` | `null` | no |
 | <a name="input_public_subnet_id"></a> [public\_subnet\_id](#input\_public\_subnet\_id) | Public subnet to create bastion host in. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
-| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | Bastion host security group rules. | <pre>map(object({<br>    protocol                 = string<br>    from_port                = string<br>    to_port                  = string<br>    type                     = string<br>    description              = string<br>    cidr_blocks              = list(string)<br>    source_security_group_id = string<br><br>  }))</pre> | <pre>{<br>  "bastion_inbound_ssh": {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Inbound ssh",<br>    "from_port": "22",<br>    "protocol": "-1",<br>    "source_security_group_id": null,<br>    "to_port": "22",<br>    "type": "ingress"<br>  },<br>  "bastion_outbound_traffic": {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow all outbound traffic by default",<br>    "from_port": "0",<br>    "protocol": "-1",<br>    "source_security_group_id": null,<br>    "to_port": "0",<br>    "type": "egress"<br>  }<br>}</pre> | no |
+| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | Bastion host security group rules. | <pre>map(object({<br>    protocol                 = string<br>    from_port                = string<br>    to_port                  = string<br>    type                     = string<br>    description              = string<br>    cidr_blocks              = list(string)<br>    source_security_group_id = string<br><br>  }))</pre> | <pre>{<br>  "bastion_inbound_ssh": {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Inbound ssh",<br>    "from_port": "22",<br>    "protocol": "tcp",<br>    "source_security_group_id": null,<br>    "to_port": "22",<br>    "type": "ingress"<br>  },<br>  "bastion_outbound_traffic": {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow all outbound traffic by default",<br>    "from_port": "0",<br>    "protocol": "-1",<br>    "source_security_group_id": null,<br>    "to_port": "0",<br>    "type": "egress"<br>  }<br>}</pre> | no |
 | <a name="input_ssh_pvt_key_path"></a> [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID. | `string` | n/a | yes |
 

diff --git a/submodules/bastion/main.tf b/submodules/bastion/main.tf
@@ -7,9 +7,10 @@ locals {
 }
 
 resource "aws_security_group" "bastion" {
-  name        = "${var.deploy_id}-bastion"
-  description = "Bastion security group"
-  vpc_id      = var.vpc_id
+  name                   = "${var.deploy_id}-bastion"
+  description            = "Bastion security group"
+  revoke_rules_on_delete = true
+  vpc_id                 = var.vpc_id
 
   lifecycle {
     create_before_destroy = true
@@ -48,7 +49,7 @@ data "aws_iam_policy_document" "bastion" {
 
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${local.aws_account_id}:root"]
+      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:root"]
     }
   }
 }
@@ -62,7 +63,7 @@ resource "aws_iam_role" "bastion" {
 }
 
 resource "aws_iam_role_policy_attachment" "bastion" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
   role       = aws_iam_role.bastion.name
 }
 
@@ -80,6 +81,11 @@ data "aws_ami" "amazon_linux_2" {
     name   = "name"
     values = ["amzn2-ami-hvm*"]
   }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
 }
 
 locals {

diff --git a/submodules/bastion/variables.tf b/submodules/bastion/variables.tf
@@ -60,7 +60,7 @@ variable "security_group_rules" {
       source_security_group_id = null
     }
     bastion_inbound_ssh = {
-      protocol                 = "-1"
+      protocol                 = "tcp"
       from_port                = "22"
       to_port                  = "22"
       type                     = "ingress"

diff --git a/submodules/eks/cluster.tf b/submodules/eks/cluster.tf
@@ -22,7 +22,7 @@ data "aws_iam_policy_document" "kms_key" {
     effect    = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${local.aws_account_id}:root"]
+      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:root"]
     }
   }
 }

diff --git a/submodules/eks/iam.tf b/submodules/eks/iam.tf
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "domino_ecr_restricted" {
   statement {
 
     effect    = "Deny"
-    resources = ["arn:aws:ecr:*:${local.aws_account_id}:*"]
+    resources = ["arn:${data.aws_partition.current.partition}:ecr:*:${local.aws_account_id}:*"]
 
     actions = [
       "ecr:BatchCheckLayerAvailability",
@@ -115,8 +115,8 @@ data "aws_iam_policy_document" "ebs_csi" {
     effect = "Allow"
 
     resources = [
-      "arn:aws:ec2:*:*:volume/*",
-      "arn:aws:ec2:*:*:snapshot/*",
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*",
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:snapshot/*",
     ]
 
     actions = ["ec2:CreateTags"]
@@ -137,8 +137,8 @@ data "aws_iam_policy_document" "ebs_csi" {
     effect = "Allow"
 
     resources = [
-      "arn:aws:ec2:*:*:volume/*",
-      "arn:aws:ec2:*:*:snapshot/*",
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*",
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:snapshot/*",
     ]
 
     actions = ["ec2:DeleteTags"]
@@ -210,19 +210,19 @@ resource "aws_iam_policy" "custom_eks_node_policy" {
 
 locals {
   eks_aws_node_iam_policies = toset([
-    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
-    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
-    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
-    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
-    "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess",
+    "AmazonEKSWorkerNodePolicy",
+    "AmazonEKS_CNI_Policy",
+    "AmazonEC2ContainerRegistryReadOnly",
+    "AmazonSSMManagedInstanceCore",
+    "AmazonElasticFileSystemReadOnlyAccess",
   ])
 
   custom_node_policies = concat([aws_iam_policy.custom_eks_node_policy.arn], var.node_iam_policies)
 }
 
 resource "aws_iam_role_policy_attachment" "aws_eks_nodes" {
   for_each   = toset(local.eks_aws_node_iam_policies)
-  policy_arn = each.key
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/${each.key}"
   role       = aws_iam_role.eks_nodes.name
 }
 

diff --git a/submodules/eks/main.tf b/submodules/eks/main.tf
@@ -246,7 +246,7 @@ locals {
 
   bastion_eks_security_group_rules = {
     bastion_to_eks_api = {
-      description              = "Bastion outbound to eks cluster ${local.eks_cluster_name}:443 API"
+      description              = "To ${local.eks_cluster_name}:443"
       protocol                 = "tcp"
       from_port                = "443"
       to_port                  = "443"
@@ -255,7 +255,7 @@ locals {
       source_security_group_id = aws_security_group.eks_cluster.id
     }
     bastion_to_eks_nodes_ssh = {
-      description              = "Bastion ssh to eks cluster nodes outbound"
+      description              = "To eks nodes over ssh"
       protocol                 = "tcp"
       from_port                = "22"
       to_port                  = "22"
@@ -264,7 +264,7 @@ locals {
       source_security_group_id = aws_security_group.eks_nodes.id
     }
     eks_api_from_bastion = {
-      description              = "Eks cluster ${local.eks_cluster_name}:443 inbound from bastion"
+      description              = "From Bastion over https"
       protocol                 = "tcp"
       from_port                = "443"
       to_port                  = "443"
@@ -273,13 +273,13 @@ locals {
       source_security_group_id = var.bastion_security_group_id
     }
     eks_nodes_ssh_from_bastion = {
-      description              = "Bastion ssh to eks cluster nodes inbound"
+      description              = "From Bastion over ssh"
       protocol                 = "tcp"
       from_port                = "22"
       to_port                  = "22"
       type                     = "ingress"
-      security_group_id        = var.bastion_security_group_id
-      source_security_group_id = aws_security_group.eks_nodes.id
+      security_group_id        = aws_security_group.eks_nodes.id
+      source_security_group_id = var.bastion_security_group_id
     }
   }
 }
diff --git a/submodules/k8s/main.tf b/submodules/k8s/main.tf
@@ -56,6 +56,10 @@ resource "local_file" "templates" {
 }
 
 resource "null_resource" "run_k8s_pre_setup" {
+  triggers = {
+    script_hash = md5(local_file.templates["k8s_presetup"].content)
+  }
+
   provisioner "local-exec" {
     command     = basename(local_file.templates["k8s_presetup"].filename)
     interpreter = ["bash"]

diff --git a/submodules/k8s/templates/k8s-functions.sh.tftpl b/submodules/k8s/templates/k8s-functions.sh.tftpl
@@ -35,10 +35,10 @@ set_k8s_auth() {
 install_calico() {
   local CALICO_OPERATOR_YAML_URL=${calico_operator_url}
   printf "$GREEN Installing Calico Operator $EC \n"
-  kubectl_apply $CALICO_OPERATOR_YAML_URL || printf "$RED There was an error installing the calico operator"
+  kubectl_apply $CALICO_OPERATOR_YAML_URL
   echo
   local CALICO_CRD_YAML_URL=${calico_custom_resources_url}
-  printf "$GREEN Installing Calico Custom resources $EC \n" || printf "$RED There was an error installing the calico CRD"
+  printf "$GREEN Installing Calico Custom resources $EC \n"
   kubectl_apply $CALICO_CRD_YAML_URL
   echo
 }
@@ -58,8 +58,13 @@ kubectl_apply() {
   if test -f "$k8s_manifest" || validate_url "$k8s_manifest"; then
     echo "Applying $k8s_manifest..."
     HTTPS_PROXY=socks5://127.0.0.1:${k8s_tunnel_port} kubectl --kubeconfig "${kubeconfig_path}" apply -f "$k8s_manifest"
+    if [ $? -ne 0 ]; then
+      printf "$RED Error applying $k8s_manifest \n"
+      exit 1
+    fi
   else
-    printf "$RED $k8s_manifest does not exist. $EC \n" && exit 1
+    printf "$RED $k8s_manifest does not exist. $EC \n"
+    exit 1
   fi
 }
 

diff --git a/submodules/storage/README.md b/submodules/storage/README.md
@@ -47,6 +47,7 @@ No modules.
 | [aws_iam_policy_document.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 

diff --git a/submodules/storage/main.tf b/submodules/storage/main.tf
@@ -1,5 +1,6 @@
 data "aws_canonical_user_id" "current" {}
 data "aws_elb_service_account" "this" {}
+data "aws_partition" "current" {}
 
 locals {
   s3_buckets = {

diff --git a/submodules/storage/s3.tf b/submodules/storage/s3.tf
@@ -14,8 +14,8 @@ data "aws_iam_policy_document" "backups" {
     effect = "Deny"
 
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.backups.bucket}",
-      "arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.backups.bucket}",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.backups.bucket}/*",
     ]
 
     actions = ["s3:*"]
@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "backups" {
   statement {
     sid       = "DenyIncorrectEncryptionHeader"
     effect    = "Deny"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.backups.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {
@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "backups" {
   statement {
     sid       = "DenyUnEncryptedObjectUploads"
     effect    = "Deny"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.backups.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {
@@ -82,8 +82,8 @@ data "aws_iam_policy_document" "blobs" {
     effect = "Deny"
 
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.blobs.bucket}",
-      "arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.blobs.bucket}",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.blobs.bucket}/*",
     ]
 
     actions = ["s3:*"]
@@ -104,7 +104,7 @@ data "aws_iam_policy_document" "blobs" {
   statement {
     sid       = "DenyIncorrectEncryptionHeader"
     effect    = "Deny"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.blobs.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {
@@ -122,7 +122,7 @@ data "aws_iam_policy_document" "blobs" {
   statement {
     sid       = "DenyUnEncryptedObjectUploads"
     effect    = "Deny"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.blobs.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {
@@ -151,8 +151,8 @@ data "aws_iam_policy_document" "logs" {
     effect = "Deny"
 
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.logs.bucket}",
-      "arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.logs.bucket}",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.logs.bucket}/*",
     ]
 
     actions = ["s3:*"]
@@ -172,7 +172,7 @@ data "aws_iam_policy_document" "logs" {
   statement {
     sid       = "DenyIncorrectEncryptionHeader"
     effect    = "Deny"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.logs.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {
@@ -190,7 +190,7 @@ data "aws_iam_policy_document" "logs" {
   statement {
     sid       = "DenyUnEncryptedObjectUploads"
     effect    = "Deny"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.logs.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {
@@ -219,8 +219,8 @@ data "aws_iam_policy_document" "monitoring" {
     effect = "Deny"
 
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}",
-      "arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}/*",
     ]
 
     actions = ["s3:*"]
@@ -240,7 +240,7 @@ data "aws_iam_policy_document" "monitoring" {
   statement {
     sid       = ""
     effect    = "Allow"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}/*"]
 
     actions = [
       "s3:PutObject*",
@@ -256,7 +256,7 @@ data "aws_iam_policy_document" "monitoring" {
   statement {
     sid       = "AWSLogDeliveryWrite"
     effect    = "Allow"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {
@@ -274,7 +274,7 @@ data "aws_iam_policy_document" "monitoring" {
   statement {
     sid       = "AWSLogDeliveryCheck"
     effect    = "Allow"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}"]
 
     actions = [
       "s3:GetBucketAcl",
@@ -334,8 +334,8 @@ data "aws_iam_policy_document" "registry" {
   statement {
     effect = "Deny"
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.registry.bucket}",
-      "arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.registry.bucket}",
+      "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.registry.bucket}/*",
     ]
 
     actions = ["s3:*"]
@@ -355,7 +355,7 @@ data "aws_iam_policy_document" "registry" {
   statement {
     sid       = "DenyIncorrectEncryptionHeader"
     effect    = "Deny"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.registry.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {
@@ -373,7 +373,7 @@ data "aws_iam_policy_document" "registry" {
   statement {
     sid       = "DenyUnEncryptedObjectUploads"
     effect    = "Deny"
-    resources = ["arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.registry.bucket}/*"]
     actions   = ["s3:PutObject"]
 
     condition {