
Commit 1c1ff3d

Merge remote-tracking branch 'origin/main' into PRMP-739
# Conflicts: # .github/workflows/automated-deploy-dev.yml
2 parents 7fa93d5 + b51db70 commit 1c1ff3d


4 files changed

+70
-20
lines changed


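--- a/.github/workflows/automated-deploy-dev.yml
+++ b/.github/workflows/automated-deploy-dev.yml
@@ -13,11 +13,37 @@ permissions:
 actions: read # This is required for Plan comment
 id-token: write # This is required for requesting the JWT
 contents: write # This is required for SBOM action
-
+
 jobs:
+
+# Terraform apply of base_iam will only occur on a push (merge request completion)
+terraform_plan_apply_base_iam:
+if: github.ref == 'refs/heads/main'
+name: Terraform Plan/Apply (base_iam)
+runs-on: ubuntu-latest
+environment: development
+steps:
+- name: Checkout branch
+uses: actions/checkout@v6
+
+- name: Apply base_iam
+uses: ./.github/actions/tf-plan-apply
+with:
+aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/dev-github-bootstrap
+bucket_prefix: "dev"
+aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+aws_region: ${{ vars.AWS_REGION }}
+working_directory: "./base_iam" # Use separate base_iam directory
+workspace: ${{ secrets.AWS_WORKSPACE }}
+tf_vars_file: ${{ vars.TF_VARS_FILE }}
+tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
+
 terraform_plan_apply:
 name: Terraform Plan/Apply (ndr-dev)
 runs-on: ubuntu-latest
+needs: terraform_plan_apply_base_iam
+# Will run when terraform_plan_apply_base_iam completes or is skipped
+if: always() && (needs.terraform_plan_apply_base_iam.result == 'skipped' || needs.terraform_plan_apply_base_iam.result == 'success')
 environment: development
 steps:
 - name: Checkout
@@ -73,7 +99,7 @@ jobs:
 echo "::add-mask::$cert_block"
 fi
 done || echo "No certificate blocks found to mask."
-
+
 # Mask sensitive URLs in the Terraform Plan output
 grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
 if [ -n "$api_url" ]; then
@@ -97,6 +123,7 @@ jobs:
 
 # Mask GitHub secrets
 echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}"
+echo "::add-mask::arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role"
 echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
 
 # Mask Terraform variables
@@ -153,7 +180,7 @@ jobs:
 
 // 2. Prepare format of the comment
 const output = `### Report for environment: ndr-dev
-
+
 #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
 <details><summary>Initialization Output</summary>
 
@@ -191,7 +218,7 @@ jobs:
 body: output
 })
 }
-
+
 github.rest.issues.createComment({
 issue_number: context.issue.number,
 owner: context.repo.owner,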
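Review bot: The new terraform_plan_apply_base_iam job in the first hunk inherits the workflow-level permissions, which include `contents: write` (commented as needed for the SBOM action, a step that job does not run), so the bootstrap apply runs with a broader GITHUB_TOKEN than it needs. I would add a job-level block directly under the job key so only the OIDC token request and a read-only checkout are granted: `permissions:` / `id-token: write` / `contents: read`. The same job assumes the hard-coded `dev-github-bootstrap` role and pins `actions/checkout@v6` by tag; pinning by commit SHA would be consistent with the supply-chain posture the masking steps later in the file suggest. The `terraform_plan_apply` job whose header is changed here continues outside the hunk, so whether it also relies on the inherited write permission cannot be confirmed from this view.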

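--- a/infrastructure/cloudwatch_rum.tf
+++ b/infrastructure/cloudwatch_rum.tf
@@ -4,8 +4,7 @@ locals {
 }
 
 resource "aws_iam_role" "cognito_unauthenticated" {
-count = local.is_production ? 0 : 1
-name = local.cognito_role_name
+name = local.cognito_role_name
 
 assume_role_policy = jsonencode({
 Version = "2012-10-17",
@@ -18,7 +17,7 @@ resource "aws_iam_role" "cognito_unauthenticated" {
 Action = "sts:AssumeRoleWithWebIdentity",
 Condition = {
 StringEquals = {
-"cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cloudwatch_rum[0].id
+"cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cloudwatch_rum.id
 },
 "ForAnyValue:StringLike" = {
 "cognito-identity.amazonaws.com:amr" = "unauthenticated"
@@ -30,7 +29,6 @@ resource "aws_iam_role" "cognito_unauthenticated" {
 }
 
 resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
-count = local.is_production ? 0 : 1
 name = "${terraform.workspace}-cloudwatch-rum-cognito-access-policy"
 description = "Policy for unauthenticated Cognito identities"
 
@@ -41,7 +39,7 @@ resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
 {
 "Effect" : "Allow",
 "Action" : "rum:PutRumEvents",
-"Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr[0].id}"
+"Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr.id}"
 }
 ]
 })
@@ -75,34 +73,29 @@ resource "aws_cloudwatch_log_resource_policy" "rum_log" {
 }
 
 resource "aws_iam_role_policy_attachment" "cloudwatch_rum_cognito_unauth" {
-count = local.is_production ? 0 : 1
-role = aws_iam_role.cognito_unauthenticated[0].name
-policy_arn = aws_iam_policy.cloudwatch_rum_cognito_access[0].arn
+role = aws_iam_role.cognito_unauthenticated.name
+policy_arn = aws_iam_policy.cloudwatch_rum_cognito_access.arn
 }
 
 resource "aws_cognito_identity_pool_roles_attachment" "cloudwatch_rum" {
-count = local.is_production ? 0 : 1
-identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum[0].id
-
+identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum.id
 roles = {
-unauthenticated = aws_iam_role.cognito_unauthenticated[0].arn
+unauthenticated = aws_iam_role.cognito_unauthenticated.arn
 }
 }
 
 resource "aws_cognito_identity_pool" "cloudwatch_rum" {
-count = local.is_production ? 0 : 1
 identity_pool_name = "${terraform.workspace}-cloudwatch-rum-identity-pool"
 allow_unauthenticated_identities = true
 }
 
 resource "aws_rum_app_monitor" "ndr" {
-count = local.is_production ? 0 : 1
 name = "${terraform.workspace}-app-monitor"
 domain = "*.${var.domain}"
 cw_log_enabled = true
 
 app_monitor_configuration {
-identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum[0].id
+identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum.id
 allow_cookies = true
 enable_xray = false
 session_sample_rate = 1.0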
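Review bot: Dropping `count = local.is_production ? 0 : 1` from every resource in the last hunk means the identity pool with `allow_unauthenticated_identities = true`, its unauthenticated role and the RUM app monitor are now provisioned in production workspaces as well, and the commit message does not record that this widening is intended. The exposure is bounded by what is visible here, since the trust policy is conditioned on this pool's aud and `amr = "unauthenticated"` and the attached policy allows only `rum:PutRumEvents` on the single app monitor, but that reasoning should live next to the resource: above `resource "aws_cognito_identity_pool" "cloudwatch_rum"` add `# Unauthenticated identities are intentional for RUM telemetry; the only grant is rum:PutRumEvents on this app monitor (see cloudwatch_rum_cognito_access).`. Note that in workspaces where the guard previously yielded count 0 the `[0]` instances never existed, so the corresponding moved blocks in infrastructure/moved-resources-v1.6.11.tf are no-ops there and the first apply will show fresh creates; confirm `local.is_production` has no remaining references, which this hunk cannot show. The `aws_cloudwatch_log_resource_policy` and `aws_rum_app_monitor` bodies start or end outside the hunks shown.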

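--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -113,7 +113,7 @@ module "lambda" {
 | <a name="input_lambda_environment_variables"></a> [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | Map of environment variables to set in the Lambda function. | `map(string)` | `{}` | no |
 | <a name="input_lambda_ephemeral_storage"></a> [lambda\_ephemeral\_storage](#input\_lambda\_ephemeral\_storage) | Amount of ephemeral storage (in MB) to allocate to the Lambda function. | `number` | `512` | no |
 | <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Function timeout in seconds. | `number` | `30` | no |
-| <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Amount of memory to allocate to the Lambda function (in MB). | `number` | `5038` | no |
+| <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Amount of memory to allocate to the Lambda function (in MB). | `number` | `5308` | no |
 | <a name="input_name"></a> [name](#input\_name) | Unique name for the Lambda function. | `string` | n/a | yes |
 | <a name="input_persistent_workspaces"></a> [persistent\_workspaces](#input\_persistent\_workspaces) | A list of workspaces that require persistent logs | `list(string)` | <pre>[<br/> "ndr-dev",<br/> "ndr-test",<br/> "pre-prod",<br/> "prod"<br/>]</pre> | no |
 | <a name="input_reserved_concurrent_executions"></a> [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | The number of concurrent execution allowed for lambda. A value of 0 will stop lambda from running, and -1 removes any concurrency limitations. Default to -1. | `number` | `-1` | no |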

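--- a/infrastructure/moved-resources-v1.6.11.tf
+++ b/infrastructure/moved-resources-v1.6.11.tf
@@ -16,4 +16,34 @@ moved {
 moved {
 from = aws_cloudfront_cache_policy.nocache
 to = aws_cloudfront_cache_policy.nocache[0]
+}
+
+moved {
+from = aws_iam_role.cognito_unauthenticated[0]
+to = aws_iam_role.cognito_unauthenticated
+}
+
+moved {
+from = aws_iam_policy.cloudwatch_rum_cognito_access[0]
+to = aws_iam_policy.cloudwatch_rum_cognito_access
+}
+
+moved {
+from = aws_iam_role_policy_attachment.cloudwatch_rum_cognito_unauth[0]
+to = aws_iam_role_policy_attachment.cloudwatch_rum_cognito_unauth
+}
+
+moved {
+from = aws_cognito_identity_pool.cloudwatch_rum[0]
+to = aws_cognito_identity_pool.cloudwatch_rum
+}
+
+moved {
+from = aws_cognito_identity_pool_roles_attachment.cloudwatch_rum[0]
+to = aws_cognito_identity_pool_roles_attachment.cloudwatch_rum
+}
+
+moved {
+from = aws_rum_app_monitor.ndr[0]
+to = aws_rum_app_monitor.ndr
 }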
