Revert "Feature | build.env to tf 1.0.9 + configs updated to .tfvars …

…=> leverage cli 1.1.0 + deactivate cf-s3-www.binbash.com.ar"

.gitignore

@@ -21,7 +21,12 @@
 ############
 id_rsa
 id_dsa
-*keys/
+keys/
+!/apps-devstg/base-identities/keys/
+!/apps-prd/base-identities/keys/
+!/security/base-identities/keys/
+!/shared/base-identities/keys/
+!/root/base-identities/keys/
 
 # OS generated files #
 ######################
@@ -93,7 +98,7 @@ Thumbs.db
 #
 # Config Files
 #
-*common.tfvars
+*common.config
 #
 # Scripts and Makefiles
 #

apps-devstg/us-east-1/cdn-s3-frontend --/config.tf → apps-devstg/us-east-1/cdn-s3-frontend/config.tf

@@ -2,6 +2,7 @@
 # AWS Provider Settings       #
 #=============================#
 provider "aws" {
+  version                 = "~> 3.0"
   region                  = var.region
   profile                 = var.profile
   shared_credentials_file = "~/.aws/${var.project}/config"
@@ -13,9 +14,9 @@ provider "aws" {
 # binbash-shared route53 cross-account ACM dns validation update
 #
 provider "aws" {
+  version                 = "~> 3.0"
   region                  = var.region
-  profile                 = "${var.project}-shared-devops"
-//  profile                 = var.profile_shared
+  profile                 = var.profile_shared
   shared_credentials_file = "~/.aws/${var.project}/config"
   alias                   = "shared-route53"
 }
@@ -24,11 +25,7 @@ provider "aws" {
 # Backend Config (partial)    #
 #=============================#
 terraform {
-  required_version = ">= 0.14.11"
-
-  required_providers {
-    aws = "~> 3.0"
-  }
+  required_version = ">= 0.13.2"
 
   backend "s3" {
     key = "apps-devstg/cdn-s3/terraform.tfstate"

apps-devstg/us-east-1/cdn-s3-frontend --/dev.aws.binbash.com.ar.tf → apps-devstg/us-east-1/cdn-s3-frontend/dev.aws.binbash.com.ar.tf

@@ -2,7 +2,7 @@
 # Statics S3 Bucket + CloudFront CDN for moderncare.com
 #
 module "dev_aws_binbash_com_ar" {
-  source = "github.com/binbashar/terraform-aws-cloudfront-s3-cdn.git?ref=0.75.0"
+  source = "github.com/binbashar/terraform-aws-cloudfront-s3-cdn.git?ref=0.35.0"
 
   # Common: bucket naming convention is "bb-apps-devstg-frontend-[DOMAIN_NAME]-origin"
   namespace = "${var.project}-${var.environment}-frontend"
@@ -33,7 +33,6 @@ module "dev_aws_binbash_com_ar" {
   minimum_protocol_version = "TLSv1"
   encryption_enabled       = true
   additional_bucket_policy = data.aws_iam_policy_document.additional_bucket_policy.json
-  versioning_enabled       = true
 
   logging_enabled     = true
   log_expiration_days = 90 # N° of days after which to expunge the objects

apps-devstg/us-east-1/cdn-s3-frontend --/variables.tf → apps-devstg/us-east-1/cdn-s3-frontend/variables.tf

@@ -91,16 +91,6 @@ variable "appsprd_account_id" {
   description = "Account: Prod Modules & Libs"
 }
 
-variable "vault_address" {
-  type        = string
-  description = "Vault Address"
-}
-
-variable "vault_token" {
-  type        = string
-  description = "Vault Token"
-}
-
 #=============================#
 # CDN DNS variables           #
 #=============================#

apps-prd/us-east-1/cdn-s3-frontend --/config.tf → apps-prd/us-east-1/cdn-s3-frontend/config.tf

@@ -14,8 +14,7 @@ provider "aws" {
 #
 provider "aws" {
   region                  = var.region
-  profile                 = "${var.project}-shared-devops"
-//  profile                 = var.profile_shared
+  profile                 = var.profile_shared
   shared_credentials_file = "~/.aws/${var.project}/config"
   alias                   = "shared-route53"
 }

apps-prd/us-east-1/cdn-s3-frontend --/statics.tf → apps-prd/us-east-1/cdn-s3-frontend/statics.tf

@@ -2,7 +2,7 @@
 # Statics S3 Bucket + CloudFront CDN for moderncare.com
 #
 module "www_binbash_com_ar_statics" {
-  source = "github.com/binbashar/terraform-aws-cloudfront-s3-cdn.git?ref=0.75.0"
+  source = "github.com/binbashar/terraform-aws-cloudfront-s3-cdn.git?ref=0.69.0"
 
   # Common: bucket naming convention is "[PROJECT]-[ENV]-statics-[DOMAIN_NAME]"
   namespace = "${var.project}-${var.environment}-statics"

apps-prd/us-east-1/cdn-s3-frontend --/variables.tf → apps-prd/us-east-1/cdn-s3-frontend/variables.tf

@@ -91,16 +91,6 @@ variable "appsprd_account_id" {
   description = "Account: Prod Modules & Libs"
 }
 
-variable "vault_address" {
-  type        = string
-  description = "Vault Address"
-}
-
-variable "vault_token" {
-  type        = string
-  description = "Vault Token"
-}
-
 #=============================#
 # CDN DNS variables           #
 #=============================#

apps-prd/us-east-1/cdn-s3-frontend --/www.binbash.com.ar.tf → apps-prd/us-east-1/cdn-s3-frontend/www.binbash.com.ar.tf

@@ -2,7 +2,7 @@
 # Statics S3 Bucket + CloudFront CDN for moderncare.com
 #
 module "www_binbash_com_ar" {
-  source = "github.com/binbashar/terraform-aws-cloudfront-s3-cdn.git?ref=0.75.0"
+  source = "github.com/binbashar/terraform-aws-cloudfront-s3-cdn.git?ref=0.69.0"
 
   # Common: bucket naming convention is "bb-apps-prd-frontend-[DOMAIN_NAME]-origin"
   namespace            = "${var.project}-${var.environment}-frontend"

build.env

@@ -6,6 +6,6 @@ MFA_ENABLED=true
 
 # Terraform
 TERRAFORM_IMAGE_NAME=binbash/terraform-awscli-slim
-TERRAFORM_IMAGE_TAG=1.0.9
+TERRAFORM_IMAGE_TAG=0.14.11
 TERRAFORM_ENTRYPOINT=/bin/terraform
 TERRAFORM_MFA_ENTRYPOINT=/root/scripts/aws-mfa/aws-mfa-entrypoint.sh

network/us-east-1/base-network/variables.tf → network/base-network/variables.tf

@@ -218,7 +218,7 @@ variable "vpc_endpoints" {
 variable "enable_tgw" {
   description = "Enable Transit Gateway Support"
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "enable_vpc_attach" {

network/security-keys/build.env

@@ -0,0 +1 @@
+TERRAFORM_IMAGE_TAG=0.14.11

network/security-keys/config.tf

@@ -0,0 +1,23 @@
+#=============================#
+# AWS Provider Settings       #
+#=============================#
+provider "aws" {
+  region                  = var.region
+  profile                 = var.profile
+  shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+#=============================#
+# Backend Config (partial)    #
+#=============================#
+terraform {
+  required_version = ">= 0.14.11"
+
+  required_providers {
+    aws = "~> 3.0"
+  }
+
+  backend "s3" {
+    key = "network/security-keys/terraform.tfstate"
+  }
+}

network/security-keys/kms.tf

@@ -0,0 +1,52 @@
+module "kms_key" {
+  source = "github.com/binbashar/terraform-aws-kms-key.git?ref=0.10.0"
+
+  enabled                 = true
+  namespace               = var.project
+  stage                   = var.environment
+  name                    = var.kms_key_name
+  delimiter               = "-"
+  description             = "KMS key for ${var.environment} Account"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  alias                   = "alias/${var.project}_${var.environment}_${var.kms_key_name}_key"
+  policy                  = data.aws_iam_policy_document.kms.json
+  tags                    = local.tags
+}
+
+data "aws_iam_policy_document" "kms" {
+  statement {
+    sid       = "Enable IAM User Permissions"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.network_account_id}:root"]
+    }
+  }
+
+  statement {
+    sid    = "Enable CloudWatch Logs Service"
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${var.region}.amazonaws.com"]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:logs:arn"
+      values   = ["arn:aws:logs:${var.region}:${var.network_account_id}:*"]
+    }
+  }
+}

network/security-keys/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  tags = {
+    Terraform   = "true"
+    Environment = var.environment
+  }
+}

network/security-keys/outputs.tf

@@ -0,0 +1,29 @@
+#
+# EC2 aws_key_pair name
+#
+output "aws_key_pair_name" {
+  value = aws_key_pair.compute-ssh-key.key_name
+}
+
+#
+# KMS aws_kms_key outputs
+#
+output "aws_kms_key_arn" {
+  description = "Key ARN"
+  value       = module.kms_key.key_arn
+}
+
+output "aws_kms_key_id" {
+  description = "KMS Key ID"
+  value       = module.kms_key.key_id
+}
+
+output "aws_kms_key_alias_arn" {
+  description = "KMS Alias ARN"
+  value       = module.kms_key.alias_arn
+}
+
+output "aws_kms_key_alias_name" {
+  description = "KMS Alias name"
+  value       = module.kms_key.alias_name
+}

network/security-keys/ssh.tf

@@ -0,0 +1,4 @@
+resource "aws_key_pair" "compute-ssh-key" {
+  key_name   = var.compute_ssh_key_name
+  public_key = var.compute_ssh_public_key
+}