Planetfm/dsos 2408/use modified lb module

terraform/environments/planetfm/ec2-common.tf

@@ -52,4 +52,4 @@ resource "aws_ssm_document" "ami_build_automation" {
       Name = "ami-build-automation"
     },
   )
-}
+}

terraform/environments/planetfm/locals_development.tf

@@ -4,5 +4,106 @@ locals {
   # baseline config
   development_config = {
 
+    # baseline_s3_buckets = {
+    #   public-lb-logs-bucket = {
+    #     bucket_policy_v2 = [
+    #       {
+    #         effect = "Allow"
+    #         actions = [
+    #           "s3:PutObject",
+    #         ]
+    #         principals = {
+    #           identifiers = ["arn:aws:iam::652711504416:root"]
+    #           type        = "AWS"
+    #         }
+    #       },
+    #       {
+    #         effect = "Allow"
+    #         actions = [
+    #           "s3:PutObject"
+    #         ]
+    #         principals = {
+    #           identifiers = ["delivery.logs.amazonaws.com"]
+    #           type        = "Service"
+    #         }
+
+    #         conditions = [
+    #           {
+    #             test     = "StringEquals"
+    #             variable = "s3:x-amz-acl"
+    #             values   = ["bucket-owner-full-control"]
+    #           }
+    #         ]
+    #       },
+    #       {
+    #         effect = "Allow"
+    #         actions = [
+    #           "s3:GetBucketAcl"
+    #         ]
+    #         principals = {
+    #           identifiers = ["delivery.logs.amazonaws.com"]
+    #           type        = "Service"
+    #         }
+    #       }
+    #     ]
+    #     iam_policies = module.baseline_presets.s3_iam_policies
+    #   }
+    #   network-lb-logs-bucket = {
+    #     sse_algorithm = "AES256"
+    #     bucket_policy_v2 = [
+    #       {
+    #         effect = "Allow"
+    #         actions = [
+    #           "s3:PutObject"
+    #         ]
+    #         principals = {
+    #           identifiers = ["delivery.logs.amazonaws.com"]
+    #           type        = "Service"
+    #         }
+    #         conditions = [
+    #           {
+    #             test     = "StringEquals"
+    #             variable = "s3:x-amz-acl"
+    #             values   = ["bucket-owner-full-control"]
+    #           },
+    #           {
+    #             test     = "StringEquals"
+    #             variable = "aws:SourceAccount"
+    #             values   = [module.environment.account_id]
+    #           },
+    #           {
+    #             test     = "ArnLike"
+    #             variable = "aws:SourceArn"
+    #             values   = ["arn:aws:logs:${module.environment.region}:${module.environment.account_id}:*"]
+    #           }
+    #         ]
+    #       },
+    #       {
+    #         effect = "Allow"
+    #         actions = [
+    #           "s3:GetBucketAcl"
+    #         ]
+    #         principals = {
+    #           identifiers = ["delivery.logs.amazonaws.com"]
+    #           type        = "Service"
+    #         }
+    #         conditions = [
+    #           {
+    #             test     = "StringEquals"
+    #             variable = "aws:SourceAccount"
+    #             values   = [module.environment.account_id]
+    #           },
+    #           {
+    #             test     = "ArnLike"
+    #             variable = "aws:SourceArn"
+    #             values   = ["arn:aws:logs:${module.environment.region}:${module.environment.account_id}:*"]
+    #           }
+    #         ]
+    #       }
+    #     ]
+    #     iam_policies = module.baseline_presets.s3_iam_policies
+    #   }
+    # }
   }
 }
+

terraform/environments/planetfm/locals_preproduction.tf

@@ -154,7 +154,7 @@ locals {
       private = {
         internal_lb                      = true
         enable_delete_protection         = false
-        loadbalancer_type                = "application"
+        load_balancer_type                = "application"
         idle_timeout                     = 3600
         security_groups                  = ["loadbalancer"]
         subnets                          = module.environment.subnets["private"].ids

terraform/modules/baseline/lb.tf

@@ -110,7 +110,11 @@ module "lb" {
 
   for_each = var.lbs
 
-  source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=10b4dc871150e9fa94532be6c60c35b97f55c657"
+  # references my working fork of the module
+  # source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=0d4f8e35ba3605fabbd233b592caaa656a8a03e8"
+
+  # experimental
+  source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=4b518d453bb9743d604ce47186e34edb07767a51"
 
   providers = {
     aws.bucket-replication = aws

terraform/modules/baseline/s3_bucket.tf

@@ -44,8 +44,8 @@ module "s3_bucket" {
   replication_region         = coalesce(each.value.replication_region, var.environment.region)
   bucket_policy              = each.value.bucket_policy
   bucket_policy_v2           = each.value.bucket_policy_v2
-  custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
-  custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
+  custom_kms_key             = each.value.custom_kms_key
+  custom_replication_kms_key = each.value.custom_replication_kms_key
   lifecycle_rule             = each.value.lifecycle_rule
   log_bucket                 = each.value.log_bucket
   log_prefix                 = each.value.log_prefix

terraform/modules/baseline/variables.tf

@@ -577,8 +577,8 @@ variable "lbs" {
     load_balancer_type               = optional(string, "application")
     security_groups                  = list(string)
     subnets                          = list(string)
-    existing_bucket_name             = optional(string, "")                      # NOTE: module default value is empty string ""
-    enable_cross_zone_load_balancing = optional(bool, false)                     # network and gateway lb types only, application lb's this is always true
+    existing_bucket_name             = optional(string, "") # NOTE:  module default value is empty string
+    enable_cross_zone_load_balancing = optional(bool, false) # network and gateway lb types only, application lb's this is always true
     dns_record_client_routing_policy = optional(string, "any_availability_zone") # network load-balancer types only
     s3_versioning                    = optional(bool, true)
     instance_target_groups = optional(map(object({