From 285241c72e182a608b89e921a81a6484fe92a695 Mon Sep 17 00:00:00 2001
From: modernisation-platform-ci
Date: Mon, 22 Jan 2024 04:50:02 +0000
Subject: [PATCH] Updates from GitHub Actions Format Code workflow
---
 terraform/environments/cdpt-chaps/database.tf | 16 +-
 terraform/environments/cdpt-chaps/ecs.tf | 4 +-
 terraform/environments/cdpt-chaps/secrets.tf | 2 +-
 .../environments/data-platform-compute/vpc.tf | 20 +-
 .../transfer_server_capita.tf | 6 +-
 terraform/environments/maat/api-cognito.tf | 270 +++++++++---------
 .../nomis-data-hub/locals_security_groups.tf | 90 +++---
 .../nomis/cloudwatch_dashboard/dashboard.tf | 76 ++---
 terraform/environments/performance-hub/s3.tf | 12 +-
 .../modules/baseline/cost_usage_report.tf | 20 +-
 terraform/modules/baseline/variables.tf | 6 +-
 terraform/modules/cost_usage_report/main.tf | 4 +-
 12 files changed, 263 insertions(+), 263 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 653ad0090ea..7edf5cca8bc 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -3,20 +3,20 @@
 #------------------------------------------------------------------------------
 resource "aws_db_instance" "database" {
- allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
- storage_type = "gp2"
- engine = "sqlserver-web"
- engine_version = "14.00.3381.3.v1"
- instance_class = local.application_data.accounts[local.environment].db_instance_class
- identifier = local.application_data.accounts[local.environment].db_instance_identifier
+ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
+ storage_type = "gp2"
+ engine = "sqlserver-web"
+ engine_version = "14.00.3381.3.v1"
+ instance_class = local.application_data.accounts[local.environment].db_instance_class
+ identifier = local.application_data.accounts[local.environment].db_instance_identifier
 # username = local.application_data.accounts[local.environment].db_user
 password = aws_secretsmanager_secret_version.db_password.secret_string
 vpc_security_group_ids = [aws_security_group.db.id]
 depends_on = [aws_security_group.db]
 # snapshot_identifier = "arn:aws:rds:eu-west-2:613903586696:snapshot:chaps-prod-snapshot-2024-01-19"
- db_subnet_group_name = aws_db_subnet_group.db.id
+ db_subnet_group_name = aws_db_subnet_group.db.id
 final_snapshot_identifier = "final-snapshot"
- publicly_accessible = true
+ publicly_accessible = true
 }
 resource "aws_db_instance_role_association" "database" {
diff --git a/terraform/environments/cdpt-chaps/ecs.tf b/terraform/environments/cdpt-chaps/ecs.tf
index f29c7442025..f9f3e3048d3 100644
--- a/terraform/environments/cdpt-chaps/ecs.tf
+++ b/terraform/environments/cdpt-chaps/ecs.tf
@@ -116,8 +116,8 @@ resource "aws_ecs_task_definition" "chaps_task_definition" {
 ],
 secrets = [
 {
- name: "RDS_PASSWORD",
- valueFrom: aws_secretsmanager_secret_version.db_password.arn
+ name : "RDS_PASSWORD",
+ valueFrom : aws_secretsmanager_secret_version.db_password.arn
 }
 ]
 }
diff --git a/terraform/environments/cdpt-chaps/secrets.tf b/terraform/environments/cdpt-chaps/secrets.tf
index 0306cdcd080..0fb0eb8c757 100644
--- a/terraform/environments/cdpt-chaps/secrets.tf
+++ b/terraform/environments/cdpt-chaps/secrets.tf
@@ -1,7 +1,7 @@
 #### This file can be used to store secrets specific to the member account ####
 resource "aws_secretsmanager_secret" "db_password" {
- name = "database_password"
+ name = "database_password"
 }
 resource "random_password" "password_long" {
diff --git a/terraform/environments/data-platform-compute/vpc.tf b/terraform/environments/data-platform-compute/vpc.tf
index 8973c89c844..c0ec2fa50cc 100644
--- a/terraform/environments/data-platform-compute/vpc.tf
+++ b/terraform/environments/data-platform-compute/vpc.tf
@@ -27,40 +27,40 @@ module "vpc_endpoints" {
 endpoints = {
 logs = {
- service = "logs"
- service_type = "Interface"
+ service = "logs"
+ service_type = "Interface"
 tags = merge(
 local.tags,
 { Name = format("%s-logs-api-vpc-endpoint", local.application_name) }
 )
 },
 sagemaker-api = {
- service = "sagemaker.api"
- service_type = "Interface"
+ service = "sagemaker.api"
+ service_type = "Interface"
 tags = merge(
 local.tags,
 { Name = format("%s-sagemaker-api-vpc-endpoint", local.application_name) }
 )
 },
 sagemaker-runtime = {
- service = "sagemaker.runtime"
- service_type = "Interface"
+ service = "sagemaker.runtime"
+ service_type = "Interface"
 tags = merge(
 local.tags,
 { Name = format("%s-sagemaker-runtime-vpc-endpoint", local.application_name) }
 )
 },
 sagemaker-catalog = {
- service = "servicecatalog"
- service_type = "Interface"
+ service = "servicecatalog"
+ service_type = "Interface"
 tags = merge(
 local.tags,
 { Name = format("%s-servicecatalog-vpc-endpoint", local.application_name) }
 )
 },
 sts = {
- service = "sts"
- service_type = "Interface"
+ service = "sts"
+ service_type = "Interface"
 tags = merge(
 local.tags,
 { Name = format("%s-sts-vpc-endpoint", local.application_name) }
diff --git a/terraform/environments/electronic-monitoring-data/transfer_server_capita.tf b/terraform/environments/electronic-monitoring-data/transfer_server_capita.tf
index fae85ffb8db..b77e2835871 100644
--- a/terraform/environments/electronic-monitoring-data/transfer_server_capita.tf
+++ b/terraform/environments/electronic-monitoring-data/transfer_server_capita.tf
@@ -5,7 +5,7 @@
 #------------------------------------------------------------------------------
 resource "aws_eip" "capita_eip" {
- domain = "vpc"
+ domain = "vpc"
 }
 #------------------------------------------------------------------------------
@@ -73,7 +73,7 @@ resource "aws_vpc_security_group_ingress_rule" "capita_ip_5" {
 resource "aws_transfer_server" "capita_transfer_server" {
- protocols = ["SFTP"]
+ protocols = ["SFTP"]
 identity_provider_type = "SERVICE_MANAGED"
 endpoint_type = "VPC"
@@ -89,7 +89,7 @@ resource "aws_transfer_server" "capita_transfer_server" {
 security_policy_name = "TransferSecurityPolicy-2023-05"
 pre_authentication_login_banner = "Hello there"
- logging_role = aws_iam_role.test_transfer_user_iam_role.arn
+ logging_role = aws_iam_role.test_transfer_user_iam_role.arn
 structured_log_destinations = [
 "${aws_cloudwatch_log_group.transfer.arn}:*"
 ]
diff --git a/terraform/environments/maat/api-cognito.tf b/terraform/environments/maat/api-cognito.tf
index 5c6264ed034..63b41deae6d 100644
--- a/terraform/environments/maat/api-cognito.tf
+++ b/terraform/environments/maat/api-cognito.tf
@@ -26,12 +26,12 @@ resource "aws_cognito_user_pool_domain" "maat_api_cognito_user_pool_domain" {
 ######################################
 resource "aws_cognito_resource_server" "maat_api_cognito_user_pool_server" {
- user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id
- identifier = "${local.application_name}-cd-api"
- name = "${local.application_name}-cd-api-ResourceServer1"
+ user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id
+ identifier = "${local.application_name}-cd-api"
+ name = "${local.application_name}-cd-api-ResourceServer1"
 scope {
- scope_name = "${local.application_data.accounts[local.environment].api_scope}"
+ scope_name = local.application_data.accounts[local.environment].api_scope
 scope_description = "${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"
 }
 }
@@ -42,184 +42,184 @@ resource "aws_cognito_resource_server" "maat_api_cognito_user_pool_server" { ###################################### resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_default" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "DEFAULT" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "DEFAULT" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_cda" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "CDA" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - 
explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "CDA" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_cma" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "Crime Means Assessment" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "Crime Means Assessment" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_ccp" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "Crown Court 
Proceeding" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "Crown Court Proceeding" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_ccc" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "Crown Court Contribution" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "Crown Court Contribution" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = 
["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_ce" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "Crime Evidence" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "Crime Evidence" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_caa" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "Crime Apply Adapter" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = 
["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "Crime Apply Adapter" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_ats" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "Application Tracking Service" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "Application Tracking Service" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_dcrs" { - 
depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "DCES Debt collection Report Service" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "DCES Debt collection Report Service" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_dirs" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "DCES DRC Integration Report Service" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "DCES DRC Integration Report Service" + user_pool_id = 
aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_chs" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "Crime Hardship Service" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "Crime Hardship Service" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_cvs" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - name = "Crime Validation Service" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - 
allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + name = "Crime Validation Service" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] + prevent_user_existence_errors = "ENABLED" + explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] } resource "aws_cognito_user_pool_client" "maat_api_cognito_pool_client_maatos" { - depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] - - name = "MAAT Orchestration Service" - user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id - allowed_oauth_flows_user_pool_client = true - generate_secret = true - supported_identity_providers = ["COGNITO"] - allowed_oauth_flows = ["client_credentials"] - allowed_oauth_scopes = ["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"] - prevent_user_existence_errors = "ENABLED" - explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"] + depends_on = [aws_cognito_resource_server.maat_api_cognito_user_pool_server] + + name = "MAAT Orchestration Service" + user_pool_id = aws_cognito_user_pool.maat_api_cognito_user_pool.id + allowed_oauth_flows_user_pool_client = true + generate_secret = true + supported_identity_providers = ["COGNITO"] + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = 
["${local.application_name}-cd-api/${local.application_data.accounts[local.environment].api_scope}"]
+ prevent_user_existence_errors = "ENABLED"
+ explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"]
 }
diff --git a/terraform/environments/nomis-data-hub/locals_security_groups.tf b/terraform/environments/nomis-data-hub/locals_security_groups.tf
index d7d125af7c2..2bde68ad355 100644
--- a/terraform/environments/nomis-data-hub/locals_security_groups.tf
+++ b/terraform/environments/nomis-data-hub/locals_security_groups.tf
@@ -84,11 +84,11 @@ locals {
 }
 egress = {
 all = {
- description = "Allow all egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
 }
 }
 }
@@ -112,11 +112,11 @@ locals {
 }
 egress = {
 all = {
- description = "Allow all egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
 }
 }
 }
@@ -133,11 +133,11 @@ locals {
 }
 egress = {
 all = {
- description = "Allow all egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
 }
 }
 }
@@ -159,11 +159,11 @@ locals {
 security_groups = ["management_server"]
 }
 http8555 = { # from oasys
- description = "Allow http8555 ingress"
- from_port = 8555
- to_port = 8555
- protocol = "tcp"
- cidr_blocks = local.security_group_cidrs.http8555
+ description = "Allow http8555 ingress"
+ from_port = 8555
+ to_port = 8555
+ protocol = "tcp"
+ cidr_blocks = local.security_group_cidrs.http8555
 }
 tcp-ems = {
 description = "Allow all ems ingress"
@@ -175,11 +175,11 @@ locals {
 }
 egress = {
 all = {
- description = "Allow all egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
 }
 }
 }
@@ -201,18 +201,18 @@ locals {
 security_groups = ["management_server"]
 }
 tcp7222 = { # from nomis (XTAG)
- description = "Allow port 7222 ingress"
- from_port = 7222
- to_port = 7222
- protocol = "tcp"
- cidr_blocks = local.security_group_cidrs.tcp7222
+ description = "Allow port 7222 ingress"
+ from_port = 7222
+ to_port = 7222
+ protocol = "tcp"
+ cidr_blocks = local.security_group_cidrs.tcp7222
 }
 tcp7224 = {
- description = "Allow port 7224 ingress"
- from_port = 7224
- to_port = 7224
- protocol = "tcp"
- cidr_blocks = local.security_group_cidrs.tcp7222
+ description = "Allow port 7224 ingress"
+ from_port = 7224
+ to_port = 7224
+ protocol = "tcp"
+ cidr_blocks = local.security_group_cidrs.tcp7222
 }
 tcp-app = {
 description = "Allow all app ingress"
@@ -224,11 +224,11 @@ locals {
 }
 egress = {
 all = {
- description = "Allow all egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
 }
 }
 }
@@ -253,11 +253,11 @@ locals {
 }
 egress = {
 all = {
- description = "Allow all egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
 }
 }
 }
diff --git a/terraform/environments/nomis/cloudwatch_dashboard/dashboard.tf b/terraform/environments/nomis/cloudwatch_dashboard/dashboard.tf
index 1839a1d8a83..c908a9140cb 100644
--- a/terraform/environments/nomis/cloudwatch_dashboard/dashboard.tf
+++ b/terraform/environments/nomis/cloudwatch_dashboard/dashboard.tf
@@ -39,7 +39,7 @@ locals {
 stat = "Maximum"
 period = local.cloudwatch_period
 metrics = [
- [ { "expression": "SELECT MAX(CPUUtilization)\nFROM SCHEMA(\"AWS/EC2\", InstanceId)\nGROUP BY InstanceId\nORDER BY MAX() DESC\nLIMIT 5", "label": "", "id": "q1" } ]
+ [{ "expression" : "SELECT MAX(CPUUtilization)\nFROM SCHEMA(\"AWS/EC2\", InstanceId)\nGROUP BY InstanceId\nORDER BY MAX() DESC\nLIMIT 5", "label" : "", "id" : "q1" }]
 ]
 }
 }
@@ -58,7 +58,7 @@ locals {
 stat = "Maximum"
 period = local.cloudwatch_period
 metrics = [
- [ { "expression": "SELECT MAX(mem_used_percent) FROM SCHEMA(CWAgent, InstanceId,name,server_type) GROUP BY InstanceId ORDER BY MAX() DESC", "label": "", "id": "q1", "yAxis": "left" } ]
+ [{ "expression" : "SELECT MAX(mem_used_percent) FROM SCHEMA(CWAgent, InstanceId,name,server_type) GROUP BY InstanceId ORDER BY MAX() DESC", "label" : "", "id" : "q1", "yAxis" : "left" }]
 ]
 }
 }
@@ -77,7 +77,7 @@ locals {
 stat = "Maximum"
 period = local.cloudwatch_period
 metrics = [
- [ { "expression": "SELECT MAX(disk_used_percent) FROM SCHEMA(CWAgent, InstanceId) GROUP BY InstanceId ORDER BY MAX() DESC", "label": "", "id": "q1" } ]
+ [{ "expression" : "SELECT MAX(disk_used_percent) FROM SCHEMA(CWAgent, InstanceId) GROUP BY InstanceId ORDER BY MAX() DESC", "label" : "", "id" : "q1" }]
 ]
 }
 }
@@ -96,7 +96,7 @@ locals {
 stat = "Maximum"
 period = local.cloudwatch_period
 metrics = [
- [ { "expression": "SELECT MAX(TargetResponseTime) FROM SCHEMA(\"AWS/ApplicationELB\", LoadBalancer,TargetGroup) GROUP BY TargetGroup ORDER BY MAX() DESC", "label": "", "id": "q1" } ]
+ [{ "expression" : "SELECT MAX(TargetResponseTime) FROM SCHEMA(\"AWS/ApplicationELB\", LoadBalancer,TargetGroup) GROUP BY TargetGroup ORDER BY MAX() DESC", "label" : "", "id" : "q1" }]
 ]
 }
 }
@@ -115,7 +115,7 @@ locals {
 stat = "Maximum"
 period = local.cloudwatch_period
 metrics = [
- [ { "expression": "SELECT COUNT(RequestCount) FROM \"AWS/ApplicationELB\" GROUP BY LoadBalancer ORDER BY COUNT() DESC", "label": "", "id": "q1" } ]
+ [{ "expression" : "SELECT COUNT(RequestCount) FROM \"AWS/ApplicationELB\" GROUP BY LoadBalancer ORDER BY COUNT() DESC", "label" : "", "id" : "q1" }]
 ]
 }
 }
@@ -134,7 +134,7 @@ locals {
 stat = "Maximum"
 period = local.cloudwatch_period
 metrics = [
- [ { "expression": "SELECT COUNT(HTTPCode_ELB_5XX_Count) FROM SCHEMA(\"AWS/ApplicationELB\", AvailabilityZone,LoadBalancer,TargetGroup) GROUP BY LoadBalancer ORDER BY COUNT() DESC", "label": "", "id": "q1" } ]
+ [{ "expression" : "SELECT COUNT(HTTPCode_ELB_5XX_Count) FROM SCHEMA(\"AWS/ApplicationELB\", AvailabilityZone,LoadBalancer,TargetGroup) GROUP BY LoadBalancer ORDER BY COUNT() DESC", "label" : "", "id" : "q1" }]
 ]
 }
 }
@@ -153,11 +153,11 @@ locals {
 stat = "Sum"
 period = local.cloudwatch_period
 metrics = [
- [ { "expression": "m1/PERIOD(m1)", "label": "Read IOPs", "id": "e1" } ],
- [ { "expression": "m2/PERIOD(m2)", "label": "Write IOPs", "id": "e2" } ],
- [ { "expression": "e1+e2", "label": "Total IOPs", "id": "e3" } ],
- [ "AWS/EBS", "VolumeReadOps", "VolumeId", "*", { "id": "m1", "visible": false } ],
- [ "AWS/EBS", "VolumeWriteOps", "VolumeId", "*", { "id": "m2", "visible": false } ]
+ [{ "expression" : "m1/PERIOD(m1)", "label" : "Read IOPs", "id" : "e1" }],
+ [{ "expression" : "m2/PERIOD(m2)", "label" : "Write IOPs", "id" : "e2" }],
+ [{ "expression" : "e1+e2", "label" : "Total IOPs", "id" : "e3" }],
+ ["AWS/EBS", "VolumeReadOps", "VolumeId", "*", { "id" : "m1", "visible" : false }],
+ ["AWS/EBS", "VolumeWriteOps", "VolumeId", "*", { "id" : "m2", "visible" : false }]
 ]
 }
 }
@@ -176,11 +176,11 @@ locals {
 stat = "Sum"
 period = local.cloudwatch_period
 metrics = [
- [ { "expression": "SELECT SUM(VolumeWriteBytes)\nFROM SCHEMA(\"AWS/EBS\", VolumeId)\nGROUP BY VolumeId\nORDER BY SUM() DESC\nLIMIT 10", "label": "VolumeWriteBytes", "id": "m3", "stat": "Sum", "visible": false } ],
- [ { "expression": "SELECT SUM(VolumeReadBytes) FROM SCHEMA(\"AWS/EBS\", VolumeId) GROUP BY VolumeId ORDER BY SUM() DESC LIMIT 10", "label": "VolumeReadBytes", "id": "m4", "stat": "Sum", "visible": false } ],
- [ { "expression": "(m4/(1024*1024))/PERIOD(m4)", "label": "MB Read Per Second", "id": "e4" } ],
- [ { "expression": "(m3/(1024*1024))/PERIOD(m3)", "label": "MB Write Per Second", "id": "e5" } ],
- [ { "expression": "e4+e5", "label": "Total Consumed MB/s", "id": "e6" } ]
+ [{ "expression" : "SELECT SUM(VolumeWriteBytes)\nFROM SCHEMA(\"AWS/EBS\", VolumeId)\nGROUP BY VolumeId\nORDER BY SUM() DESC\nLIMIT 10", "label" : "VolumeWriteBytes", "id" : "m3", "stat" : "Sum", "visible" : false }],
+ [{ "expression" : "SELECT SUM(VolumeReadBytes) FROM SCHEMA(\"AWS/EBS\", VolumeId) GROUP BY VolumeId ORDER BY SUM() DESC LIMIT 10", "label" : "VolumeReadBytes", "id" : "m4", "stat" : "Sum", "visible" : false }],
+ [{ "expression" : "(m4/(1024*1024))/PERIOD(m4)", "label" : "MB Read Per Second", "id" : "e4" }],
+ [{ "expression" : "(m3/(1024*1024))/PERIOD(m3)", "label" : "MB Write Per Second", "id" : "e5" }],
+ [{ "expression" : "e4+e5", "label" : "Total Consumed MB/s", "id" : "e6" }]
 ]
 }
 }
@@ -192,10 +192,10 @@ locals {
 width = 24
 height = 15
 properties = {
- region = local.region
- title = "All EBS Volume Stats"
- stat = "Sum"
- period = local.cloudwatch_period
+ region = local.region
+ title = "All EBS Volume Stats"
+ stat = "Sum"
+ period = local.cloudwatch_period
 widgetOptions = {
 view = "timeSeries"
 stacked = false
@@ -203,33 +203,33 @@ locals {
 widgetsPerRow = 2
 }
 labels = [
- { key: "application", value: "nomis" }
+ { key : "application", value : "nomis" }
 ]
 metrics = [
- {
- "metricName": "VolumeReadBytes",
- "resourceType": "AWS::EC2::Volume",
- "stat": "Sum"
+ {
+ "metricName" : "VolumeReadBytes",
+ "resourceType" : "AWS::EC2::Volume",
+ "stat" : "Sum"
 },
 {
- "metricName": "VolumeWriteBytes",
- "resourceType": "AWS::EC2::Volume",
- "stat": "Sum"
+ "metricName" : "VolumeWriteBytes",
+ "resourceType" : "AWS::EC2::Volume",
+ "stat" : "Sum"
 },
 {
- "metricName": "VolumeIdleTime",
- "resourceType": "AWS::EC2::Volume",
- "stat": "Average"
+ "metricName" : "VolumeIdleTime",
+ "resourceType" : "AWS::EC2::Volume",
+ "stat" : "Average"
 },
 {
- "metricName": "VolumeReadOps",
- "resourceType": "AWS::EC2::Volume",
- "stat": "Sum"
+ "metricName" : "VolumeReadOps",
+ "resourceType" : "AWS::EC2::Volume",
+ "stat" : "Sum"
 },
 {
- "metricName": "VolumeWriteOps",
- "resourceType": "AWS::EC2::Volume",
- "stat": "Sum"
+ "metricName" : "VolumeWriteOps",
+ "resourceType" : "AWS::EC2::Volume",
+ "stat" : "Sum"
 }
 ]
 }
@@ -244,7 +244,7 @@ locals {
 properties = {
 markdown = "## LoadBalancer Graphed Metrics"
 background = "solid"
- }
+ }
 }
 EC2GraphedMetricsHeading = {
diff --git a/terraform/environments/performance-hub/s3.tf b/terraform/environments/performance-hub/s3.tf
index 655d9f5d1a8..c546326f4fd 100644
--- a/terraform/environments/performance-hub/s3.tf
+++ b/terraform/environments/performance-hub/s3.tf
@@ -166,13 +166,13 @@ resource "aws_iam_role_policy_attachment" "s3_uploads_attachment" {
 module "ap_landing_bucket" {
 source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
- bucket_name = "${local.application_name}-land-${local.environment}"
- ownership_controls = "BucketOwnerEnforced"
+ bucket_name = "${local.application_name}-land-${local.environment}"
+ ownership_controls = "BucketOwnerEnforced"
 versioning_enabled = false
 replication_enabled = false
- bucket_policy = [data.aws_iam_policy_document.allow_ap_write_to_landing.json]
+ bucket_policy = [data.aws_iam_policy_document.allow_ap_write_to_landing.json]
 providers = {
 # Leave this provider block in even if you are not using replication
@@ -215,7 +215,7 @@ data "aws_iam_policy_document" "allow_ap_write_to_landing" {
 # See also: https://github.com/moj-analytical-services/data-engineering-exports/tree/main/push_datasets
 statement {
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = [
 "arn:aws:iam::593291632749:role/service-role/export_prison_incidents-move",
 "arn:aws:iam::593291632749:role/service-role/export_prison_performance-move"
@@ -223,8 +223,8 @@ data "aws_iam_policy_document" "allow_ap_write_to_landing" {
 }
 actions = [
- "s3:PutObject",
- "s3:PutObjectAcl"
+ "s3:PutObject",
+ "s3:PutObjectAcl"
 ]
 resources = [
diff --git a/terraform/modules/baseline/cost_usage_report.tf b/terraform/modules/baseline/cost_usage_report.tf
index b2147c92670..c551d9e81f6 100644
--- a/terraform/modules/baseline/cost_usage_report.tf
+++ b/terraform/modules/baseline/cost_usage_report.tf
@@ -1,17 +1,17 @@
 module "cost_usage_report" {
- count = lookup(var.cost_usage_report, "create", false) ? 1 : 0
+ count = lookup(var.cost_usage_report, "create", false) ? 1 : 0
- source = "../../modules/cost_usage_report"
+ source = "../../modules/cost_usage_report"
- providers = {
- aws.us-east-1 = aws.us-east-1
- aws.bucket-replication = aws
- }
+ providers = {
+ aws.us-east-1 = aws.us-east-1
+ aws.bucket-replication = aws
+ }
- application_name = var.environment.application_name
- account_number = var.environment.account_id
- environment = var.environment.environment
- tags = local.tags
+ application_name = var.environment.application_name
+ account_number = var.environment.account_id
+ environment = var.environment.environment
+ tags = local.tags
 }
diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf
index 912b8c0ca6c..15b447ac6a8 100644
--- a/terraform/modules/baseline/variables.tf
+++ b/terraform/modules/baseline/variables.tf
@@ -1024,10 +1024,10 @@ variable "resource_explorer" {
 variable "cost_usage_report" {
 description = "Enables AWS Cost Usage Report"
- type = object({
+ type = object({
 create = bool
- })
- default = {
+ })
+ default = {
 create = false
 }
 }
diff --git a/terraform/modules/cost_usage_report/main.tf b/terraform/modules/cost_usage_report/main.tf
index 9a9aeeb5fd2..2e0532feee7 100644
--- a/terraform/modules/cost_usage_report/main.tf
+++ b/terraform/modules/cost_usage_report/main.tf
@@ -111,8 +111,8 @@ resource "aws_athena_workgroup" "cur" {
 selected_engine_version = "Athena engine version 3"
 }
 result_configuration {
- output_location = "s3://${module.s3_bucket.bucket.id}/output/"
- encryption_configuration {
+ output_location = "s3://${module.s3_bucket.bucket.id}/output/"
+ encryption_configuration {
 encryption_option = "SSE_S3"
 }
 }