MLPAB-1570 - create a fault injection simulator template the ecs app (#936)

* Create a role for Fault Injection Simulator to use

* Create an experiment template for ECS task faults

* deploy an SSM agent prerequisite in ECS task

* create these resources and deploy prerequisites when experiments are enabled
andrewpearce-digital authored Feb 8, 2024
1 parent b3f1714 commit 7ebe96d
Showing 35 changed files with 646 additions and 94 deletions.
12 changes: 6 additions & 6 deletions terraform/account/README.md
Expand Up @@ -90,17 +90,17 @@ For terraform_environment, this will be based on your PR and can be found in the
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | 1.7.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.34.0 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | 1.7.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.35.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws.eu_west_1"></a> [aws.eu\_west\_1](#provider\_aws.eu\_west\_1) | 5.34.0 |
| <a name="provider_aws.eu_west_2"></a> [aws.eu\_west\_2](#provider\_aws.eu\_west\_2) | 5.34.0 |
| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | 5.34.0 |
| <a name="provider_aws.management_global"></a> [aws.management\_global](#provider\_aws.management\_global) | 5.34.0 |
| <a name="provider_aws.eu_west_1"></a> [aws.eu\_west\_1](#provider\_aws.eu\_west\_1) | 5.35.0 |
| <a name="provider_aws.eu_west_2"></a> [aws.eu\_west\_2](#provider\_aws.eu\_west\_2) | 5.35.0 |
| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | 5.35.0 |
| <a name="provider_aws.management_global"></a> [aws.management\_global](#provider\_aws.management\_global) | 5.35.0 |
## Modules
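Review bot: the terraform bump from 1.7.1 to 1.7.2 and the aws provider bump from ~> 5.34.0 to ~> 5.35.0 are unrelated to the fault injection work in the commit message, and the same bump is repeated across every module README in this commit; landing dependency bumps in their own commit keeps the FIS change reviewable and revertable on its own. These READMEs are generated, so the bump must originate from the version constraint in each module's versions file; those .tf changes are not among the hunks shown here, so please confirm they are included.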
10 changes: 5 additions & 5 deletions terraform/account/region/README.md
Expand Up @@ -4,16 +4,16 @@
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.34.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.35.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.34.0 |
| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | ~> 5.34.0 |
| <a name="provider_aws.management"></a> [aws.management](#provider\_aws.management) | ~> 5.34.0 |
| <a name="provider_aws.region"></a> [aws.region](#provider\_aws.region) | ~> 5.34.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.35.0 |
| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | ~> 5.35.0 |
| <a name="provider_aws.management"></a> [aws.management](#provider\_aws.management) | ~> 5.35.0 |
| <a name="provider_aws.region"></a> [aws.region](#provider\_aws.region) | ~> 5.35.0 |

## Modules

Expand Up @@ -8,13 +8,13 @@ This module creates a S3 bucket for antivirus definitions, and a Lambda function
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.34.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.35.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws.region"></a> [aws.region](#provider\_aws.region) | ~> 5.34.0 |
| <a name="provider_aws.region"></a> [aws.region](#provider\_aws.region) | ~> 5.35.0 |

## Modules

4 changes: 2 additions & 2 deletions terraform/account/region/modules/dns_firewall/README.md
Expand Up @@ -8,13 +8,13 @@ This module creates a DNS Firewall rule group and rule group associations.
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.34.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.35.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws.region"></a> [aws.region](#provider\_aws.region) | ~> 5.34.0 |
| <a name="provider_aws.region"></a> [aws.region](#provider\_aws.region) | ~> 5.35.0 |

## Modules

4 changes: 2 additions & 2 deletions terraform/account/region/modules/s3_batch_manifests/README.md
Expand Up @@ -8,13 +8,13 @@ This module creates a S3 bucket for S3 Batch Job Manifests.
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.34.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.35.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws.region"></a> [aws.region](#provider\_aws.region) | ~> 5.34.0 |
| <a name="provider_aws.region"></a> [aws.region](#provider\_aws.region) | ~> 5.35.0 |

## Modules

Expand Up @@ -8,13 +8,13 @@ This module creates a S3 bucket event notifications and event notification filte
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.34.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.35.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.34.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.35.0 |

## Modules

18 changes: 9 additions & 9 deletions terraform/environment/README.md
Expand Up @@ -113,19 +113,19 @@ For terraform_environment, this will be based on your PR and can be found in the
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | 1.7.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.34.0 |
| <a name="requirement_pagerduty"></a> [pagerduty](#requirement\_pagerduty) | 3.5.2 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | 1.7.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.35.0 |
| <a name="requirement_pagerduty"></a> [pagerduty](#requirement\_pagerduty) | 3.7.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws.eu_west_1"></a> [aws.eu\_west\_1](#provider\_aws.eu\_west\_1) | 5.34.0 |
| <a name="provider_aws.eu_west_2"></a> [aws.eu\_west\_2](#provider\_aws.eu\_west\_2) | 5.34.0 |
| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | 5.34.0 |
| <a name="provider_aws.management_eu_west_1"></a> [aws.management\_eu\_west\_1](#provider\_aws.management\_eu\_west\_1) | 5.34.0 |
| <a name="provider_aws.management_global"></a> [aws.management\_global](#provider\_aws.management\_global) | 5.34.0 |
| <a name="provider_aws.eu_west_1"></a> [aws.eu\_west\_1](#provider\_aws.eu\_west\_1) | 5.35.0 |
| <a name="provider_aws.eu_west_2"></a> [aws.eu\_west\_2](#provider\_aws.eu\_west\_2) | 5.35.0 |
| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | 5.35.0 |
| <a name="provider_aws.management_eu_west_1"></a> [aws.management\_eu\_west\_1](#provider\_aws.management\_eu\_west\_1) | 5.35.0 |
| <a name="provider_aws.management_global"></a> [aws.management\_global](#provider\_aws.management\_global) | 5.35.0 |
## Modules
Expand Down Expand Up @@ -167,7 +167,7 @@ For terraform_environment, this will be based on your PR and can be found in the
|------|-------------|------|---------|:--------:|
| <a name="input_container_version"></a> [container\_version](#input\_container\_version) | n/a | `string` | `"latest"` | no |
| <a name="input_default_role"></a> [default\_role](#input\_default\_role) | n/a | `string` | `"modernising-lpa-ci"` | no |
| <a name="input_environments"></a> [environments](#input\_environments) | n/a | <pre>map(<br> object({<br> account_id = string<br> account_name = string<br> is_production = bool<br> regions = list(string)<br> app = object({<br> env = object({<br> app_public_url = string<br> auth_redirect_base_url = string<br> notify_is_production = string<br> onelogin_url = string<br> })<br> autoscaling = object({<br> minimum = number<br> maximum = number<br> })<br> dependency_health_check_alarm_enabled = bool<br> service_health_check_alarm_enabled = bool<br> cloudwatch_application_insights_enabled = bool<br> })<br> mock_onelogin_enabled = bool<br> uid_service = object({<br> base_url = string<br> api_arns = list(string)<br> })<br> lpa_store_service = object({<br> base_url = string<br> api_arns = list(string)<br> })<br> backups = object({<br> backup_plan_enabled = bool<br> copy_action_enabled = bool<br> })<br> dynamodb = object({<br> region_replica_enabled = bool<br> stream_enabled = bool<br> })<br> ecs = object({<br> fargate_spot_capacity_provider_enabled = bool<br><br> })<br> cloudwatch_log_groups = object({<br> application_log_retention_days = number<br> })<br> application_load_balancer = object({<br> deletion_protection_enabled = bool<br> })<br> cloudwatch_application_insights_enabled = bool<br> pagerduty_service_name = string<br> event_bus = object({<br> target_event_bus_arn = string<br> receive_account_ids = list(string)<br> })<br> reduced_fees = object({<br> enabled = bool<br> s3_object_replication_enabled = bool<br> target_environment = string<br> destination_account_id = string<br> enable_s3_batch_job_replication_scheduler = bool<br> })<br> s3_antivirus_provisioned_concurrency = number<br> })<br> )</pre> | n/a | yes |
| <a name="input_environments"></a> [environments](#input\_environments) | n/a | <pre>map(<br> object({<br> account_id = string<br> account_name = string<br> is_production = bool<br> regions = list(string)<br> app = object({<br> env = object({<br> app_public_url = string<br> auth_redirect_base_url = string<br> notify_is_production = string<br> onelogin_url = string<br> })<br> autoscaling = object({<br> minimum = number<br> maximum = number<br> })<br> dependency_health_check_alarm_enabled = bool<br> service_health_check_alarm_enabled = bool<br> cloudwatch_application_insights_enabled = bool<br> fault_injection_experiments_enabled = bool<br> })<br> mock_onelogin_enabled = bool<br> uid_service = object({<br> base_url = string<br> api_arns = list(string)<br> })<br> lpa_store_service = object({<br> base_url = string<br> api_arns = list(string)<br> })<br> backups = object({<br> backup_plan_enabled = bool<br> copy_action_enabled = bool<br> })<br> dynamodb = object({<br> region_replica_enabled = bool<br> stream_enabled = bool<br> })<br> ecs = object({<br> fargate_spot_capacity_provider_enabled = bool<br><br> })<br> cloudwatch_log_groups = object({<br> application_log_retention_days = number<br> })<br> application_load_balancer = object({<br> deletion_protection_enabled = bool<br> })<br> cloudwatch_application_insights_enabled = bool<br> pagerduty_service_name = string<br> event_bus = object({<br> target_event_bus_arn = string<br> receive_account_ids = list(string)<br> })<br> reduced_fees = object({<br> enabled = bool<br> s3_object_replication_enabled = bool<br> target_environment = string<br> destination_account_id = string<br> enable_s3_batch_job_replication_scheduler = bool<br> })<br> s3_antivirus_provisioned_concurrency = number<br> })<br> )</pre> | n/a | yes |
| <a name="input_pagerduty_api_key"></a> [pagerduty\_api\_key](#input\_pagerduty\_api\_key) | n/a | `string` | n/a | yes |
| <a name="input_public_access_enabled"></a> [public\_access\_enabled](#input\_public\_access\_enabled) | n/a | `bool` | `false` | no |
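Review bot: the new `fault_injection_experiments_enabled = bool` field inside the `app` object is the only documentation a reader gets for this flag, and the `environments` variable's Description column is still `n/a`. Because the flag gates creation of a role that Fault Injection Simulator assumes and an experiment template for ECS task faults, the variable description should say what enabling it provisions and which environments are expected to set it to `true`, so it is not switched on in a production environment by copy-paste. Unrelated to this change but visible in the same row: `cloudwatch_application_insights_enabled` appears both inside `app` and at the top level of the environment object, which is worth a follow-up cleanup.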
19 changes: 16 additions & 3 deletions terraform/environment/global/README.md
Expand Up @@ -58,14 +58,15 @@ No modules.
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.34.0 |
| <a name="requirement_pagerduty"></a> [pagerduty](#requirement\_pagerduty) | 3.5.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.35.0 |
| <a name="requirement_pagerduty"></a> [pagerduty](#requirement\_pagerduty) | 3.7.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | ~> 5.34.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.35.0 |
| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | ~> 5.35.0 |

## Modules

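Review bot: an unaliased `aws` provider now appears in the Providers table alongside `aws.global`, which means at least one new resource or data source in this module does not set `provider = aws.global`. Every existing resource in this module pins the global provider (see the `data "aws_default_tags" "current"` block in data_sources.tf below), so please identify which new FIS or SSM resource falls through to the default provider and either add `provider = aws.global` or state why the default is intended; a default-provider resource is created wherever the root module's unaliased provider happens to point, which is easy to miss in review.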
Expand All @@ -79,15 +80,27 @@ No modules.
| [aws_iam_role.app_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.cross_account_put](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.fault_injection_simulator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.s3_antivirus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.ssm_register_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.fault_injection_simulator_create_fis_service_linked_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.ssm_register_instance_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.cloudwatch_logs_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.fault_injection_simulator_ecs_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.fault_injection_simulator_ssm_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_antivirus_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_resourcegroups_group.environment_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource |
| [aws_caller_identity.global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
| [aws_iam_policy_document.cross_account_put_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.execution_role_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.fault_injection_simulator_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.fault_injection_simulator_create_fis_service_linked_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ssm_register_instance_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ssm_register_instance_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.task_role_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

## Inputs
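Review bot: the new `aws_iam_role.fault_injection_simulator` and `aws_iam_role.ssm_register_instance` roles and their policies are listed here only by name, so the trust and permission scope has to be checked in the .tf files. Three things to confirm there: that `fault_injection_simulator_assume` restricts the trusted service principal with an `aws:SourceAccount` (or `aws:SourceArn`) condition so the role can only be assumed for experiments in this account; that the `fault_injection_simulator_create_fis_service_linked_role` policy conditions `iam:CreateServiceLinkedRole` on `iam:AWSServiceName` rather than allowing it for any service; and that the `fault_injection_simulator_ecs_access` and `fault_injection_simulator_ssm_access` attachments are the FIS-specific managed policies, not general ECS or SSM full-access ones. `ssm_register_instance_permissions` lets tasks register themselves as managed instances, so it should be limited to the activation-related actions the SSM agent sidecar needs and to `iam:PassRole` on the single instance role.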
4 changes: 4 additions & 0 deletions terraform/environment/global/data_sources.tf
@@ -1,3 +1,7 @@
data "aws_default_tags" "current" {
provider = aws.global
}

data "aws_caller_identity" "global" {
provider = aws.global
}
1 change: 1 addition & 0 deletions terraform/environment/global/iam_ecs_task_roles.tf
Expand Up @@ -16,3 +16,4 @@ data "aws_iam_policy_document" "task_role_assume_policy" {
}
provider = aws.global
}

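Review bot: the only change to this file is a trailing blank line after the closing brace, which looks accidental; drop it so the file keeps a single newline at end of file and this file stays out of the diff.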