AFS
/
xdr-terraform-live


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194
							# ---------------------------------------------------------------------------------------------------------------------
# Global Variables and Terragrunt Configuration
# ---------------------------------------------------------------------------------------------------------------------
# This file takes care of the global variables. These are settings that should apply to ALL environments: prod, test,
# *AND* common, across both partitions (govcloud and commercial)
# 
# It also takes care of setting up:
#   The provider file
#     * A default provider for the account you're in
#     * A 'commercial' provider alias for the common services account in commercial
#     * A 'govcloud' provider alias for the common services account in govcloud
#   The backend file
#     * 

# ---------------------------------------------------------------------------------------------------------------------
# Variables
# ---------------------------------------------------------------------------------------------------------------------
locals {
  # Automatically load account-level variables
  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))

  # Automatically load region-level variables
  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))

  # Automatically load partitiot-level variables
  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))

  # Automatically load environment-level variables
  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))

  # Automatically load global-level variables
  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))

  # Generate our standard tags
  standard_tags = merge(
    local.global_vars.locals.global_tags,
    local.environment_vars.locals.environment_tags,
    local.partition_vars.locals.partition_tags,
    local.region_vars.locals.region_tags,
    local.account_vars.locals.account_tags
  )

  # Extract the variables we need for easy access
  account_name   = local.account_vars.locals.account_name
  account_id     = local.account_vars.locals.aws_account_id
  aws_region     = local.region_vars.locals.aws_region
  aws_partition  = local.partition_vars.locals.aws_partition
  common_services_account = local.partition_vars.locals.common_services_account
  legacy_account = local.environment_vars.locals.legacy_account
  tfstate_region = local.partition_vars.locals.tfstate_region

  common_profile = local.partition_vars.locals.common_profile

  # variables created here are available to *.hcl files in this hierarchy, but are not
  # automatically sent via inputs to the modules. Put global variables in global.hcl
  # 
  # (Conversely, inputs are not automatically available to the hcl files)
}

# ---------------------------------------------------------------------------------------------------------------------
# Generate a required providers block
# -- Allows override on a per-module basis
# ---------------------------------------------------------------------------------------------------------------------
generate "required_providers" {
  path      = "required_provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "= 3.37.0" # 2021-04-29: upgrade from 2.66
    }
    template = {
      source = "hashicorp/template"
      version = "= 2.2.0" # 2021-04-29: ugprade from 2.1.0
    }
    vault = {
      source = "hashicorp/vault"
      version = "= 2.19.1" # 2021-04-29: upgrade from 2.18.0
    }
    sensu = {
      source = "jtopjian/sensu"
      version = "= 0.10.5"
    }
  }
}
EOF
}

# ---------------------------------------------------------------------------------------------------------------------
# Generate an AWS provider block
# ---------------------------------------------------------------------------------------------------------------------
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
provider "template" {
}

provider "aws" {
  region = "${local.aws_region}"

  assume_role {
    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
    session_name = "terraform-default"
  }
  
  profile = "${local.common_profile}"

  # Only these AWS Account IDs may be operated on by this template
  allowed_account_ids = ["${local.account_id}"]
}

# The "common" provider in the respective partition is always available
provider "aws" {
  region = "${local.aws_region}"
  allowed_account_ids = [ "471284459109", "701290387780" ]
  profile = "${local.common_profile}"
  alias   = "common"

  assume_role {
    role_arn = "arn:${local.aws_partition}:iam::${local.common_services_account}:role/user/mdr_terraformer"
    session_name = "terraform-common"
  }
}

# The "mdr-common-services-commercial" provider is used for public DNS entries
provider "aws" {
  region = "us-east-1"
  allowed_account_ids = [ "471284459109" ]
  profile = "commercial"
  alias   = "mdr-common-services-commercial"

  assume_role {
    role_arn = "arn:aws:iam::471284459109:role/user/mdr_terraformer"
    session_name = "terraform-mdr-common-services-commercial"
  }
}

# The "C2" provider, used for private DNS
provider "aws" {
  region = "us-gov-east-1"
  allowed_account_ids = [ "721817724804", "738800754746" ]
  profile = "govcloud"
  alias   = "c2"

  assume_role {
    role_arn = "arn:aws-us-gov:iam::${ local.environment_vars.locals.c2_accounts["aws-us-gov"] }:role/user/mdr_terraformer"
    session_name = "terraform-c2"
  }
}
EOF
}

# Configure Terragrunt to automatically store tfstate files in an S3 bucket
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = local.global_vars.locals.remote_state_bucket
    # This key includes the terraform-0.12 directory name, which i don't like
    #key            = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/terraform.tfstate"
    key            = "aws/${path_relative_to_include()}/terraform.tfstate"
    region         = "${local.tfstate_region}"
    encrypt        = true
    dynamodb_table = "afsxdr-terraform-state"
    profile        = "${local.common_profile}"
    role_arn       = "arn:${local.aws_partition}:iam::${local.common_services_account}:role/user/mdr_terraformer"
  }
}


# ---------------------------------------------------------------------------------------------------------------------
# GLOBAL PARAMETERS
# These variables apply to all configurations in this subfolder. These are automatically merged into the child
# `terragrunt.hcl` config via the include block.
# ---------------------------------------------------------------------------------------------------------------------

# Configure root level variables that all resources can inherit. This is especially helpful with multi-account configs
# where terraform_remote_state data sources are placed directly into the modules.
inputs = merge(
  local.global_vars.locals,
  local.environment_vars.locals,
  local.partition_vars.locals,
  local.region_vars.locals,
  local.account_vars.locals,
  { # Variables created in this file that we want to pass through
    standard_tags = local.standard_tags
  }
)