AFS
/
xdr-terraform-live


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250
							# ---------------------------------------------------------------------------------------------------------------------
# Global Variables and Terragrunt Configuration
# ---------------------------------------------------------------------------------------------------------------------
# This file takes care of the global variables. These are settings that should apply to ALL environments: prod, test,
# *AND* common, across both partitions (govcloud and commercial)
# 
# It also takes care of setting up:
#   The provider file
#     * A default provider for the account you're in
#     * A 'commercial' provider alias for the common services account in commercial
#     * A 'govcloud' provider alias for the common services account in govcloud
#   The backend file
#     * 

# ---------------------------------------------------------------------------------------------------------------------
# Variables
# ---------------------------------------------------------------------------------------------------------------------
locals {
  # Globally ignore the checks for tfsec
  ignored_tfsec = [
    "aws-iam-no-policy-wildcards", # We use wildcards in policies
    "aws-lambda-enable-tracing", # We do not enable X-Ray Tracing for Lambda
    "aws-s3-enable-bucket-logging", # TODO: We do not currently log s3 access. We should. MSOCI-
  ]

  # Automatically load account-level variables
  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))

  # Automatically load region-level variables
  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))

  # Automatically load partitiot-level variables
  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))

  # Automatically load environment-level variables
  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))

  # Automatically load global-level variables
  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))

  # Extract the variables we need for easy access
  account_name            = local.account_vars.locals.account_name
  account_id              = local.account_vars.locals.aws_account_id
  aws_region              = local.region_vars.locals.aws_region
  aws_partition           = local.partition_vars.locals.aws_partition
  common_services_account = local.partition_vars.locals.common_services_account
  legacy_account          = local.environment_vars.locals.legacy_account
  tfstate_region          = local.partition_vars.locals.tfstate_region

  common_profile = local.partition_vars.locals.common_profile

  # variables created here are available to *.hcl files in this hierarchy, but are not
  # automatically sent via inputs to the modules. Put global variables in global.hcl
  # 
  # (Conversely, inputs are not automatically available to the hcl files)
}

# ---------------------------------------------------------------------------------------------------------------------
# Apply Static Code Analysis
#   - 2022-04-23 - MSOCI-2143 - Comment out until ready
# ---------------------------------------------------------------------------------------------------------------------
# OS X Users, run:
#   brew install lint
#   brew install tfsec
#   brew install checkov

# This can remain uncommented. The file won't hurt anything.
generate "tflint_configuration" {
  path      = "tflint.hcl"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
plugin "aws" {
    enabled = true
    version = "0.15.0"
    source  = "github.com/terraform-linters/tflint-ruleset-aws"
    deep_check = true
}
EOF
}

# uncomment the following to enable static code analysis
terraform {
  before_hook "tflintinit" {
    commands = ["plan", "apply"]
    execute = [
      "tflint",
      "--config=tflint.hcl",
      "--init"
    ]
  }

  before_hook "tflint" {
    commands = ["plan", "apply"]
    execute = [
      "tflint",
      "--config=tflint.hcl",
      ".",
    ]
  }

  before_hook "tfsec" {
    commands = ["plan", "apply"]
    execute = [
      "tfsec",
      "--concise-output",
      "--exclude", join(",", local.ignored_tfsec),
    ]
  }

#  before_hook "checkov" {
#    commands = ["plan", "apply"]
#    execute = [
#      "checkov",
#      "-d", ".",
#      "--quiet",
#      "--framework", "terraform",
#      "--skip-check", "CKV_AWS_150", # We do not enable deletion protection for LBs
#    ]
#  }
}

# ---------------------------------------------------------------------------------------------------------------------
# Generate a required providers block
# -- Allows override on a per-module basis
# ---------------------------------------------------------------------------------------------------------------------
generate "required_providers" {
  path      = "required_provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.22.0" # 2022-07-21: Upgrade from 4.4.0; 2022-03-08: upgrade from 3.63.0
    }
    vault = {
      source  = "hashicorp/vault"
      version = "3.8.0" # 2022-07-28: upgrade from 3.4.1; 2022-04-08: upgrade from 2.19.1
    }
    sensu = {
      source  = "jtopjian/sensu"
      version = "0.12.1" # 2022-04-06: upgrade from 0.10.5
    }
  }
}
EOF
}

# ---------------------------------------------------------------------------------------------------------------------
# Generate an AWS provider block
# ---------------------------------------------------------------------------------------------------------------------
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
provider "template" {
}

provider "aws" {
  region = "${local.aws_region}"

  assume_role {
    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
    session_name = "terraform-default"
  }
  
  profile = "${local.common_profile}"

  # Only these AWS Account IDs may be operated on by this template
  allowed_account_ids = ["${local.account_id}"]
}

# The "common" provider in the respective partition is always available
provider "aws" {
  region = "${local.aws_region}"
  allowed_account_ids = [ "471284459109", "701290387780" ]
  profile = "${local.common_profile}"
  alias   = "common"

  assume_role {
    role_arn = "arn:${local.aws_partition}:iam::${local.common_services_account}:role/user/mdr_terraformer"
    session_name = "terraform-common"
  }
}

# The "mdr-common-services-commercial" provider is used for public DNS entries
provider "aws" {
  region = "us-east-1"
  allowed_account_ids = [ "471284459109" ]
  profile = "commercial"
  alias   = "mdr-common-services-commercial"

  assume_role {
    role_arn = "arn:aws:iam::471284459109:role/user/mdr_terraformer"
    session_name = "terraform-mdr-common-services-commercial"
  }
}

# The "C2" provider, used for private DNS
provider "aws" {
  region = "us-gov-east-1"
  allowed_account_ids = [ "721817724804", "738800754746" ]
  profile = "govcloud"
  alias   = "c2"
  use_fips_endpoint = true

  assume_role {
    role_arn = "arn:aws-us-gov:iam::${local.environment_vars.locals.c2_accounts["aws-us-gov"]}:role/user/mdr_terraformer"
    session_name = "terraform-c2"
  }
}
EOF
}

# Configure Terragrunt to automatically store tfstate files in an S3 bucket
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket = local.global_vars.locals.remote_state_bucket
    # This key includes the terraform-0.12 directory name, which i don't like
    #key            = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/terraform.tfstate"
    key            = "aws/${path_relative_to_include()}/terraform.tfstate"
    region         = "${local.tfstate_region}"
    encrypt        = true
    dynamodb_table = "afsxdr-terraform-state"
    profile        = "${local.common_profile}"
    role_arn       = "arn:${local.aws_partition}:iam::${local.common_services_account}:role/user/mdr_terraformer"
  }
}


# ---------------------------------------------------------------------------------------------------------------------
# GLOBAL PARAMETERS
# These variables apply to all configurations in this subfolder. These are automatically merged into the child
# `terragrunt.hcl` config via the include block.
# ---------------------------------------------------------------------------------------------------------------------

# Configure root level variables that all resources can inherit. This is especially helpful with multi-account configs
# where terraform_remote_state data sources are placed directly into the modules.
inputs = merge(
  local.global_vars.locals,
  local.environment_vars.locals,
  local.partition_vars.locals,
  local.region_vars.locals,
  local.account_vars.locals,
)