
Improves Customer Portal

Brad Poulton 4 年 前
コミット
b5d9410eb6

+ 2 - 26
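--- a/base/customer_portal/ecr.tf
+++ b/base/customer_portal/ecr.tf
@@ -13,30 +13,6 @@ data "aws_vpc_endpoint_service" "ecr_dkr_endpoint" {
   service = "ecr.dkr"
 }
 
-# resource "aws_vpc_endpoint" "ecr_api_endpoint" {
-#   vpc_id            = var.vpc_id
-#   service_name      = data.aws_vpc_endpoint_service.ecr_api_endpoint.service_name
-#   vpc_endpoint_type = "Interface"
-
-#   subnet_ids = [ var.subnets ]
-#   security_group_ids = [ 
-#     "${aws_security_group.customer_portal_ecr.id}"
-#   ]
-#   private_dns_enabled = true 
-# }
-
-# resource "aws_vpc_endpoint" "ecr_dkr_endpoint" {
-#   vpc_id            = "${module.vpc.vpc_id}"
-#   service_name      = "${data.aws_vpc_endpoint_service.ecr_dkr_endpoint.service_name}"
-#   vpc_endpoint_type = "Interface"
-
-#   subnet_ids = [ "${module.vpc.public_subnets}" ]
-#   security_group_ids = [ 
-#     "${aws_security_group.customer_portal_ecr.id}"
-#   ]
-#   private_dns_enabled = true 
-# }
-
 resource "aws_iam_instance_profile" "portal_server_instance_profile" {
   name     = "portal_server-instance-profile"
   role     = aws_iam_role.portal_server.name
@@ -93,8 +69,8 @@ data "aws_iam_policy_document" "portal_server_ecr_policy" {
     ]
 
     resources = [
-      "arn:aws-us-gov:ecr:us-gov-east-1:701290387780:repository/portal_server",
-      "arn:aws-us-gov:ecr:us-gov-east-1:701290387780:repository/django_nginx"
+      "arn:${var.aws_partition}:ecr:${var.aws_region}:${var.common_services_account}:repository/portal_server",
+      "arn:${var.aws_partition}:ecr:${var.aws_region}:${var.common_services_account}:repository/django_nginx"
     ]
   }
 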
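Review bot: `data "aws_vpc_endpoint_service" "ecr_dkr_endpoint"` (the context at the top of the first hunk, and presumably its `ecr_api_endpoint` sibling just above it) is left without any consumer, because the only references to it were inside the commented `aws_vpc_endpoint` blocks this hunk deletes; each plan still performs the lookup for nothing. Either drop the two data sources as well or restore the endpoints. As the module now stands, image pulls from the portal instances appear to depend on the open 443 egress rule in main.tf rather than a private ECR path, which deserves a comment here, e.g. `# No ECR interface endpoints in this module; pulls from the common-services account go over the public ECR endpoint`. The data block and the policy document both start outside the hunks.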

+ 27 - 38
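--- a/base/customer_portal/elb.tf
+++ b/base/customer_portal/elb.tf
@@ -1,20 +1,3 @@
-locals {
-    #allow some users to view test portal
-    portal_test_whitelist = [
-    "12.245.107.250/32",   # DPS Office Legato
-    "12.204.167.162/32",   # DPS Office San Antonio
-    "54.86.98.62/32",      # DPS AWS User VPN
-    "75.138.227.80/32",    # Duane Waddle
-    "24.11.231.98/32",     # George Starcher
-    "99.151.37.185/32",    # Wesley Leonard
-    "70.106.200.157/32",   # John Reuther
-    "73.10.53.113/32",     # Rick Page Home
-    "50.21.207.50/32",     # Brad Poulton
-    "70.160.60.248/32",    # Brandon Naughton 
-    "99.56.213.129/32",    # Frederick Damstra
-  ]
-
-}
 
 # ---------------------------------------------------------------------------------------------------------------------
 # LOAD BALANCER FOR PORTAL
@@ -43,7 +26,7 @@ resource "aws_alb_target_group" "portal" {
 
   health_check {
     protocol = "HTTPS"
-    path    = "/"
+    path    = "/api/health/"
     matcher = "200-400"
   }
 
@@ -110,29 +93,35 @@ resource "aws_security_group" "customer_portal_alb" {
   name        = "customer_portal_alb_inbound_sg"
   description = "Allow Customer Portal ALB HTTP Traffic Inbound"
   vpc_id      = var.vpc_id
+}
 
-  ingress {
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0",  ]
-  }
+resource "aws_security_group_rule" "customer_portal_alb_https" {
+  protocol          = "tcp"
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  security_group_id = aws_security_group.customer_portal_alb.id
+  cidr_blocks       = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0",  ]
+}
 
-  #Allow viewing of test portal from home. We don't want world to view test portal. 
-  ingress {
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = flatten(local.portal_test_whitelist)
-  }
+#Allow viewing of test portal from home. We don't want world to view test portal.
+resource "aws_security_group_rule" "customer_portal_alb_https_test" {
+  protocol          = "tcp"
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  security_group_id = aws_security_group.customer_portal_alb.id
+  cidr_blocks       = flatten(var.portal_test_whitelist)
+}
 
-  ## Needed for HTTPs redirect
-  ingress {
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
-  }
+## Needed for HTTPs redirect
+resource "aws_security_group_rule" "customer_portal_alb_http" {
+  protocol          = "tcp"
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  security_group_id = aws_security_group.customer_portal_alb.id
+  cidr_blocks       = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
 }
 
 resource "aws_security_group_rule" "customer_portal_alb" {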
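Review bot: `aws_security_group_rule.customer_portal_alb_https_test` is created in every environment, not only `test`, so the personal home-IP allowlist in `var.portal_test_whitelist` is also added to the production ALB security group, where the 0.0.0.0/0 rule above it already makes it redundant; and if a non-test workspace leaves the variable empty, the provider is likely to reject a rule whose `cidr_blocks` is `[]`. Gate it on both: `count = var.environment == "test" && length(var.portal_test_whitelist) > 0 ? 1 : 0`. A `description` on each of the three new rules (e.g. `description = "Test-portal allowlist; values in portal_test_whitelist"`) would carry the intent from the .tf comments into the console, where operators actually look at the SG. Note also that the unchanged `matcher = "200-400"` treats redirects and 400s from the new `/api/health/` path as healthy; if that endpoint returns a plain 200, `matcher = "200"` would let the ALB actually detect a broken app.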

+ 0 - 9
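--- a/base/customer_portal/flowlogs.tf
+++ b/base/customer_portal/flowlogs.tf
@@ -1,9 +0,0 @@
-
-# resource "aws_flow_log" "flowlogs" {
-#   iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
-#   log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
-
-#   traffic_type    = "REJECT" # ALL is very noisy, and CIS only requires rejects.
-#   vpc_id          = var.vpc_id
-#   tags            = merge(var.standard_tags, var.tags)
-# }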

+ 9 - 125
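--- a/base/customer_portal/main.tf
+++ b/base/customer_portal/main.tf
@@ -168,14 +168,14 @@ data "template_cloudinit_config" "cloud-init" {
 
 
 #------------------------------------
-# S3 Bucket  What is this used for?
+# S3 Bucket  What is this used for? Uncomment if needed. 
 #------------------------------------
-resource "aws_s3_bucket" "customer-portal" {
-  bucket = "dps-customer-portal-${terraform.workspace}"
-  acl    = "private"
+# resource "aws_s3_bucket" "customer-portal" {
+#   bucket = "dps-customer-portal-${terraform.workspace}"
+#   acl    = "private"
 
-  tags = merge(var.standard_tags, var.tags, )
-}
+#   tags = merge(var.standard_tags, var.tags, )
+# }
 
 #------------------------------------
 # Security Groups
@@ -196,149 +196,33 @@ resource "aws_security_group_rule" "customer_portal" {
   source_security_group_id = aws_security_group.customer_portal_alb.id
 }
 
-resource "aws_security_group" "customer_portal_ecr" {
-  name        = "ecr_customer_portal"
-  description = "Allow HTTPS outbound from portal to ECR"
-  vpc_id      = var.vpc_id
-}
-
-resource "aws_security_group_rule" "customer_portal_ecr_inbound" {
-  security_group_id = aws_security_group.customer_portal_ecr.id
-
-  type                     = "ingress"
-  from_port                = 443
-  to_port                  = 443
-  protocol                 = "tcp"
-  source_security_group_id = aws_security_group.customer_portal.id
-}
-
 resource "aws_security_group_rule" "customer_portal_postgres_outbound" {
-  security_group_id = aws_security_group.customer_portal.id
-
   type                     = "egress"
   from_port                = 5432
   to_port                  = 5432
   protocol                 = "tcp"
+  security_group_id = aws_security_group.customer_portal.id
   source_security_group_id = aws_security_group.postgres.id
 }
 
-#resource "aws_security_group_rule" "customer_portal_salt_outbound" {
-#  security_group_id = aws_security_group.customer_portal.id
-#
-#  type              = "egress"
-#  from_port         = 4505
-#  to_port           = 4506
-#  protocol          = "tcp"
-#  cidr_blocks              = var.salt_master_ip
-#}
-
-#resource "aws_security_group_rule" "customer_portal_gc_salt_outbound" {
-#  security_group_id = aws_security_group.customer_portal.id
-#
-#  type                     = "egress"
-#  from_port                = 4505
-#  to_port                  = 4506
-#  protocol                 = "tcp"
-#  cidr_blocks              = var.salt_master_ip
-#}
-
-#resource "aws_security_group_rule" "customer_portal_sensu_outbound" {
-#  security_group_id = aws_security_group.customer_portal.id
-#
-#  type                     = "egress"
-#  from_port                = 8081
-#  to_port                  = 8081
-#  protocol                 = "tcp"
-#  source_security_group_id = "${data.terraform_remote_state.infra.sensu_servers_sg}"
-#}
-
 resource "aws_security_group_rule" "customer_portal_http_outbound" {
-  security_group_id = aws_security_group.customer_portal.id
-
   type        = "egress"
   from_port   = 80
   to_port     = 80
   protocol    = "tcp"
   cidr_blocks = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.customer_portal.id
 }
 
 resource "aws_security_group_rule" "customer_portal_https_outbound" {
-  security_group_id = aws_security_group.customer_portal.id
-
   type        = "egress"
   from_port   = 443
   to_port     = 443
   protocol    = "tcp"
   cidr_blocks = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.customer_portal.id
 }
 
-# resource "aws_security_group_rule" "customer_portal_hec_outbound" {
-#   security_group_id = aws_security_group.customer_portal.id
-
-#   type        = "egress"
-#   from_port   = 8088
-#   to_port     = 8088
-#   protocol    = "tcp"
-#   cidr_blocks = ["${lookup(local.workspace-default-moose-idx-cidrs,terraform.workspace,"")}"]
-  
-#   description = "Outbound to Splunk Http Event Collector"
-# }
-
-# resource "aws_security_group_rule" "customer_portal_idxc_outbound" {
-#   security_group_id = aws_security_group.customer_portal.id
-
-#   type        = "egress"
-#   from_port   = 8089
-#   to_port     = 8089
-#   protocol    = "tcp"
-#   cidr_blocks = ["10.0.0.0/8"]
-#   description = "Outbound IDXC Discovery to MOOSE"
-# }
-
-#resource "aws_security_group_rule" "customer_portal_ssh_inbound" {
-#  security_group_id = "${aws_security_group.customer_portal.id}"
-#
-#  type                     = "ingress"
-#  from_port                = 22
-#  to_port                  = 22
-#  protocol                 = "tcp"
-#  cidr_blocks              = "${ local.access-server-cidrs[terraform.workspace] }"
-#}
-
-#resource "aws_security_group_rule" "customer_portal_ssh_inbound_openvpn" {
-#  security_group_id = "${aws_security_group.customer_portal.id}"
-#
-#  type                     = "ingress"
-#  from_port                = 22
-#  to_port                  = 22
-#  protocol                 = "tcp"
-#  source_security_group_id = "${data.terraform_remote_state.infra.openvpn_servers_sg}"
-#}
-
-#resource "aws_security_group_rule" "customer_portal_outbound_tcp_dns"
-#{
-#  type = "egress"
-#  from_port = 53
-#  to_port = 53
-#  protocol = "tcp"
-#  cidr_blocks = "${local.dns-server-cidrs[terraform.workspace]}"
-#  security_group_id = "${aws_security_group.customer_portal.id}"
-#  description = "Connect to unbound servers for dns"
-#}
-
-#resource "aws_security_group_rule" "customer_portal_outbound_udp_dns"
-#{
-#  type = "egress"
-#  from_port = 53
-#  to_port = 53
-#  protocol = "udp"
-#  cidr_blocks = "${local.dns-server-cidrs[terraform.workspace]}"
-#  security_group_id = "${aws_security_group.customer_portal.id}"
-#  description = "Connect to unbound servers for dns"
-#}
-
-
-
 ### Output environment ID for purposes
 #output portal_env_id {
 #  value = "${aws_elastic_beanstalk_environment.mdr-customer-portal-env.id}"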
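Review bot: Commenting out `aws_s3_bucket.customer-portal` while it is still in state means the next `terraform apply` will try to destroy `dps-customer-portal-<workspace>`, and the adjacent comment ("What is this used for?") says nobody has established what lives in it: the destroy fails if the bucket holds objects (`force_destroy` is not set) and deletes the bucket outright if it is empty. Before merging, either confirm the bucket is empty and unused, or take it out of management with `terraform state rm aws_s3_bucket.customer-portal` so the data survives, and say which in the header comment instead of "Uncomment if needed". Separately, with `customer_portal_ecr` and its inbound rule gone, `customer_portal_https_outbound` (0.0.0.0/0 on 443) appears to be the only path left for image pulls and updates, and the port-80 rule likewise; a one-line comment on each rule stating what it is now required for, e.g. `# Public egress: ECR pulls and package repos (no VPC endpoints in this module)`, would keep the next reviewer from tightening them without realising the dependency.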

+ 1 - 0
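--- a/base/customer_portal/vars.tf
+++ b/base/customer_portal/vars.tf
@@ -12,6 +12,7 @@ variable "aws_account_id" { type = string }
 variable "common_services_account" { type = string }
 variable "proxy" { type = string }
 variable "salt_master" { type = string }
+variable "portal_test_whitelist" { type = list }
 
 variable "instance_name" {
   description = "Hostname, DNS entry, etc."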
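Review bot: `variable "portal_test_whitelist" { type = list }` accepts a list of anything, yet its value is passed straight into `cidr_blocks`; declare it as `type = list(string)`, add `description = "CIDRs allowed to reach the test portal ALB on 443; leave empty outside test"`, and give it `default = []` if non-test workspaces are not expected to set it, so a missing value fails at plan rather than at apply. The list this replaces mapped individual home addresses to named people, so whichever tfvars file now carries those values should be handled as moderately sensitive and kept out of anything world-readable.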

+ 5 - 5
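--- a/base/vault-configuration/main.tf
+++ b/base/vault-configuration/main.tf
@@ -88,15 +88,15 @@ resource "vault_auth_backend" "aws" {
 #https://github.com/terraform-providers/terraform-provider-vault/issues/689
 resource "vault_aws_auth_backend_client" "aws" {
   backend      = vault_auth_backend.aws.path
-  sts_endpoint = "https://sts.us-gov-east-1.amazonaws.com"
-  sts_region   = "us-gov-east-1"
+  sts_endpoint = "https://sts.${var.aws_region}.amazonaws.com"
+  sts_region   = var.aws_region
 }
 
 resource "vault_aws_auth_backend_role" "portal" {
   backend                         = vault_auth_backend.aws.path
   role                            = "portal"
   auth_type                       = "iam"
-  bound_iam_principal_arns        = ["arn:aws-us-gov:iam::${var.aws_account_id}:role/portal-instance-role"]
+  bound_iam_principal_arns        = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/portal-instance-role"]
   #inferred_aws_region             = "us-gov-east-1"
   token_ttl                       = 60
   token_max_ttl                   = 86400
@@ -108,7 +108,7 @@ resource "vault_aws_auth_backend_role" "portal" {
 #   backend                         = vault_auth_backend.aws.path
 #   role                            = "portal-data-sync-lambda-role"
 #   auth_type                       = "iam"
-#   bound_iam_principal_arns        = ["arn:aws-us-gov:iam::${var.aws_account_id}:role/portal-data-sync-lambda-role"]
+#   bound_iam_principal_arns        = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/portal-data-sync-lambda-role"]
 #   #inferred_aws_region             = "us-gov-east-1"
 #   token_ttl                       = 60
 #   token_max_ttl                   = 86400
@@ -120,7 +120,7 @@ resource "vault_aws_auth_backend_role" "portal" {
 #   backend                         = vault_auth_backend.aws.path
 #   role                            = "clu"
 #   auth_type                       = "iam"
-#   bound_iam_principal_arns        = ["arn:aws-us-gov:iam::{$var.aws_account_id}:role/clu-instance-role"]
+#   bound_iam_principal_arns        = ["arn:${var.aws_partition}:iam::{$var.aws_account_id}:role/clu-instance-role"]
 #   token_ttl                       = 60
 #   token_max_ttl                   = 86400
 #   token_policies                  = ["clu"]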
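Review bot: The commented-out `clu` role still reads `{$var.aws_account_id}` in the last hunk — the `$` and `{` are transposed, so if this block is ever uncommented `bound_iam_principal_arns` would hold the literal text `{$var.aws_account_id}` and the role would bind to an ARN no principal can match (a silent deny rather than an error). Since this commit already touches that line, fix it now: `bound_iam_principal_arns = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/clu-instance-role"]`. The `sts_endpoint` built from `var.aws_region` is right for the commercial and GovCloud partitions but not universally (the China partition uses a different domain suffix), so a comment such as `# Assumes an amazonaws.com partition; adjust if aws_partition is aws-cn` next to it would record the assumption alongside the new `aws_partition` variable. The `vault_aws_auth_backend_role.portal` block continues outside the hunk.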