diff --git a/.github/workflows/tofu-apply.yml b/.github/workflows/tofu-apply.yml
index 3b1dbdba..c6d1b8c4 100644
--- a/.github/workflows/tofu-apply.yml
+++ b/.github/workflows/tofu-apply.yml
@@ -30,6 +30,10 @@ jobs:
 include:
 - app: cdap
 env: mgmt
+ - app: cdap
+ env: prod
+ - app: cdap
+ env: test
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
diff --git a/.github/workflows/tofu-plan.yml b/.github/workflows/tofu-plan.yml
index 7431342d..3f779f85 100644
--- a/.github/workflows/tofu-plan.yml
+++ b/.github/workflows/tofu-plan.yml
@@ -26,6 +26,10 @@ jobs:
 include:
 - app: cdap
 env: mgmt
+ - app: cdap
+ env: prod
+ - app: cdap
+ env: test
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
diff --git a/terraform/backends/cdap-prod.s3.tfbackend b/terraform/backends/cdap-prod.s3.tfbackend
new file mode 100644
index 00000000..56f0cc18
--- /dev/null
+++ b/terraform/backends/cdap-prod.s3.tfbackend
@@ -0,0 +1,2 @@
+bucket = "cdap-prod-tfstate-20251230175647601000000001"
+use_lockfile = true
diff --git a/terraform/backends/cdap-test.s3.tfbackend b/terraform/backends/cdap-test.s3.tfbackend
new file mode 100644
index 00000000..d6a0917a
--- /dev/null
+++ b/terraform/backends/cdap-test.s3.tfbackend
@@ -0,0 +1,2 @@
+bucket = "cdap-test-tfstate-20251230174431053500000001"
+use_lockfile = true
diff --git a/terraform/services/github-actions-role/data.tf b/terraform/services/github-actions-role/data.tf
index 38d927fa..22e8f02d 100644
--- a/terraform/services/github-actions-role/data.tf
+++ b/terraform/services/github-actions-role/data.tf
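Review bot: The new `env: prod` matrix entry makes the apply job run `tofu apply` against the production account with exactly the job settings that were until now only exercised for `mgmt`, and nothing in this hunk shows a gate on it; the job definition starts before the hunk, so I cannot see whether it declares a protected `environment:` with required reviewers or a branch restriction. If the job does not, add `environment: ${{ matrix.env }}` (or the equivalent per-env name) and configure the `prod` environment with required reviewers before this lands, since the OIDC role the job assumes is also being widened in this commit. A one-line comment on the entry, `# prod apply is gated by the GitHub 'prod' environment protection rules`, would tell the next reader where the control lives.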
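Review bot: `cdap-prod.s3.tfbackend` pins only `bucket` and `use_lockfile`; `key`, `region` and `encrypt`/`kms_key_id` are presumably supplied on the command line, but the file is the one place an operator running `tofu init -backend-config=…` by hand will look, and state for a github-actions-role module includes the role policies. Consider adding `encrypt = true` here so a plaintext state object cannot be written if the bucket's default encryption is ever relaxed, and a comment naming the remaining settings: `# key/region are passed via -backend-config in tofu-plan.yml / tofu-apply.yml`. `use_lockfile = true` is the S3-native lock, so no DynamoDB table is needed — worth stating in the same comment since older docs still expect one.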
@@ -24,8 +24,9 @@ locals {
 ] : [],
 )

- # TODO Replace with cdap-test and cdap-prod when those environments are set up
- account_env = contains(["dev", "test"], var.env) ? "bcda-test" : "bcda-prod"
+ # TODO Drop account_env_old when we are fully migrated to cdap-test and cdap-prod
+ account_env_old = contains(["dev", "test"], var.env) ? "bcda-test" : "bcda-prod"
+ account_env = contains(["dev", "test"], var.env) ? "cdap-test" : "cdap-prod"
 }

 # KMS keys needed for IAM policy
@@ -33,10 +34,19 @@ data "aws_kms_alias" "environment_key" {
 name = "alias/${var.app}-${var.env}"
 }

+data "aws_kms_alias" "account_env_old" {
+ name = "alias/${local.account_env_old}"
+}
+
 data "aws_kms_alias" "account_env" {
 name = "alias/${local.account_env}"
 }

+data "aws_kms_alias" "account_env_secondary" {
+ provider = aws.secondary
+ name = "alias/${local.account_env}"
+}
+
 data "aws_kms_alias" "ab2d_tfstate_bucket" {
 count = var.env == "ab2d" ? 1 : 0
 name = "alias/ab2d-${var.env}-tfstate-bucket"
diff --git a/terraform/services/github-actions-role/main.tf b/terraform/services/github-actions-role/main.tf
index 2e0a73c9..8449b6c1 100644
--- a/terraform/services/github-actions-role/main.tf
+++ b/terraform/services/github-actions-role/main.tf
@@ -1,3 +1,11 @@
+module "standards" {
+ source = "github.com/CMSgov/cdap//terraform/modules/standards?ref=0bd3eeae6b03cc8883b7dbdee5f04deb33468260"
+ app = var.app
+ env = var.env
+ root_module = "https://github.com/CMSgov/cdap/tree/main/terraform/services/github-actions-role"
+ service = "github-actions-role"
+}
+
 locals {
 provider_domain = "token.actions.githubusercontent.com"
 repos = {
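Review bot: `data "aws_kms_alias" "account_env_secondary"` is an unconditional lookup of `alias/${local.account_env}` in us-west-2, so every app/env plan now fails unless that alias already exists in the secondary region of both the cdap-test and cdap-prod accounts; the app-specific lookup next to it (`ab2d_tfstate_bucket`) is guarded with `count`, this one is not. If only some environments replicate the account key, gate it the same way (`count = var.replicate_kms ? 1 : 0` or whatever the project's flag is) and splat it where the policy consumes it; otherwise document the prerequisite on the block, e.g. `# Requires the account KMS key to be replicated to us-west-2 in the target account`. `account_env_old` is a migration bridge per the TODO in the locals hunk; a matching `# TODO remove together with local.account_env_old` on this data block keeps the cleanup findable.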
@@ -274,24 +282,27 @@ data "aws_iam_policy_document" "github_actions_policy" {
 "kms:GenerateDataKey",
 "kms:GenerateDataKeyWithoutPlaintext",
 "kms:DescribeKey",
- "kms:CreateGrant"
+ "kms:CreateGrant",
+ "kms:ListResourceTags"
 ]
 resources = concat(
- [data.aws_kms_alias.environment_key.arn],
- [data.aws_kms_alias.account_env.arn],
+ [data.aws_kms_alias.environment_key.target_key_arn],
+ [data.aws_kms_alias.account_env_old.target_key_arn],
+ [data.aws_kms_alias.account_env.target_key_arn],
+ [data.aws_kms_alias.account_env_secondary.target_key_arn],
 var.app == "ab2d" ? concat(
- data.aws_kms_alias.ab2d_ecr[*].arn,
- data.aws_kms_alias.ab2d_tfstate_bucket[*].arn,
+ data.aws_kms_alias.ab2d_ecr[*].target_key_arn,
+ data.aws_kms_alias.ab2d_tfstate_bucket[*].target_key_arn,
 ) : [],
 var.app == "bcda" ? concat(
- data.aws_kms_alias.bcda_aco_creds[*].arn,
- data.aws_kms_alias.bcda_app_config[*].arn,
- data.aws_kms_alias.bcda_insights_data_sampler[*].arn,
+ data.aws_kms_alias.bcda_aco_creds[*].target_key_arn,
+ data.aws_kms_alias.bcda_app_config[*].target_key_arn,
+ data.aws_kms_alias.bcda_insights_data_sampler[*].target_key_arn,
 ) : [],
 var.app == "dpc" ? concat(
- [for key in data.aws_kms_alias.dpc_cloudwatch_keys : key.arn],
- data.aws_kms_alias.dpc_app_config[*].arn,
- data.aws_kms_alias.dpc_ecr[*].arn
+ [for key in data.aws_kms_alias.dpc_cloudwatch_keys : key.target_key_arn],
+ data.aws_kms_alias.dpc_app_config[*].target_key_arn,
+ data.aws_kms_alias.dpc_ecr[*].target_key_arn
 ) : []
 )
 }
@@ -409,6 +420,7 @@ data "aws_iam_policy_document" "github_actions_policy" {
 "s3:GetBucketOwnershipControls",
 "s3:GetBucketPolicy",
 "s3:GetBucketRequestPayment",
+ "s3:GetBucketTagging",
 "s3:GetBucketVersioning",
 "s3:GetBucketWebsite",
 "s3:GetEncryptionConfiguration",
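Review bot: The resource list in this statement now hands `kms:CreateGrant` (alongside Decrypt and GenerateDataKey) to the CI role on four keys at once — the environment key, the legacy `bcda-*` account key, the new `cdap-*` account key and its us-west-2 copy — with no condition on how grants are created; the enclosing `statement` and the `data "aws_iam_policy_document"` block begin before this hunk, so I cannot see whether a condition exists elsewhere. A CI role normally only needs `CreateGrant` so that a service (EBS, RDS, ECR, …) can use the key on its behalf, so the usual shape is to move that one action into its own statement guarded by `kms:GrantIsForAWSResource`; if this role really must mint ad hoc grants, a comment saying why belongs on the action. Switching from the alias ARN to `target_key_arn` is correct — KMS authorizes against the key ARN — and `account_env_old` deserves a short `# legacy bcda account key; remove with local.account_env_old` so it leaves with the migration.
```hcl
# … unchanged: existing KMS statement, with "kms:CreateGrant" removed from its actions …

# Grants only on behalf of an AWS service (EBS, RDS, ECR, …), never ad hoc.
statement {
  actions = ["kms:CreateGrant"]
  resources = concat(
    [data.aws_kms_alias.environment_key.target_key_arn],
    [data.aws_kms_alias.account_env_old.target_key_arn], # legacy; remove with local.account_env_old
    [data.aws_kms_alias.account_env.target_key_arn],
    [data.aws_kms_alias.account_env_secondary.target_key_arn],
    # … unchanged: the same per-app key lists as the statement above …
  )
  condition {
    test     = "Bool"
    variable = "kms:GrantIsForAWSResource"
    values   = ["true"]
  }
}
```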
@@ -420,7 +432,11 @@ data "aws_iam_policy_document" "github_actions_policy" {
 "s3:PutBucketPolicy",
 "s3:PutBucketVersioning",
 "s3:PutEncryptionConfiguration",
- "s3:PutLifecycleConfiguration"
+ "s3:PutLifecycleConfiguration",
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
 ]
 resources = ["*"]
 }
diff --git a/terraform/services/github-actions-role/terraform.tf b/terraform/services/github-actions-role/terraform.tf
index 5009a1bd..cd31a55e 100644
--- a/terraform/services/github-actions-role/terraform.tf
+++ b/terraform/services/github-actions-role/terraform.tf
@@ -1,11 +1,14 @@
 provider "aws" {
 default_tags {
- tags = {
- business = "oeda"
- code = "https://github.com/CMSgov/cdap/tree/main/terraform/services/github-actions-role"
- component = "github-actions"
- terraform = true
- }
+ tags = module.standards.default_tags
+ }
+}
+
+provider "aws" {
+ alias = "secondary"
+ region = "us-west-2"
+ default_tags {
+ tags = module.standards.default_tags
 }
 }
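Review bot: `s3:ListBucket`, `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` are appended to a statement whose `resources = ["*"]`, which makes the GitHub Actions role able to read, overwrite and delete every object in every bucket of the account — a different class of access from the bucket-configuration actions (`GetBucketTagging`, `PutBucketPolicy`, …) that were already on `*`. Presumably the intent is the OpenTofu state bucket that the new backend files point at (`cdap-prod-tfstate-…`, `cdap-test-tfstate-…`), so the four object actions should live in their own statement scoped to that bucket and its objects, and `s3:DeleteObject` should go unless state objects are actually deleted from CI. The `data "aws_iam_policy_document"` block begins before this hunk, so I cannot tell whether a state-bucket statement already exists; the `<app>-<env>-tfstate-*` pattern below is taken from the backend files and the existing `ab2d-${var.env}-tfstate-bucket` alias and needs confirming for every env.
```hcl
# … unchanged: bucket-configuration actions, resources = ["*"] …

# Object access only on this app/env's OpenTofu state bucket(s); naming follows
# terraform/backends/*.s3.tfbackend — confirm it holds for every env before merging.
statement {
  actions = [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject"
  ]
  resources = [
    "arn:aws:s3:::${var.app}-${var.env}-tfstate-*",
    "arn:aws:s3:::${var.app}-${var.env}-tfstate-*/*"
  ]
}
```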