cloud-gov · jameshochadel · Sep 16, 2024 · Sep 10, 2024 · Sep 11, 2024 · Sep 11, 2024
@@ -126,7 +126,7 @@ jobs:
             trigger: true
       - task: terraform-plan-external-development
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &external-development-params
           TERRAFORM_ACTION: plan
           STACK_NAME: external-development
@@ -163,7 +163,7 @@ jobs:
             passed: [plan-external-development]
       - task: terraform-apply-external-development
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *external-development-params
           TERRAFORM_ACTION: apply
@@ -185,7 +185,7 @@ jobs:
             trigger: true
       - task: terraform-plan-external-staging
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &external-staging-params
           TERRAFORM_ACTION: plan
           STACK_NAME: external-staging
@@ -222,7 +222,7 @@ jobs:
             passed: [plan-external-staging]
       - task: terraform-apply-external-staging
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *external-staging-params
           TERRAFORM_ACTION: apply
@@ -244,7 +244,7 @@ jobs:
             trigger: true
       - task: terraform-plan-external-production
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &external-production-params
           TERRAFORM_ACTION: plan
           STACK_NAME: external-production
@@ -272,7 +272,7 @@ jobs:
             passed: [plan-external-production]
       - task: terraform-apply-external-production
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *external-production-params
           TERRAFORM_ACTION: apply
@@ -294,7 +294,7 @@ jobs:
             trigger: true
       - task: plan-dns
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &dns-params
           TERRAFORM_ACTION: plan
           STACK_NAME: dns
@@ -319,7 +319,7 @@ jobs:
             passed: [plan-dns]
       - task: terraform-apply-dns
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *dns-params
           TERRAFORM_ACTION: apply
@@ -335,7 +335,7 @@ jobs:
       - task: terraform-plan-tooling
         tags: [iaas]
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &tooling-params
           TERRAFORM_ACTION: plan
           STACK_NAME: tooling
@@ -412,7 +412,7 @@ jobs:
       - task: terraform-apply-tooling
         tags: [iaas]
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *tooling-params
           TERRAFORM_ACTION: apply
@@ -470,7 +470,7 @@ jobs:
       - task: terraform-plan-development
         tags: [iaas]
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &development-params
           TERRAFORM_ACTION: plan
           STACK_NAME: development
@@ -537,7 +537,7 @@ jobs:
           TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
           TF_VAR_cidr_blocks: ((cidr_blocks))
           TF_VAR_domains_lbgroup_count: 2
-          TF_VAR_waf_regex_rules: '((development_waf_regex_rules))'
+          TF_VAR_waf_regex_rules: "((development_waf_regex_rules))"
           TF_VAR_aws_lb_listener_ssl_policy: "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04"
       - *notify-slack
 
@@ -552,7 +552,7 @@ jobs:
       - task: terraform-apply-development
         tags: [iaas]
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *development-params
           TERRAFORM_ACTION: apply
@@ -646,7 +646,7 @@ jobs:
       - task: terraform-plan-staging
         tags: [iaas]
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &staging-params
           TERRAFORM_ACTION: plan
           STACK_NAME: staging
@@ -711,7 +711,7 @@ jobs:
           TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
           TF_VAR_cidr_blocks: ((cidr_blocks))
           TF_VAR_domains_lbgroup_count: 3
-          TF_VAR_waf_regex_rules: '((staging_waf_regex_rules))'
+          TF_VAR_waf_regex_rules: "((staging_waf_regex_rules))"
           TF_VAR_aws_lb_listener_ssl_policy: "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04"
       - *notify-slack
 
@@ -725,7 +725,7 @@ jobs:
       - task: terraform-apply-staging
         tags: [iaas]
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *staging-params
           TERRAFORM_ACTION: apply
@@ -818,7 +818,7 @@ jobs:
       - task: terraform-plan-production
         tags: [iaas]
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &production-params
           TERRAFORM_ACTION: plan
           STACK_NAME: production
@@ -883,7 +883,7 @@ jobs:
           TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
           TF_VAR_cidr_blocks: ((cidr_blocks))
           TF_VAR_domains_lbgroup_count: 4
-          TF_VAR_waf_regex_rules: '((production_waf_regex_rules))'
+          TF_VAR_waf_regex_rules: "((production_waf_regex_rules))"
       - *notify-slack
 
   - name: apply-production
@@ -896,7 +896,7 @@ jobs:
       - task: terraform-apply-production
         tags: [iaas]
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *production-params
           TERRAFORM_ACTION: apply
@@ -986,7 +986,7 @@ jobs:
             trigger: true
       - task: terraform-plan-ecr
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &tf-ecr
           TERRAFORM_ACTION: plan
           TEMPLATE_SUBDIR: terraform/stacks/ecr
@@ -1005,7 +1005,7 @@ jobs:
             passed: [plan-ecr]
       - task: terraform-apply-ecr
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *tf-ecr
           TERRAFORM_ACTION: apply
@@ -1020,7 +1020,7 @@ jobs:
             trigger: true
       - task: terraform-plan-concourse-staging
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &tf-concourse-staging
           TERRAFORM_ACTION: plan
           TEMPLATE_SUBDIR: terraform/stacks/concourse
@@ -1043,7 +1043,7 @@ jobs:
             passed: [plan-concourse-staging]
       - task: terraform-apply-concourse-staging
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *tf-concourse-staging
           TERRAFORM_ACTION: apply
@@ -1058,7 +1058,7 @@ jobs:
             trigger: true
       - task: terraform-plan-concourse-production
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params: &tf-concourse-production
           TERRAFORM_ACTION: plan
           TEMPLATE_SUBDIR: terraform/stacks/concourse
@@ -1081,7 +1081,7 @@ jobs:
             passed: [plan-concourse-production]
       - task: terraform-apply-concourse-production
         file: pipeline-tasks/terraform-apply.yml
-        input_mapping: {terraform-templates: cg-provision-repo}
+        input_mapping: { terraform-templates: cg-provision-repo }
         params:
           <<: *tf-concourse-production
           TERRAFORM_ACTION: apply
@@ -1831,4 +1831,4 @@ resource_types:
       aws_secret_access_key: ((ecr_aws_secret))
       repository: concourse-http-jq-resource
       aws_region: us-gov-west-1
-      tag: latest
+      tag: latest
@@ -3,3 +3,11 @@
 Resources related to the Cloud Service Broker.
 
 See also https://github.com/cloud-gov/csb.
+
+## Why two modules?
+
+The `iam` module contains the IAM policy that the broker uses to deploy resources on behalf of customers. This is distinct from the IAM policy in the `broker` module used by Cloud Foundry to pull the CSB image. Some brokerpaks must create resources in AWS Commercial, so both a Commercial and a GovCloud IAM user must be created. They are managed in a separate module for the following reasons:
+
+- To support deploying them to two separate partitions using two providers, without forcing the rest of the broker resources to specify `provider=`, since they will only ever be deployed to GovCloud.
+- To keep the policies together in the codebase, since they are related. (We could have split up the CSB resources by GovCloud vs Commercial, but the brokerpak-related policies would no longer all be in one place.)
+- To maintain a dedicated space for the policies, which are expected to grow as we add more brokerpaks.
@@ -17,3 +17,24 @@ module "db" {
   rds_allow_major_version_upgrade = var.rds_allow_major_version_upgrade
   rds_apply_immediately           = var.rds_apply_immediately
 }
+
+data "terraform_remote_state" "ecr" {
+  backend = "s3"
+
+  config = {
+    bucket = var.remote_state_bucket
+    region = var.remote_state_region
+    key    = "${var.ecr_stack_name}/terraform.tfstate"
+  }
+}
+
+locals {
+  csb_ecr_repository_arn = data.terraform_remote_state.ecr.outputs.repository_arns["csb"]
+}
+
+// A user with ECR pull permissions so Cloud Foundry can pull the CSB image.
+module "ecr_user" {
+  source         = "../../iam_user/ecr_pull_user"
+  username       = "csb-ecr-${var.stack_description}"
+  repository_arn = local.csb_ecr_repository_arn
+}
@@ -0,0 +1,46 @@
+output "ecr_user_username" {
+  value = module.ecr_user.username
+}
+
+output "ecr_user_access_key_id_curr" {
+  value = module.ecr_user.access_key_id_curr
+}
+
+output "ecr_user_secret_access_key_curr" {
+  value     = module.ecr_user.secret_access_key_curr
+  sensitive = true
+}
+
+output "ecr_user_access_key_id_prev" {
+  value = module.ecr_user.access_key_id_prev
+}
+
+output "ecr_user_secret_access_key_prev" {
+  value     = module.ecr_user.secret_access_key_prev
+  sensitive = true
+}
+
+output "rds_host" {
+  value = module.db.rds_host
+}
+
+output "rds_port" {
+  value = module.db.rds_port
+}
+
+output "rds_url" {
+  value = module.db.rds_url
+}
+
+output "rds_name" {
+  value = module.db.rds_name
+}
+
+output "rds_username" {
+  value = module.db.rds_username
+}
+
+output "rds_password" {
+  value     = module.db.rds_password
+  sensitive = true
+}
@@ -3,6 +3,19 @@ variable "stack_description" {
   description = "Like development, staging, or production."
 }
 
+variable "remote_state_bucket" {
+  type = string
+}
+
+variable "remote_state_region" {
+  type = string
+}
+
+variable "ecr_stack_name" {
+  type        = string
+  description = "The name of the stack that configures ECR."
+}
+
 # RDS variables
 
 variable "rds_instance_type" {

@@ -5,5 +5,9 @@ terraform {
       source  = "hashicorp/aws"
       version = "< 6.0.0"
     }
+    cloudfoundry = {
+      source  = "cloudfoundry-community/cloudfoundry"
+      version = "< 1.0"
+    }
   }
 }
@@ -7,7 +7,8 @@ output "access_key_id_prev" {
 }
 
 output "secret_access_key_prev" {
-  value = ""
+  value     = ""
+  sensitive = true
 }
 
 output "access_key_id_curr" {

@@ -0,0 +1,21 @@
+output "username" {
+  value = var.username
+}
+
+output "access_key_id_prev" {
+  value = ""
+}
+
+output "secret_access_key_prev" {
+  value     = ""
+  sensitive = true
+}
+
+output "access_key_id_curr" {
+  value = aws_iam_access_key.iam_access_key_v3.id
+}
+
+output "secret_access_key_curr" {
+  value     = aws_iam_access_key.iam_access_key_v3.secret
+  sensitive = true
+}
@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+        "ecr:GetAuthorizationToken"
+      ],
+      "Resource": "${repository_arn}"
+    }
+  ]
+}