diff --git a/.eslintrc.json b/.eslintrc.json
index e0803fa3b..807004da1 100644
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -1,9 +1,4 @@
 {
- "settings": {
- "import/resolver": {
- "typescript": {} // this loads /tsconfig.json to eslint
- }
- },
 "extends": [
 "eslint:recommended",
 "plugin:@typescript-eslint/recommended",
@@ -14,6 +9,30 @@
 "plugin:sonarjs/recommended-legacy",
 "plugin:unicorn/recommended"
 ],
+ "overrides": [
+ {
+ "files": [
+ "*.js"
+ ],
+ "rules": {
+ "@typescript-eslint/no-require-imports": "off",
+ "@typescript-eslint/no-var-requires": "off",
+ "global-require": "off",
+ "unicorn/prefer-module": "off"
+ }
+ },
+ {
+ "files": [
+ "*.{test,spec}.{ts,tsx}"
+ ],
+ "rules": {
+ "max-classes-per-file": "off",
+ "sonarjs/no-nested-functions": "off",
+ "unicorn/consistent-function-scoping": "off",
+ "unicorn/no-useless-undefined": "off"
+ }
+ }
+ ],
 "plugins": [
 "@typescript-eslint",
 "html",
@@ -26,42 +45,18 @@
 "unicorn"
 ],
 "rules": {
- "no-restricted-syntax": "off",
- "consistent-return": "off",
- "prettier/prettier": "error",
- "unicorn/prevent-abbreviations": "off",
- "unicorn/filename-case": [
- "error",
- {
- "case": "kebabCase",
- "ignore": [
- ".tsx"
- ]
- }
- ],
- "import/prefer-default-export": "off",
- "import/extensions": "off",
- "no-shadow": "off",
 "@typescript-eslint/no-shadow": "error",
 "@typescript-eslint/no-unused-vars": [
 "error",
 {
- "ignoreRestSiblings": true,
 "argsIgnorePattern": "^_",
+ "ignoreRestSiblings": true,
 "varsIgnorePattern": "^_"
 }
 ],
- "security/detect-object-injection": "off",
- "sonarjs/no-duplicate-string": "off",
- "sonarjs/todo-tag": "off",
- "no-param-reassign": "off",
- "no-useless-constructor": "off",
- "sonarjs/no-small-switch": "off",
- "sonarjs/no-unused-vars": "off",
- "unicorn/no-null": "off",
- "prefer-regex-literals": "off",
 "class-methods-use-this": "off",
- "no-underscore-dangle": "off",
+ "consistent-return": "off",
+ "import/extensions": "off",
 "import/no-extraneous-dependencies": [
 "error",
 {
@@ -73,32 +68,36 @@
 ]
 }
 ],
+ "import/prefer-default-export": "off",
 "no-empty-function": "off",
+ "no-param-reassign": "off",
+ "no-restricted-syntax": "off",
+ "no-shadow": "off",
+ "no-underscore-dangle": "off",
+ "no-useless-constructor": "off",
+ "prefer-regex-literals": "off",
+ "prettier/prettier": "error",
+ "security/detect-object-injection": "off",
+ "sonarjs/no-duplicate-string": "off",
+ "sonarjs/no-small-switch": "off",
+ "sonarjs/no-unused-vars": "off",
+ "sonarjs/todo-tag": "off",
+ "unicorn/filename-case": [
+ "error",
+ {
+ "case": "kebabCase",
+ "ignore": [
+ ".tsx"
+ ]
+ }
+ ],
+ "unicorn/no-null": "off",
 "unicorn/prefer-module": "off",
- "sonarjs/todo-tag": "off"
+ "unicorn/prevent-abbreviations": "off"
 },
- "overrides": [
- {
- "files": [
- "*.js"
- ],
- "rules": {
- "@typescript-eslint/no-var-requires": "off",
- "@typescript-eslint/no-require-imports": "off",
- "unicorn/prefer-module": "off",
- "global-require": "off"
- }
- },
- {
- "files": [
- "*.{test,spec}.{ts,tsx}"
- ],
- "rules": {
- "unicorn/no-useless-undefined": "off",
- "unicorn/consistent-function-scoping": "off",
- "max-classes-per-file": "off",
- "sonarjs/no-nested-functions": "off"
- }
+ "settings": {
+ "import/resolver": {
+ "typescript": {}
 }
- ]
+ }
 }
diff --git a/.github/workflows/pr_closed.yaml b/.github/workflows/pr_closed.yaml
index ac90f8c3f..2f7a6f73f 100644
--- a/.github/workflows/pr_closed.yaml
+++ b/.github/workflows/pr_closed.yaml
@@ -60,7 +60,9 @@ jobs:
 --targetEnvironment "main" \
 --targetAccountGroup "nhs-notify-template-management-dev" \
 --targetComponent "${{ matrix.component }}" \
- --terraformAction "apply"
+ --terraformAction "apply" \
+ --overrideProjectName "nhs" \
+ --overrideRoleName "nhs-main-acct-template-mgmt-github-deploy"
 check-event-schemas-version-change: name: Check for event schemas package version change
diff --git a/.github/workflows/pr_create_dynamic_env.yaml b/.github/workflows/pr_create_dynamic_env.yaml
index 5457b7977..33acad812 100644
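Review bot: The relocated `"settings"` block at the end of this hunk drops the explanation the removed block carried, so the empty `"typescript": {}` resolver entry is now unexplained. ESLint's legacy JSON config loader strips comments, so the note can travel with the key; I would restore it on the new line as `"typescript": {} // this loads /tsconfig.json to eslint`. This hunk also removes the second `"sonarjs/todo-tag": "off"` entry, which the old file listed twice (once here and once in the earlier rules hunk), so the change is a de-duplication as well as a sort and is worth a sentence in the commit message.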
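Review bot: The added `--overrideProjectName "nhs"` and `--overrideRoleName "nhs-main-acct-template-mgmt-github-deploy"` are string literals repeated verbatim here and in the pr_create_dynamic_env.yaml, pr_destroy_dynamic_env.yaml and stage-4-acceptance.yaml hunks, so the principal every Terraform run assumes is now pinned in four places that can drift independently. Consider lifting both values into a repository variable or a workflow-level `env:` entry referenced from each step, so a rename or rotation of the deploy role is a one-line change. Because this commit also deletes the `acct` component, including the `github_deploy_overload` policy that enumerated the permissions granted to the previous deploy role, it is worth confirming that the override role is scoped at least as tightly and recording that in a short comment above the step; I infer the link between the two changes from the deletions further down and cannot confirm it from this hunk. The enclosing `run:` step begins above the hunk.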
--- a/.github/workflows/pr_create_dynamic_env.yaml
+++ b/.github/workflows/pr_create_dynamic_env.yaml
@@ -31,4 +31,6 @@ jobs:
 --targetComponent "branch" \
 --targetAccountGroup "nhs-notify-template-management-dev" \
 --terraformAction "apply" \
- --overrides "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
+ --overrides "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+ --overrideProjectName "nhs" \
+ --overrideRoleName "nhs-main-acct-template-mgmt-github-deploy"
diff --git a/.github/workflows/pr_destroy_dynamic_env.yaml b/.github/workflows/pr_destroy_dynamic_env.yaml
index 9aecf4e00..4d42fd3e8 100644
--- a/.github/workflows/pr_destroy_dynamic_env.yaml
+++ b/.github/workflows/pr_destroy_dynamic_env.yaml
@@ -31,7 +31,9 @@ jobs:
 --targetEnvironment "pr${{ github.event.number }}" \
 --targetComponent "branch" \
 --targetAccountGroup "nhs-notify-template-management-dev" \
- --terraformAction "destroy"
+ --terraformAction "destroy" \
+ --overrideProjectName "nhs" \
+ --overrideRoleName "nhs-main-acct-template-mgmt-github-deploy"
 sandbox-tear-down: name: Destroy Sandbox Environment
diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml
index 903658572..a4cd0238c 100644
--- a/.github/workflows/stage-4-acceptance.yaml
+++ b/.github/workflows/stage-4-acceptance.yaml
@@ -31,7 +31,9 @@ jobs:
 --targetEnvironment "pr${{ inputs.pr_number }}" \
 --targetAccountGroup "nhs-notify-template-management-dev" \
 --targetComponent "sandbox" \
- --terraformAction "apply"
+ --terraformAction "apply" \
+ --overrideProjectName "nhs" \
+ --overrideRoleName "nhs-main-acct-template-mgmt-github-deploy"
 - name: Trigger Acceptance Tests shell: bash
diff --git a/.gitleaksignore b/.gitleaksignore
index c19df47e3..76fe6a1c9 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -7,3 +7,4 @@ b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:15
 b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:25
 bc79df4f82052918ae6bf69d36279e5dd391d61e:tests/test-team/auth/user.json:jwt:15
 bc79df4f82052918ae6bf69d36279e5dd391d61e:tests/test-team/auth/user.json:jwt:25
+306d9ec55d3498b86d5506da9a90ac486fc66563:frontend/src/components/molecules/MessagePlanFallbackConditions/MessagePlanFallbackConditions.tsx:ipv4:92
diff --git a/.prettierrc.json b/.prettierrc.json
index 2b0ce4c01..05791348c 100644
--- a/.prettierrc.json
+++ b/.prettierrc.json
@@ -1,12 +1,12 @@
 {
- "trailingComma": "es5",
- "semi": true,
- "tabWidth": 2,
- "singleQuote": true,
- "jsxSingleQuote": true,
- "quoteProps": "as-needed",
 "arrowParens": "always",
 "bracketSpacing": true,
 "endOfLine": "lf",
- "printWidth": 80
+ "jsxSingleQuote": true,
+ "printWidth": 80,
+ "quoteProps": "as-needed",
+ "semi": true,
+ "singleQuote": true,
+ "tabWidth": 2,
+ "trailingComma": "es5"
 }
diff --git a/frontend/.eslintrc.json b/frontend/.eslintrc.json
index 2e58b8093..e7036f117 100644
--- a/frontend/.eslintrc.json
+++ b/frontend/.eslintrc.json
@@ -6,18 +6,18 @@
 ],
 "rules": {
 "react/display-name": "off",
- "react/react-in-jsx-scope": "off",
- "react/jsx-filename-extension": "off",
- "react/jsx-props-no-spreading": "off",
 "react/function-component-definition": "off",
+ "react/jsx-filename-extension": "off",
+ "react/jsx-no-bind": "off",
 "react/jsx-no-useless-fragment": [
 "error",
 {
 "allowExpressions": true
 }
 ],
+ "react/jsx-props-no-spreading": "off",
 "react/no-danger": "off",
- "react/require-default-props": "off",
- "react/jsx-no-bind": "off"
+ "react/react-in-jsx-scope": "off",
+ "react/require-default-props": "off"
 }
 }
diff --git a/frontend/public/lib/assets/icons/icon-arrow-left.svg b/frontend/public/lib/assets/icons/icon-arrow-left.svg
index fc9ec1642..d370ebe25 100644
--- a/frontend/public/lib/assets/icons/icon-arrow-left.svg
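Review bot: The new fingerprint suppresses an `ipv4` finding at line 92 of MessagePlanFallbackConditions.tsx without recording why that value is safe to keep in source; the existing `jwt` entries share the gap, but this is the first suppression pointing at application code rather than a test-auth fixture. A fingerprint is bound to commit `306d9ec5…`, the path and the line, so once a later commit touches that line the entry stops matching and the finding resurfaces for a reviewer who lacks today's context. I would add a line above it such as `# <reason the address on line 92 is not sensitive, e.g. documentation/example address> — placeholder, fill in` (a leading `#` comment line is accepted by current gitleaks releases; confirm against the version pinned in this repository's pre-commit or CI config). If the value is only needed by the component's tests, moving it into a test fixture would remove the need for a suppression entirely, but I cannot tell from the hunk what the address is used for.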
+++ b/frontend/public/lib/assets/icons/icon-arrow-left.svg @@ -3,4 +3,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-arrow-right-circle.svg b/frontend/public/lib/assets/icons/icon-arrow-right-circle.svg index 70331a8ff..8bc786eed 100644 --- a/frontend/public/lib/assets/icons/icon-arrow-right-circle.svg +++ b/frontend/public/lib/assets/icons/icon-arrow-right-circle.svg @@ -4,4 +4,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-arrow-right.svg b/frontend/public/lib/assets/icons/icon-arrow-right.svg index 44357e4b3..ee4cd5a6c 100644 --- a/frontend/public/lib/assets/icons/icon-arrow-right.svg +++ b/frontend/public/lib/assets/icons/icon-arrow-right.svg @@ -3,4 +3,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-chevron-left.svg b/frontend/public/lib/assets/icons/icon-chevron-left.svg index 133ed7823..4d2f2ffcc 100644 --- a/frontend/public/lib/assets/icons/icon-chevron-left.svg +++ b/frontend/public/lib/assets/icons/icon-chevron-left.svg @@ -3,4 +3,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-chevron-right.svg b/frontend/public/lib/assets/icons/icon-chevron-right.svg index 9ee356e4e..b3a3a170b 100644 --- a/frontend/public/lib/assets/icons/icon-chevron-right.svg +++ b/frontend/public/lib/assets/icons/icon-chevron-right.svg @@ -3,4 +3,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-close.svg b/frontend/public/lib/assets/icons/icon-close.svg index caa5154f4..6bf2ea65f 100644 --- a/frontend/public/lib/assets/icons/icon-close.svg +++ b/frontend/public/lib/assets/icons/icon-close.svg @@ -3,4 +3,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-cross.svg b/frontend/public/lib/assets/icons/icon-cross.svg index 3b1d4b071..17d1e6883 100644 --- a/frontend/public/lib/assets/icons/icon-cross.svg 
+++ b/frontend/public/lib/assets/icons/icon-cross.svg @@ -6,4 +6,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-emdash-small.svg b/frontend/public/lib/assets/icons/icon-emdash-small.svg index 7e959e9a8..36b20550f 100644 --- a/frontend/public/lib/assets/icons/icon-emdash-small.svg +++ b/frontend/public/lib/assets/icons/icon-emdash-small.svg @@ -1,3 +1,3 @@ \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-emdash.svg b/frontend/public/lib/assets/icons/icon-emdash.svg index c8593cd28..60adf9572 100644 --- a/frontend/public/lib/assets/icons/icon-emdash.svg +++ b/frontend/public/lib/assets/icons/icon-emdash.svg @@ -1,3 +1,3 @@ \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-minus.svg b/frontend/public/lib/assets/icons/icon-minus.svg index 852ceb9f2..62d03a3bd 100644 --- a/frontend/public/lib/assets/icons/icon-minus.svg +++ b/frontend/public/lib/assets/icons/icon-minus.svg @@ -2,4 +2,4 @@ height="34" width="34"> - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-plus.svg b/frontend/public/lib/assets/icons/icon-plus.svg index 0df723a6f..fa3814e81 100644 --- a/frontend/public/lib/assets/icons/icon-plus.svg +++ b/frontend/public/lib/assets/icons/icon-plus.svg @@ -3,4 +3,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-search.svg b/frontend/public/lib/assets/icons/icon-search.svg index 96f5993eb..44b68a388 100644 --- a/frontend/public/lib/assets/icons/icon-search.svg +++ b/frontend/public/lib/assets/icons/icon-search.svg @@ -3,4 +3,4 @@ - \ No newline at end of file + diff --git a/frontend/public/lib/assets/icons/icon-tick.svg b/frontend/public/lib/assets/icons/icon-tick.svg index 3ce7e0275..8fd5e6c0b 100644 --- a/frontend/public/lib/assets/icons/icon-tick.svg +++ b/frontend/public/lib/assets/icons/icon-tick.svg @@ -1,4 +1,4 @@ \ No newline at end of file + 
diff --git a/infrastructure/terraform/components/acct/.tool-versions b/infrastructure/terraform/components/acct/.tool-versions deleted file mode 100644 index 3dd74c722..000000000 --- a/infrastructure/terraform/components/acct/.tool-versions +++ /dev/null @@ -1 +0,0 @@ -terraform 1.10.1 diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md deleted file mode 100644 index 1bbb943b7..000000000 --- a/infrastructure/terraform/components/acct/README.md +++ /dev/null 
@@ -1,62 +0,0 @@ - - - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.10.1 | -| [aws](#requirement\_aws) | ~> 5.50 | -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes | -| [budget\_amount](#input\_budget\_amount) | The budget amount in USD for the account | `number` | `500` | no | -| [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"acct"` | no | -| [cost\_alarm\_recipients](#input\_cost\_alarm\_recipients) | A list of email addresses to receive alarm notifications | `list(string)` | `[]` | no | -| [cost\_anomaly\_threshold](#input\_cost\_anomaly\_threshold) | The threshold percentage for cost anomaly detection | `number` | `10` | no | -| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | -| [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes | -| [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes | -| [initial\_cli\_secrets\_provision\_override](#input\_initial\_cli\_secrets\_provision\_override) | A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules. | `map(string)` | `{}` | no | -| [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no | -| [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the account (across all environments) |
map(object({
enable_polling = bool
default_supplier = optional(bool)
}))
| `{}` | no | -| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no | -| [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `""` | no | -| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes | -| [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes | -| [region](#input\_region) | The AWS Region | `string` | n/a | yes | -| [root\_domain\_name](#input\_root\_domain\_name) | The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk | `string` | `"nonprod.nhsnotify.national.nhs.uk"` | no | -| [support\_sandbox\_environments](#input\_support\_sandbox\_environments) | Does this account support dev sandbox environments? | `bool` | `false` | no | -| [vpc\_cidr](#input\_vpc\_cidr) | n/a | `string` | `"10.0.0.0/16"` | no | -| [vpc\_subnet\_cidr\_bits](#input\_vpc\_subnet\_cidr\_bits) | Number of additional bits to use for subnetting the VPC CIDR block. The bits are evently distributed |
object({
public = number
private = number
})
|
{
"private": 3,
"public": 12
}
| no | -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [kms\_sandbox](#module\_kms\_sandbox) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a | -| [obs\_datasource](#module\_obs\_datasource) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-obs-datasource.zip | n/a | -| [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a | -| [s3bucket\_artefacts](#module\_s3bucket\_artefacts) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a | -| [s3bucket\_artefacts\_us\_east\_1](#module\_s3bucket\_artefacts\_us\_east\_1) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a | -| [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a | -| [s3bucket\_data\_migration\_backups](#module\_s3bucket\_data\_migration\_backups) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a | -| [sandbox\_ses](#module\_sandbox\_ses) | ../../modules/ses | n/a | -| [ses\_testing](#module\_ses\_testing) | ../../modules/acct-ses-testing | n/a | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.19.0 | -## Outputs - -| Name | Description | -|------|-------------| -| [dns\_zone](#output\_dns\_zone) | n/a | -| [github\_pat\_ssm\_param\_name](#output\_github\_pat\_ssm\_param\_name) | n/a | -| [log\_subscription\_role\_arn](#output\_log\_subscription\_role\_arn) | n/a | -| [s3\_buckets](#output\_s3\_buckets) | n/a | -| [ses\_testing\_config](#output\_ses\_testing\_config) | n/a | -| [vpc\_nat\_ips](#output\_vpc\_nat\_ips) | n/a | -| 
[vpc\_subnets](#output\_vpc\_subnets) | n/a | - - - diff --git a/infrastructure/terraform/components/acct/api_gateway_account_global.tf b/infrastructure/terraform/components/acct/api_gateway_account_global.tf deleted file mode 100644 index 5cf36d5cf..000000000 --- a/infrastructure/terraform/components/acct/api_gateway_account_global.tf +++ /dev/null @@ -1,3 +0,0 @@ -resource "aws_api_gateway_account" "global" { - cloudwatch_role_arn = aws_iam_role.apigateway_logging.arn -} diff --git a/infrastructure/terraform/components/acct/budgets_budget.tf b/infrastructure/terraform/components/acct/budgets_budget.tf deleted file mode 100644 index 6a253fa5c..000000000 --- a/infrastructure/terraform/components/acct/budgets_budget.tf +++ /dev/null @@ -1,31 +0,0 @@ -resource "aws_budgets_budget" "main" { - name = "${local.csi}-monthly-budget" - budget_type = "COST" - limit_amount = var.budget_amount - limit_unit = "USD" - time_unit = "MONTHLY" - - notification { - comparison_operator = "GREATER_THAN" - notification_type = "FORECASTED" - threshold = 100 - threshold_type = "PERCENTAGE" - subscriber_sns_topic_arns = [aws_sns_topic.costs.arn] - } - - notification { - comparison_operator = "GREATER_THAN" - notification_type = "ACTUAL" - threshold = 100 - threshold_type = "PERCENTAGE" - subscriber_sns_topic_arns = [aws_sns_topic.costs.arn] - } - - notification { - comparison_operator = "GREATER_THAN" - notification_type = "ACTUAL" - threshold = 85 - threshold_type = "PERCENTAGE" - subscriber_sns_topic_arns = [aws_sns_topic.costs.arn] - } -} diff --git a/infrastructure/terraform/components/acct/cloudwatch_event_rule_aws_backup_errors.tf b/infrastructure/terraform/components/acct/cloudwatch_event_rule_aws_backup_errors.tf deleted file mode 100644 index 7c56a72ee..000000000 --- a/infrastructure/terraform/components/acct/cloudwatch_event_rule_aws_backup_errors.tf +++ /dev/null 
@@ -1,51 +0,0 @@ -resource "aws_cloudwatch_event_rule" "aws_backup_errors" { - name = "${local.csi}-aws-backup-errors" - description = "Forwards AWS Backup state changes to Custom Event Bus in Observability Account" - - event_pattern = jsonencode({ - source = ["aws.backup"], - "detail-type" = ["Backup Job State Change", "Restore Job State Change", "Copy Job State Change"], - detail = { - state = ["FAILED", "ABORTED"] - } - }) -} - -resource "aws_cloudwatch_event_target" "aws_backup_errors" { - rule = aws_cloudwatch_event_rule.aws_backup_errors.name - arn = local.event_bus_arn - role_arn = aws_iam_role.aws_backup_errors.arn -} - -resource "aws_iam_role" "aws_backup_errors" { - name = "${local.csi}-aws-backup-errors" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [{ - Effect = "Allow", - Principal = { - Service = "events.amazonaws.com" - }, - Action = "sts:AssumeRole" - }] - }) -} - -resource "aws_iam_policy" "aws_backup_errors" { - name = "${local.csi}-aws-backup-errors" - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [{ - Effect = "Allow", - Action = "events:PutEvents", - Resource = local.event_bus_arn - }] - }) -} - -resource "aws_iam_role_policy_attachment" "aws_backup_errors" { - role = aws_iam_role.aws_backup_errors.name - policy_arn = aws_iam_policy.aws_backup_errors.arn -} diff --git a/infrastructure/terraform/components/acct/cloudwatch_event_rule_cloudwatch_alarms.tf b/infrastructure/terraform/components/acct/cloudwatch_event_rule_cloudwatch_alarms.tf deleted file mode 100644 index c453eac59..000000000 --- a/infrastructure/terraform/components/acct/cloudwatch_event_rule_cloudwatch_alarms.tf +++ /dev/null 
@@ -1,48 +0,0 @@ -resource "aws_cloudwatch_event_rule" "cloudwatch_alarms" { - name = "${local.csi}-cloudwatch-alarm-fowarding" - description = "Forwards CloudWatch Alarm state changes to Custom Event Bus in Observability Account" - - event_pattern = jsonencode({ - "source" = ["aws.cloudwatch"], - "detail-type" = ["CloudWatch Alarm State Change"] - }) -} - -resource "aws_cloudwatch_event_target" "cloudwatch_alarms" { - rule = aws_cloudwatch_event_rule.cloudwatch_alarms.name - arn = local.event_bus_arn - role_arn = aws_iam_role.cloudwatch_alarms.arn -} - -resource "aws_iam_role" "cloudwatch_alarms" { - name = "${local.csi}-cloudwatch-alarms" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [{ - Effect = "Allow", - Principal = { - Service = "events.amazonaws.com" - }, - Action = "sts:AssumeRole" - }] - }) -} - -resource "aws_iam_policy" "cloudwatch_alarms" { - name = "${local.csi}-cloudwatch-alarms" - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [{ - Effect = "Allow", - Action = "events:PutEvents", - Resource = local.event_bus_arn - }] - }) -} - -resource "aws_iam_role_policy_attachment" "cloudwatch_alarms" { - role = aws_iam_role.cloudwatch_alarms.name - policy_arn = aws_iam_policy.cloudwatch_alarms.arn -} diff --git a/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf b/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf deleted file mode 100644 index e30e2087f..000000000 --- a/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf +++ /dev/null 
@@ -1,37 +0,0 @@ -resource "aws_cloudwatch_log_group" "aws_route53_query_log" { - provider = aws.us-east-1 # Route53 query logging must be in us-east-1 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log - - name = "/aws/route53/${local.csi}" - retention_in_days = var.log_retention_in_days -} - -resource "aws_cloudwatch_log_resource_policy" "route53_query_logging_policy" { - provider = aws.us-east-1 # Route53 query logging must be in us-east-1 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log - - policy_document = data.aws_iam_policy_document.route53_logs.json - policy_name = "${local.csi}-route53-query-logging-policy" -} - -data "aws_iam_policy_document" "route53_logs" { - statement { - effect = "Allow" - - principals { - type = "Service" - - identifiers = [ - "route53.amazonaws.com" - ] - } - - actions = [ - "logs:CreateLogStream", - "logs:PutLogEvents", - ] - - resources = [ - aws_cloudwatch_log_group.aws_route53_query_log.arn, - "${aws_cloudwatch_log_group.aws_route53_query_log.arn}:*" - ] - } -} diff --git a/infrastructure/terraform/components/acct/cost_anomaly_monitor.tf b/infrastructure/terraform/components/acct/cost_anomaly_monitor.tf deleted file mode 100644 index 986336a91..000000000 --- a/infrastructure/terraform/components/acct/cost_anomaly_monitor.tf +++ /dev/null 
@@ -1,28 +0,0 @@ -resource "aws_ce_anomaly_monitor" "anomaly_monitor" { - name = "${local.csi}-anomaly-monitor" - monitor_type = "DIMENSIONAL" - monitor_dimension = "SERVICE" -} - -resource "aws_ce_anomaly_subscription" "realtime_subscription" { - name = "${local.csi}-realtime-subscription" - frequency = "IMMEDIATE" - threshold_expression { - dimension { - key = "ANOMALY_TOTAL_IMPACT_PERCENTAGE" - values = [var.cost_anomaly_threshold] - match_options = ["GREATER_THAN_OR_EQUAL"] - } - } - monitor_arn_list = [ - aws_ce_anomaly_monitor.anomaly_monitor.arn, - ] - - subscriber { - type = "SNS" - address = aws_sns_topic.costs.arn - } - depends_on = [ - aws_sns_topic_policy.costs, - ] -} diff --git a/infrastructure/terraform/components/acct/data_availability_zones_available.tf b/infrastructure/terraform/components/acct/data_availability_zones_available.tf deleted file mode 100644 index 87d8f4820..000000000 --- a/infrastructure/terraform/components/acct/data_availability_zones_available.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "aws_availability_zones" "available" { - state = "available" -} diff --git a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf deleted file mode 100644 index 9e6f097d8..000000000 --- a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf +++ /dev/null 
@@ -1,58 +0,0 @@ -resource "aws_iam_policy" "github_deploy_overload" { - name = "${local.csi}-github-deploy-overload" - description = "Overloads the github permission to perform build actions for services in this account" - policy = data.aws_iam_policy_document.github_deploy.json -} - -resource "aws_iam_role_policy_attachment" "github_deploy_overload" { - role = local.bootstrap.iam_github_deploy_role["name"] - policy_arn = aws_iam_policy.github_deploy_overload.arn -} - -#trivy:ignore:aws-iam-no-policy-wildcards Policy voilation expected for CI user role -data "aws_iam_policy_document" "github_deploy" { - statement { - effect = "Allow" - - actions = [ - "amplify:*", - "apigateway:*", - "appsync:*", - "backup:*", - "backup-storage:*", - "cloudformation:*", - "cloudfront:*", - "cognito-idp:*", - "firehose:*", - "logs:*", - "oam:*", - "pipes:*", - "ses:*", - "sns:*", - "sqs:*", - ] - resources = ["*"] - } - - statement { - effect = "Allow" - - actions = [ - "ec2:AllocateAddress", - "ec2:Associate*", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroup*", - "ec2:Create*", - "ec2:Delete*", - "ec2:Describe*", - "ec2:DetachInternetGateway", - "ec2:Disassociate*", - "ec2:ModifySubnet*", - "ec2:ModifyVpc*", - "ec2:ReleaseAddress", - "ec2:Replace*", - "ec2:Revoke*", - ] - resources = ["*"] - } -} diff --git a/infrastructure/terraform/components/acct/iam_role_apigateway_logging.tf b/infrastructure/terraform/components/acct/iam_role_apigateway_logging.tf deleted file mode 100644 index ad47a59fa..000000000 --- a/infrastructure/terraform/components/acct/iam_role_apigateway_logging.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -resource "aws_iam_role" "apigateway_logging" { - name = "${local.csi}-logging" - description = "Role used by API Gateway to write logs" - assume_role_policy = data.aws_iam_policy_document.apigateway_assumerole.json -} - -data "aws_iam_policy_document" "apigateway_assumerole" { - statement { - sid = "ApigAssumeRole" - effect = "Allow" - - actions = [ - "sts:AssumeRole", - ] - - principals { - type = "Service" - - identifiers = [ - "apigateway.amazonaws.com" - ] - } - } -} - -resource "aws_iam_role_policy_attachment" "apigateway_logging" { - role = aws_iam_role.apigateway_logging.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" -} diff --git a/infrastructure/terraform/components/acct/locals.tf b/infrastructure/terraform/components/acct/locals.tf deleted file mode 100644 index 2e97f3ab7..000000000 --- a/infrastructure/terraform/components/acct/locals.tf +++ /dev/null @@ -1,20 +0,0 @@ -locals { - event_bus_arn = "arn:aws:events:eu-west-2:${var.observability_account_id}:event-bus/nhs-main-acct-alerts-bus" - - # VPC Subnet Maths (Equally devise a number of subnets across the availble AZs from a provided supernet) - required_bits_public = ceil(log(length(data.aws_availability_zones.available.names), 2)) - required_bits_private = ceil(log(length(data.aws_availability_zones.available.names), 2)) - - public_subnet_cidrs = [ - for az_index, az in data.aws_availability_zones.available.names : - cidrsubnet(var.vpc_cidr, max(var.vpc_subnet_cidr_bits.public, local.required_bits_public), az_index) - ] - - private_subnet_cidrs = [ - for az_index, az in data.aws_availability_zones.available.names : - cidrsubnet(var.vpc_cidr, max(var.vpc_subnet_cidr_bits.private, local.required_bits_private), az_index + length(data.aws_availability_zones.available.names)) - ] - - mock_letter_supplier_name = "WTMMOCK" - use_sftp_letter_supplier_mock = lookup(var.letter_suppliers, local.mock_letter_supplier_name, null) != null -} 
diff --git a/infrastructure/terraform/components/acct/locals_remote_state.tf b/infrastructure/terraform/components/acct/locals_remote_state.tf deleted file mode 100644 index cd59a7c1c..000000000 --- a/infrastructure/terraform/components/acct/locals_remote_state.tf +++ /dev/null @@ -1,21 +0,0 @@ -locals { - bootstrap = data.terraform_remote_state.bootstrap.outputs -} - -data "terraform_remote_state" "bootstrap" { - backend = "s3" - - config = { - bucket = local.terraform_state_bucket - - key = format( - "%s/%s/%s/%s/bootstrap.tfstate", - var.project, - var.aws_account_id, - "eu-west-2", - "bootstrap" - ) - - region = "eu-west-2" - } -} diff --git a/infrastructure/terraform/components/acct/locals_tfscaffold.tf b/infrastructure/terraform/components/acct/locals_tfscaffold.tf deleted file mode 100644 index b7cf32178..000000000 --- a/infrastructure/terraform/components/acct/locals_tfscaffold.tf +++ /dev/null @@ -1,44 +0,0 @@ -locals { - terraform_state_bucket = format( - "%s-tfscaffold-%s-%s", - var.project, - var.aws_account_id, - var.region, - ) - - csi = replace( - format( - "%s-%s-%s", - var.project, - var.environment, - var.component, - ), - "_", - "", - ) - - # CSI for use in resources with a global namespace, i.e. S3 Buckets - csi_global = replace( - format( - "%s-%s-%s-%s-%s", - var.project, - var.aws_account_id, - var.region, - var.environment, - var.component, - ), - "_", - "", - ) - - default_tags = merge( - var.default_tags, - { - Project = var.project - Environment = var.environment - Component = var.component - Group = var.group - Name = local.csi - }, - ) -} diff --git a/infrastructure/terraform/components/acct/module_obs_datasource.tf b/infrastructure/terraform/components/acct/module_obs_datasource.tf deleted file mode 100644 index 1ea6a31ea..000000000 --- a/infrastructure/terraform/components/acct/module_obs_datasource.tf +++ /dev/null 
@@ -1,14 +0,0 @@ -module "obs_datasource" { - source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-obs-datasource.zip" - - name = "obs-datasource" - - aws_account_id = var.aws_account_id - region = var.region - project = var.project - environment = var.environment - component = var.component - - oam_sink_id = var.oam_sink_id - observability_account_id = var.observability_account_id -} diff --git a/infrastructure/terraform/components/acct/module_s3bucket_access_logs.tf b/infrastructure/terraform/components/acct/module_s3bucket_access_logs.tf deleted file mode 100644 index 7916d8465..000000000 --- a/infrastructure/terraform/components/acct/module_s3bucket_access_logs.tf +++ /dev/null 
@@ -1,146 +0,0 @@ -module "s3bucket_access_logs" { - source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip" - - name = "access-logs" - - aws_account_id = var.aws_account_id - region = var.region - project = var.project - environment = var.environment - component = var.component - - acl = "private" - force_destroy = false - versioning = true - - lifecycle_rules = [ - { - enabled = true - - noncurrent_version_transition = [ - { - noncurrent_days = "30" - storage_class = "STANDARD_IA" - } - ] - - noncurrent_version_expiration = { - noncurrent_days = "90" - } - - abort_incomplete_multipart_upload = { - days = "1" - } - } - ] - - policy_documents = [ - data.aws_iam_policy_document.s3bucket_access_logs.json - ] - - public_access = { - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - } - - - default_tags = { - Name = "S3 bucket access logs" - } -} - -data "aws_iam_policy_document" "s3bucket_access_logs" { - statement { - sid = "DontAllowNonSecureConnection" - effect = "Deny" - - actions = [ - "s3:*", - ] - - resources = [ - module.s3bucket_access_logs.arn, - "${module.s3bucket_access_logs.arn}/*", - ] - - principals { - type = "AWS" - - identifiers = [ - "*", - ] - } - - condition { - test = "Bool" - variable = "aws:SecureTransport" - - values = [ - "false", - ] - } - } - - statement { - sid = "AllowManagedAccountsToList" - effect = "Allow" - - actions = [ - "s3:ListBucket", - ] - - resources = [ - module.s3bucket_access_logs.arn, - ] - - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root" - ] - } - } - - statement { - sid = "AllowManagedAccountsToGet" - effect = "Allow" - - actions = [ - "s3:GetObject", - ] - - resources = [ - "${module.s3bucket_access_logs.arn}/*", - ] - - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root" - ] - } - } - - statement { - sid = 
"AllowS3AccessLogging" - effect = "Allow" - - actions = [ - "s3:PutObject", - ] - - resources = [ - "${module.s3bucket_access_logs.arn}/*", - ] - - principals { - type = "Service" - - identifiers = [ - "logging.s3.amazonaws.com", - ] - } - } -} diff --git a/infrastructure/terraform/components/acct/module_s3bucket_artefacts.tf b/infrastructure/terraform/components/acct/module_s3bucket_artefacts.tf deleted file mode 100644 index c3ecc54eb..000000000 --- a/infrastructure/terraform/components/acct/module_s3bucket_artefacts.tf +++ /dev/null 
@@ -1,130 +0,0 @@ -module "s3bucket_artefacts" { - source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip" - - name = "artefacts" - - aws_account_id = var.aws_account_id - region = var.region - project = var.project - environment = var.environment - component = var.component - - acl = "private" - force_destroy = false - versioning = true - - lifecycle_rules = [ - { - prefix = "" - enabled = true - - noncurrent_version_transition = [ - { - noncurrent_days = "30" - storage_class = "STANDARD_IA" - } - ] - - noncurrent_version_expiration = { - noncurrent_days = "90" - } - - abort_incomplete_multipart_upload = { - days = "1" - } - } - ] - - policy_documents = [ - data.aws_iam_policy_document.s3bucket_artefacts.json - ] - - bucket_logging_target = { - bucket = module.s3bucket_access_logs.id - } - - public_access = { - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - } - - - default_tags = { - Name = "Artefact bucket" - } -} - -data "aws_iam_policy_document" "s3bucket_artefacts" { - statement { - sid = "DontAllowNonSecureConnection" - effect = "Deny" - - actions = [ - "s3:*", - ] - - resources = [ - module.s3bucket_artefacts.arn, - "${module.s3bucket_artefacts.arn}/*", - ] - - principals { - type = "AWS" - - identifiers = [ - "*", - ] - } - - condition { - test = "Bool" - variable = "aws:SecureTransport" - - values = [ - "false", - ] - } - } - - statement { - sid = "AllowManagedAccountsToList" - effect = "Allow" - - actions = [ - "s3:ListBucket", - ] - - resources = [ - module.s3bucket_artefacts.arn, - ] - - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root" - ] - } - } - - statement { - sid = "AllowManagedAccountsToGet" - effect = "Allow" - - actions = [ - "s3:GetObject", - ] - - resources = [ - "${module.s3bucket_artefacts.arn}/*", - ] - - principals { - type = "AWS" - identifiers = [ - 
"arn:aws:iam::${var.aws_account_id}:root" - ] - } - } -} diff --git a/infrastructure/terraform/components/acct/module_s3bucket_artefacts_us_east_1.tf b/infrastructure/terraform/components/acct/module_s3bucket_artefacts_us_east_1.tf deleted file mode 100644 index 9f6d3078d..000000000 --- a/infrastructure/terraform/components/acct/module_s3bucket_artefacts_us_east_1.tf +++ /dev/null 
@@ -1,130 +0,0 @@ -module "s3bucket_artefacts_us_east_1" { - source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip" - - providers = { - aws = aws.us-east-1 - } - - name = "artefacts" - - aws_account_id = var.aws_account_id - region = "us-east-1" - project = var.project - environment = var.environment - component = var.component - - acl = "private" - force_destroy = false - versioning = true - - lifecycle_rules = [ - { - prefix = "" - enabled = true - - noncurrent_version_transition = [ - { - noncurrent_days = "30" - storage_class = "STANDARD_IA" - } - ] - - noncurrent_version_expiration = { - noncurrent_days = "90" - } - - abort_incomplete_multipart_upload = { - days = "1" - } - } - ] - - policy_documents = [ - data.aws_iam_policy_document.s3bucket_artefacts_us_east_1.json - ] - - public_access = { - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - } - - - default_tags = { - Name = "Artefact bucket" - } -} - -data "aws_iam_policy_document" "s3bucket_artefacts_us_east_1" { - statement { - sid = "DontAllowNonSecureConnection" - effect = "Deny" - - actions = [ - "s3:*", - ] - - resources = [ - module.s3bucket_artefacts_us_east_1.arn, - "${module.s3bucket_artefacts_us_east_1.arn}/*", - ] - - principals { - type = "AWS" - - identifiers = [ - "*", - ] - } - - condition { - test = "Bool" - variable = "aws:SecureTransport" - - values = [ - "false", - ] - } - } - - statement { - sid = "AllowManagedAccountsToList" - effect = "Allow" - - actions = [ - "s3:ListBucket", - ] - - resources = [ - module.s3bucket_artefacts_us_east_1.arn, - ] - - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root" - ] - } - } - - statement { - sid = "AllowManagedAccountsToGet" - effect = "Allow" - - actions = [ - "s3:GetObject", - ] - - resources = [ - "${module.s3bucket_artefacts_us_east_1.arn}/*", - ] - - principals { - type = "AWS" 
- identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root" - ] - } - } -} diff --git a/infrastructure/terraform/components/acct/module_s3bucket_backup_reports.tf b/infrastructure/terraform/components/acct/module_s3bucket_backup_reports.tf deleted file mode 100644 index 92a9933fe..000000000 --- a/infrastructure/terraform/components/acct/module_s3bucket_backup_reports.tf +++ /dev/null 
@@ -1,149 +0,0 @@ -module "s3bucket_backup_reports" { - source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip" - - name = "backup-reports" - - aws_account_id = var.aws_account_id - region = var.region - project = var.project - environment = var.environment - component = var.component - - acl = "private" - force_destroy = false - versioning = true - - lifecycle_rules = [ - { - enabled = true - - noncurrent_version_transition = [ - { - noncurrent_days = "30" - storage_class = "STANDARD_IA" - } - ] - - noncurrent_version_expiration = { - noncurrent_days = "90" - } - - abort_incomplete_multipart_upload = { - days = "1" - } - } - ] - - policy_documents = [ - data.aws_iam_policy_document.s3bucket_backup_reports.json - ] - - bucket_logging_target = { - bucket = module.s3bucket_access_logs.id - } - - public_access = { - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - } - - - default_tags = { - Name = "AWS Backup Reports for enabled environments" - } -} - -data "aws_iam_policy_document" "s3bucket_backup_reports" { - statement { - sid = "DontAllowNonSecureConnection" - effect = "Deny" - - actions = [ - "s3:*", - ] - - resources = [ - module.s3bucket_backup_reports.arn, - "${module.s3bucket_backup_reports.arn}/*", - ] - - principals { - type = "AWS" - - identifiers = [ - "*", - ] - } - - condition { - test = "Bool" - variable = "aws:SecureTransport" - - values = [ - "false", - ] - } - } - - statement { - sid = "AllowManagedAccountsToList" - effect = "Allow" - - actions = [ - "s3:ListBucket", - ] - - resources = [ - module.s3bucket_backup_reports.arn, - ] - - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root" - ] - } - } - - statement { - sid = "AllowManagedAccountsToGet" - effect = "Allow" - - actions = [ - "s3:GetObject", - ] - - resources = [ - "${module.s3bucket_backup_reports.arn}/*", - ] - - principals { 
- type = "AWS" - identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root" - ] - } - } - - statement { - effect = "Allow" - actions = ["s3:PutObject"] - resources = [ - "${module.s3bucket_backup_reports.arn}/*", - ] - - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.aws_account_id}:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"] - } - condition { - test = "StringEquals" - variable = "s3:x-amz-acl" - values = [ - "bucket-owner-full-control" - ] - } - } -} diff --git a/infrastructure/terraform/components/acct/module_s3bucket_data_migration_backups.tf b/infrastructure/terraform/components/acct/module_s3bucket_data_migration_backups.tf deleted file mode 100644 index da7fc22a0..000000000 --- a/infrastructure/terraform/components/acct/module_s3bucket_data_migration_backups.tf +++ /dev/null 
@@ -1,105 +0,0 @@ -module "s3bucket_data_migration_backups" { - source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip" - - name = "migration-backup" - - aws_account_id = var.aws_account_id - region = var.region - project = var.project - environment = var.environment - component = var.component - - acl = "private" - force_destroy = false - versioning = true - - lifecycle_rules = [ - { - enabled = true - - expiration = { - days = 90 - } - - noncurrent_version_expiration = { - noncurrent_days = 14 - } - } - ] - - policy_documents = [ - data.aws_iam_policy_document.s3bucket_data_migration_backups.json - ] - - bucket_logging_target = { - bucket = module.s3bucket_access_logs.id - } - - public_access = { - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - } - - - default_tags = { - Name = "Data migration backups" - } -} - -data "aws_iam_policy_document" "s3bucket_data_migration_backups" { - statement { - sid = "DontAllowNonSecureConnection" - effect = "Deny" - - actions = [ - "s3:*", - ] - - resources = [ - module.s3bucket_data_migration_backups.arn, - "${module.s3bucket_data_migration_backups.arn}/*", - ] - - principals { - type = "AWS" - - identifiers = [ - "*", - ] - } - - condition { - test = "Bool" - variable = "aws:SecureTransport" - - values = [ - "false", - ] - } - } - - statement { - sid = "AllowManagedAccountFullAccess" - effect = "Allow" - - actions = [ - "s3:ListBucket", - "s3:GetObject", - "s3:PutObject" - ] - - resources = [ - "${module.s3bucket_data_migration_backups.arn}", - "${module.s3bucket_data_migration_backups.arn}/*", - ] - - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${var.aws_account_id}:root" - ] - } - } -} diff --git a/infrastructure/terraform/components/acct/module_sandbox_kms.tf b/infrastructure/terraform/components/acct/module_sandbox_kms.tf deleted file mode 100644 index a0536a247..000000000 
--- a/infrastructure/terraform/components/acct/module_sandbox_kms.tf
+++ /dev/null
@@ -1,172 +0,0 @@ -module "kms_sandbox" { - source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip" - - providers = { - aws = aws - aws.us-east-1 = aws.us-east-1 - } - - count = var.support_sandbox_environments ? 1 : 0 - - aws_account_id = var.aws_account_id - component = var.component - environment = var.environment - project = var.project - region = var.region - - name = "sandbox" - deletion_window = var.kms_deletion_window - alias = "alias/${local.csi}-sandbox" - iam_delegation = true - - key_policy_documents = [data.aws_iam_policy_document.kms.json] -} - -data "aws_iam_policy_document" "kms" { - # '*' resource scope is permitted in access policies as as the resource is itself - # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html - - statement { - sid = "AllowCloudWatchEncrypt" - effect = "Allow" - - principals { - type = "Service" - - identifiers = [ - "logs.${var.region}.amazonaws.com", - ] - } - - actions = [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ] - - resources = [ - "*", - ] - - condition { - test = "ArnLike" - variable = "kms:EncryptionContext:aws:logs:arn" - - values = [ - "arn:aws:logs:${var.region}:${var.aws_account_id}:log-group:*", - ] - } - } - - statement { - sid = "AllowS3" - effect = "Allow" - - principals { - type = "Service" - - identifiers = [ - "s3.amazonaws.com", - ] - } - - actions = [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ] - - resources = [ - "*", - ] - } - - statement { - sid = "AllowSES" - effect = "Allow" - - principals { - type = "Service" - - identifiers = [ - "ses.amazonaws.com", - ] - } - - actions = [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ] - - resources = [ - "*", - ] - } - - statement { - sid = "AllowLogDeliveryEncrypt" - effect = "Allow" - - principals { - 
type = "Service" - - identifiers = [ - "delivery.logs.amazonaws.com" - ] - } - - actions = [ - "kms:Decrypt", - "kms:GenerateDataKey*", - ] - - resources = [ - "*", - ] - - condition { - test = "StringLike" - variable = "kms:EncryptionContext:SourceArn" - - values = [ - "arn:aws:logs:${var.region}:${var.aws_account_id}:*", - ] - } - } - - statement { - sid = "AllowEventBridgeAccessToLetterValidationQueue" - effect = "Allow" - - principals { - type = "Service" - identifiers = ["events.amazonaws.com"] - } - - actions = [ - "kms:GenerateDataKey*", - "kms:Decrypt", - ] - - resources = ["*"] - - condition { - test = "ArnLike" - variable = "kms:EncryptionContext:aws:sqs:arn" - values = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"] - } - - condition { - test = "ArnLike" - variable = "aws:SourceArn" - values = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"] - } - } -} diff --git a/infrastructure/terraform/components/acct/module_sandbox_ses.tf b/infrastructure/terraform/components/acct/module_sandbox_ses.tf deleted file mode 100644 index bf7c1331f..000000000 --- a/infrastructure/terraform/components/acct/module_sandbox_ses.tf +++ /dev/null @@ -1,15 +0,0 @@ -module "sandbox_ses" { - source = "../../modules/ses" - - count = var.support_sandbox_environments ? 1 : 0 - - aws_account_id = var.aws_account_id - region = var.region - project = var.project - environment = var.environment - component = var.component - - root_domain_name = "sandbox.${aws_route53_zone.main.name}" - - zone_id = aws_route53_zone.main.id -} diff --git a/infrastructure/terraform/components/acct/module_ses_testing.tf b/infrastructure/terraform/components/acct/module_ses_testing.tf deleted file mode 100644 index fdb297f92..000000000 --- a/infrastructure/terraform/components/acct/module_ses_testing.tf +++ /dev/null 
@@ -1,17 +0,0 @@
-module "ses_testing" {
- count = local.use_sftp_letter_supplier_mock && var.support_sandbox_environments ? 1 : 0
-
- source = "../../modules/acct-ses-testing"
-
- project = var.project
- component = var.component
- aws_account_id = var.aws_account_id
- environment = var.environment
- group = var.group
- region = var.region
-
- zone_id = aws_route53_zone.main.id
- root_domain_name = "sandbox.${aws_route53_zone.main.name}"
-
- kms_key_arn = module.kms_sandbox.0.key_arn
-}
diff --git a/infrastructure/terraform/components/acct/module_vpc.tf b/infrastructure/terraform/components/acct/module_vpc.tf
deleted file mode 100644
index 81f50d809..000000000
--- a/infrastructure/terraform/components/acct/module_vpc.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "5.19.0"
-
- name = local.csi
- cidr = var.vpc_cidr
-
- azs = data.aws_availability_zones.available.names
- public_subnets = local.public_subnet_cidrs
- private_subnets = local.private_subnet_cidrs
-
- enable_nat_gateway = true
- single_nat_gateway = true
-
- create_database_subnet_group = false
- create_elasticache_subnet_group = false
- create_redshift_subnet_group = false
-
- manage_default_vpc = false
- manage_default_network_acl = false
- manage_default_route_table = false
- manage_default_security_group = false
-
- private_subnet_tags = {
- Subnet = "Private"
- }
-}
diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf
deleted file mode 100644
index 17b97e9d0..000000000
--- a/infrastructure/terraform/components/acct/outputs.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-output "dns_zone" {
- value = {
- id = aws_route53_zone.main.id
- name = aws_route53_zone.main.name
- nameservers = aws_route53_zone.main.name_servers
- }
-}
-
-output "github_pat_ssm_param_name" {
- value = aws_ssm_parameter.github_pat.name
-}
-
-output "s3_buckets" {
- value = {
- access_logs = {
- arn = module.s3bucket_access_logs.arn
- bucket = module.s3bucket_access_logs.bucket
- id = module.s3bucket_access_logs.id
- }
- artefacts = {
- arn = module.s3bucket_artefacts.arn
- bucket = module.s3bucket_artefacts.bucket
- id = module.s3bucket_artefacts.id
- }
- artefacts_us_east_1 = {
- arn = module.s3bucket_artefacts_us_east_1.arn
- bucket = module.s3bucket_artefacts_us_east_1.bucket
- id = module.s3bucket_artefacts_us_east_1.id
- }
- backup_reports = {
- arn = module.s3bucket_backup_reports.arn
- bucket = module.s3bucket_backup_reports.bucket
- id = module.s3bucket_backup_reports.id
- }
- }
-}
-
-output "vpc_subnets" {
- value = {
- public = module.vpc.public_subnets
- private = module.vpc.private_subnets
- }
-}
-
-output "vpc_nat_ips" {
- value = module.vpc.nat_public_ips
-}
-
-output "log_subscription_role_arn" {
- value = module.obs_datasource.log_subscription_role_arn
-}
-
-output "ses_testing_config" {
- value = try({
- bucket_name = module.ses_testing.0.bucket_name
- iam_role_arn = module.ses_testing.0.iam_role_arn
- rule_set_name = module.ses_testing.0.rule_set_name
- }, null)
-}
diff --git a/infrastructure/terraform/components/acct/provider_aws.tf b/infrastructure/terraform/components/acct/provider_aws.tf
deleted file mode 100644
index d694811e5..000000000
--- a/infrastructure/terraform/components/acct/provider_aws.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-provider "aws" {
- region = var.region
-
- allowed_account_ids = [
- var.aws_account_id,
- ]
-
- default_tags {
- tags = local.default_tags
- }
-}
-
-provider "aws" {
- alias = "us-east-1"
- region = "us-east-1"
-
- default_tags {
- tags = local.default_tags
- }
-
- allowed_account_ids = [
- var.aws_account_id,
- ]
-}
diff --git a/infrastructure/terraform/components/acct/route53_delegation_set.tf b/infrastructure/terraform/components/acct/route53_delegation_set.tf
deleted file mode 100644
index 9e4aeecfa..000000000
--- a/infrastructure/terraform/components/acct/route53_delegation_set.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-resource "aws_route53_delegation_set" "main" {
- reference_name = "templates.${var.root_domain_name}"
-}
diff --git a/infrastructure/terraform/components/acct/route53_query_log.tf b/infrastructure/terraform/components/acct/route53_query_log.tf
deleted file mode 100644
index 305ebb444..000000000
--- a/infrastructure/terraform/components/acct/route53_query_log.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-resource "aws_route53_query_log" "main" {
- zone_id = aws_route53_zone.main.zone_id
-
- cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_query_log.arn
-
- depends_on = [
- aws_cloudwatch_log_resource_policy.route53_query_logging_policy
- ]
-}
diff --git a/infrastructure/terraform/components/acct/route53_zone.tf b/infrastructure/terraform/components/acct/route53_zone.tf
deleted file mode 100644
index 03039ee51..000000000
--- a/infrastructure/terraform/components/acct/route53_zone.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "aws_route53_zone" "main" {
- name = "templates.${var.root_domain_name}"
-
- delegation_set_id = aws_route53_delegation_set.main.id
-}
diff --git a/infrastructure/terraform/components/acct/security_group_allow_sftp_egress.tf b/infrastructure/terraform/components/acct/security_group_allow_sftp_egress.tf
deleted file mode 100644
index f8f83397a..000000000
--- a/infrastructure/terraform/components/acct/security_group_allow_sftp_egress.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-resource "aws_security_group" "allow_sftp_egress" {
- name = "${local.csi}-sftp-egress"
- vpc_id = module.vpc.vpc_id
- description = "Security group for allowing outbound traffic to SFTP"
-
- tags = {
- Name = "${local.csi}-sftp-egress"
- }
-}
-
-#trivy:ignore:aws-ec2-no-public-egress-sgr
-resource "aws_security_group_rule" "allow_sftp_egress_ssh" {
- description = "Allow SFTP egress within VPC on port 22"
- type = "egress"
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- security_group_id = aws_security_group.allow_sftp_egress.id
-}
-
-#trivy:ignore:aws-ec2-no-public-egress-sgr
-resource "aws_security_group_rule" "allow_sftp_egress_https" {
- description = "Allow SFTP egress within VPC on port 443"
- type = "egress"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- security_group_id = aws_security_group.allow_sftp_egress.id
-}
diff --git a/infrastructure/terraform/components/acct/sns_topic_costs.tf b/infrastructure/terraform/components/acct/sns_topic_costs.tf
deleted file mode 100644
index e3ffa9010..000000000
--- a/infrastructure/terraform/components/acct/sns_topic_costs.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-resource "aws_sns_topic" "costs" {
- name = "${local.csi}-costs"
-}
-
-resource "aws_sns_topic_policy" "costs" {
- arn = aws_sns_topic.costs.arn
-
- policy = data.aws_iam_policy_document.sns_costs.json
-}
-
-data "aws_iam_policy_document" "sns_costs" {
- statement {
- sid = "AllowSNSCosts"
- effect = "Allow"
-
- actions = [
- "SNS:Publish",
- ]
-
- resources = [
- aws_sns_topic.costs.arn,
- ]
-
- principals {
- type = "Service"
- identifiers = ["budgets.amazonaws.com", "costalerts.amazonaws.com"]
- }
- }
-}
-
-resource "aws_sns_topic_subscription" "costs" {
- for_each = toset(var.cost_alarm_recipients)
- topic_arn = aws_sns_topic.costs.arn
- protocol = "email"
- endpoint = each.value
-}
diff --git a/infrastructure/terraform/components/acct/ssm_parameter_github_pat.tf b/infrastructure/terraform/components/acct/ssm_parameter_github_pat.tf
deleted file mode 100644
index 059ab78fd..000000000
--- a/infrastructure/terraform/components/acct/ssm_parameter_github_pat.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "aws_ssm_parameter" "github_pat" {
- name = "/${local.csi}/github_pat"
- description = "A GitHub PAT token for settings up AWS Amplify. This is only used at initial setup of the service"
- type = "SecureString"
- value = try(var.initial_cli_secrets_provision_override.github_pat, "UNSET")
-
- lifecycle {
- ignore_changes = [value]
- }
-}
-
-# This can be set at provision time like:
-# PARAM_OBJECT=$(jq -n \
-# --arg github_pat "github_pat_123abc" \
-# '{github_pat:$github_pat}' | jq -R)
-# .bin/terraform .. -a apply -- -var="initial_cli_secrets_provision_override=${PARAM_OBJECT}"
diff --git a/infrastructure/terraform/components/acct/ssm_parameter_sftp_mock_config.tf b/infrastructure/terraform/components/acct/ssm_parameter_sftp_mock_config.tf
deleted file mode 100644
index e2b85b07d..000000000
--- a/infrastructure/terraform/components/acct/ssm_parameter_sftp_mock_config.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-resource "aws_ssm_parameter" "sftp_mock_config" {
- count = local.use_sftp_letter_supplier_mock ? 1 : 0
-
- name = format(
- "/%s/sftp-mock-config",
- local.csi,
- )
- description = "Configuration values for accessing an SFTP mock server"
- type = "SecureString"
-
- /*
- JSON object matching:
- {
- "host": string
- "username": string,
- "privateKey": string,
- "baseUploadDir": "WTMMOCK/Incoming,
- "baseDownloadDir": "WTMMOCK/Outgoing"
- }
- */
- value = "placeholder"
-
- lifecycle {
- ignore_changes = [value]
- }
-}
diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf
deleted file mode 100644
index 1a9f5be07..000000000
--- a/infrastructure/terraform/components/acct/variables.tf
+++ /dev/null
@@ -1,140 +0,0 @@ -## -# Basic Required Variables for tfscaffold Components -## - -variable "project" { - type = string - description = "The name of the tfscaffold project" -} - -variable "environment" { - type = string - description = "The name of the tfscaffold environment" -} - -variable "aws_account_id" { - type = string - description = "The AWS Account ID (numeric)" -} - -variable "region" { - type = string - description = "The AWS Region" -} - -variable "group" { - type = string - description = "The group variables are being inherited from (often synonmous with account short-name)" -} - -## -# tfscaffold variables specific to this component -## - -# This is the only primary variable to have its value defined as -# a default within its declaration in this file, because the variables -# purpose is as an identifier unique to this component, rather -# then to the environment from where all other variables come. -variable "component" { - type = string - description = "The variable encapsulating the name of this component" - default = "acct" -} - -variable "default_tags" { - type = map(string) - description = "A map of default tags to apply to all taggable resources within the component" - default = {} -} - -## -# Variables specific to the "dnsroot"component -## - -variable "log_retention_in_days" { - type = number - description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite" - default = 0 -} - -variable "root_domain_name" { - type = string - description = "The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk" - default = "nonprod.nhsnotify.national.nhs.uk" -} - -variable "initial_cli_secrets_provision_override" { - type = map(string) - description = "A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules." - default = {} - # Usage like: - # ... 
-a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"} -} - -variable "observability_account_id" { - type = string - description = "The Observability Account ID that needs access" -} - -variable "kms_deletion_window" { - type = string - description = "When a kms key is deleted, how long should it wait in the pending deletion state?" - default = "30" -} - -variable "support_sandbox_environments" { - type = bool - description = "Does this account support dev sandbox environments?" - default = false -} - -variable "vpc_cidr" { - type = string - default = "10.0.0.0/16" -} - -variable "vpc_subnet_cidr_bits" { - type = object({ - public = number - private = number - }) - description = "Number of additional bits to use for subnetting the VPC CIDR block. The bits are evently distributed " - default = { - public = 12 # Smaller subnets for public resources. 12 creates /28 subnets over 3x Az - private = 3 # Larger subnets for private resources, 3 creates /19 subnets over 3x Az - } -} - -variable "letter_suppliers" { - type = map(object({ - enable_polling = bool - default_supplier = optional(bool) - })) - description = "Letter suppliers enabled in the account (across all environments)" - - default = {} -} - -variable "oam_sink_id" { - description = "The ID of the Cloudwatch OAM sink in the appropriate observability account." - type = string - default = "" -} - -variable "cost_alarm_recipients" { - type = list(string) - description = "A list of email addresses to receive alarm notifications" - default = [] -} - -variable "budget_amount" { - type = number - description = "The budget amount in USD for the account" - default = 500 -} - -variable "cost_anomaly_threshold" { - type = number - description = "The threshold percentage for cost anomaly detection" - default = 10 -} diff --git a/infrastructure/terraform/components/acct/versions.tf b/infrastructure/terraform/components/acct/versions.tf deleted file mode 100644 index 224cb0a13..000000000 
--- a/infrastructure/terraform/components/acct/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 5.50"
- }
- }
-
- required_version = ">= 1.10.1"
-}
diff --git a/infrastructure/terraform/components/app/README.md b/infrastructure/terraform/components/app/README.md
index 61d94e966..8a98c7944 100644
--- a/infrastructure/terraform/components/app/README.md
+++ b/infrastructure/terraform/components/app/README.md
@@ -21,7 +21,6 @@
 | [branch\_name](#input\_branch\_name) | The branch name to deploy | `string` | `"main"` | no |
 | [cognito\_user\_pool\_additional\_callback\_urls](#input\_cognito\_user\_pool\_additional\_callback\_urls) | A list of additional callback\_urls for the cognito user pool | `list(string)` | `[]` | no |
 | [commit\_id](#input\_commit\_id) | The commit to deploy. Must be in the tree for branch\_name | `string` | `"HEAD"` | no |
-| [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"app"` | no |
 | [control\_plane\_bus\_arn](#input\_control\_plane\_bus\_arn) | Data plane event bus arn | `string` | n/a | yes |
 | [data\_plane\_bus\_arn](#input\_data\_plane\_bus\_arn) | Data plane event bus arn | `string` | n/a | yes |
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
@@ -54,7 +53,6 @@
 | [eventpub](#module\_eventpub) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/eventpub | v2.0.19 |
 | [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a |
 | [kms\_us\_east\_1](#module\_kms\_us\_east\_1) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a |
-| [nhse\_backup\_vault](#module\_nhse\_backup\_vault) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-aws-backup-source.zip | n/a |
 | [s3bucket\_cf\_logs](#module\_s3bucket\_cf\_logs) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | [ses](#module\_ses) | ../../modules/ses | n/a |
 ## Outputs
diff --git a/infrastructure/terraform/components/app/amplify_domain_association.tf b/infrastructure/terraform/components/app/amplify_domain_association.tf
index dca6eb979..cc2aa384d 100644
--- a/infrastructure/terraform/components/app/amplify_domain_association.tf
+++ b/infrastructure/terraform/components/app/amplify_domain_association.tf
@@ -1,36 +1,15 @@ -# resource "aws_amplify_domain_association" "domain" { -# app_id = aws_amplify_app.main.id -# domain_name = local.root_domain_name -# enable_auto_sub_domain = true - -# sub_domain { -# branch_name = var.branch_name -# prefix = "" -# } - -# sub_domain { -# branch_name = var.branch_name -# prefix = var.url_prefix -# } -# } - -# TODO CCM-6078 Revert to above amplify_domain_association resource on closure of https://github.com/hashicorp/terraform-provider-aws/issues/37498 -# Provider does not correctly set autoSubDomainCreationPatterns when enable_auto_sub_domain is set -resource "null_resource" "amplify_domain_association" { - triggers = { - amplify_app_id = aws_amplify_app.main.id - amplify_branch_name = var.branch_name - amplify_url_prefix = var.url_prefix - amplify_domain_name = local.root_domain_name - } - - provisioner "local-exec" { - when = create - command = "aws amplify create-domain-association --app-id ${self.triggers.amplify_app_id} --domain-name ${self.triggers.amplify_domain_name} --sub-domain-settings prefix=\"\",branchName=\"${self.triggers.amplify_branch_name}\" prefix=\"${self.triggers.amplify_url_prefix}\",branchName=\"${self.triggers.amplify_branch_name}\" --enable-auto-sub-domain --auto-sub-domain-creation-patterns \"*,*/*,pr*\"" +resource "aws_amplify_domain_association" "domain" { + app_id = aws_amplify_app.main.id + domain_name = local.root_domain_name + enable_auto_sub_domain = true + + sub_domain { + branch_name = var.branch_name + prefix = "" } - provisioner "local-exec" { - when = destroy - command = "aws amplify delete-domain-association --app-id ${self.triggers.amplify_app_id} --domain-name ${self.triggers.amplify_domain_name}" + sub_domain { + branch_name = var.branch_name + prefix = var.url_prefix } } diff --git a/infrastructure/terraform/components/app/data_ssm_parameter_github_pat.tf b/infrastructure/terraform/components/app/data_ssm_parameter_github_pat.tf index cc52a394b..95a5abfa7 100644 
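Review bot: Reverting to `aws_amplify_domain_association` with `enable_auto_sub_domain = true` silently drops the explicit `--auto-sub-domain-creation-patterns "*,*/*,pr*"` that the removed `local-exec` passed, so which branches get a public subdomain under `local.root_domain_name` is now whatever the Amplify API applies when no patterns are supplied, and the TODO that tied the workaround to hashicorp/terraform-provider-aws#37498 is deleted without recording that the provider now sets the patterns correctly. Because every auto-created subdomain is a publicly resolvable hostname for a branch build, the pattern set is a security-relevant choice and should be stated: if the provider version in use exposes the patterns as an argument of this resource, set the same three values there; if not, add a comment next to `enable_auto_sub_domain = true` such as `# no creation patterns set: confirm the API default matches the previous "*,*/*,pr*" (CCM-6078 / provider issue 37498)`. The provider version constraint for this component is not visible in this diff, so I cannot confirm the issue is fixed at the pinned version.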
--- a/infrastructure/terraform/components/app/data_ssm_parameter_github_pat.tf +++ b/infrastructure/terraform/components/app/data_ssm_parameter_github_pat.tf @@ -1,3 +1,3 @@ data "aws_ssm_parameter" "github_pat_ssm_param_name" { - name = local.acct.github_pat_ssm_param_name + name = local.acct.additional_ssm_parameters["client-config_github_pat"].name } diff --git a/infrastructure/terraform/components/app/iam_role_grafana_access.tf b/infrastructure/terraform/components/app/iam_role_grafana_access.tf index 33f09cf5e..52869305c 100644 --- a/infrastructure/terraform/components/app/iam_role_grafana_access.tf +++ b/infrastructure/terraform/components/app/iam_role_grafana_access.tf @@ -1,5 +1,5 @@ resource "aws_iam_role" "grafana_access" { - name = replace("${local.csi}-obs-cross-access-role", "-${var.component}", "") + name = replace("${local.csi}-obs-cross-access-role", "-${local.component}", "") assume_role_policy = data.aws_iam_policy_document.observability_grafana_role_assume_role_policy.json } diff --git a/infrastructure/terraform/components/app/locals.tf b/infrastructure/terraform/components/app/locals.tf index e078e5392..3b3f9c9eb 100644 --- a/infrastructure/terraform/components/app/locals.tf +++ b/infrastructure/terraform/components/app/locals.tf @@ -1,6 +1,10 @@ locals { cloudfront_files_domain_name = "files.${local.root_domain_name}" - root_domain_name = "${var.environment}.${local.acct.dns_zone["name"]}" + lambdas_source_code_dir = "../../../../lambdas" log_destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-main-obs-firehose-logs" + + root_domain_name = "${var.environment}.${local.acct.route53_zone_names["template-mgmt"]}" # e.g. [main|dev|abxy0].templates.[dev|nonprod|prod].nhsnotify.national.nhs.uk + root_domain_id = local.acct.route53_zone_ids["template-mgmt"] + root_domain_nameservers = local.acct.route53_zone_nameservers["template-mgmt"] } 
diff --git a/infrastructure/terraform/components/app/locals_remote_state.tf b/infrastructure/terraform/components/app/locals_remote_state.tf index 7f87c1fa5..3d88800c3 100644 --- a/infrastructure/terraform/components/app/locals_remote_state.tf +++ b/infrastructure/terraform/components/app/locals_remote_state.tf @@ -1,24 +1,5 @@ locals { - bootstrap = data.terraform_remote_state.bootstrap.outputs - acct = data.terraform_remote_state.acct.outputs -} - -data "terraform_remote_state" "bootstrap" { - backend = "s3" - - config = { - bucket = local.terraform_state_bucket - - key = format( - "%s/%s/%s/%s/bootstrap.tfstate", - var.project, - var.aws_account_id, - "eu-west-2", - "bootstrap" - ) - - region = "eu-west-2" - } + acct = data.terraform_remote_state.acct.outputs } data "terraform_remote_state" "acct" { diff --git a/infrastructure/terraform/components/app/locals_tfscaffold.tf b/infrastructure/terraform/components/app/locals_tfscaffold.tf index b7cf32178..f427541d8 100644 --- a/infrastructure/terraform/components/app/locals_tfscaffold.tf +++ b/infrastructure/terraform/components/app/locals_tfscaffold.tf @@ -1,4 +1,6 @@ locals { + component = "tmapp" + terraform_state_bucket = format( "%s-tfscaffold-%s-%s", var.project, @@ -11,7 +13,7 @@ locals { "%s-%s-%s", var.project, var.environment, - var.component, + local.component, ), "_", "", @@ -25,7 +27,7 @@ locals { var.aws_account_id, var.region, var.environment, - var.component, + local.component, ), "_", "", @@ -36,7 +38,7 @@ locals { { Project = var.project Environment = var.environment - Component = var.component + Component = local.component Group = var.group Name = local.csi }, diff --git a/infrastructure/terraform/components/app/module_amplify_branch.tf b/infrastructure/terraform/components/app/module_amplify_branch.tf index ceb0e02f8..506df6062 100644 --- a/infrastructure/terraform/components/app/module_amplify_branch.tf +++ b/infrastructure/terraform/components/app/module_amplify_branch.tf 
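Review bot: Hard-coding `component = "tmapp"` in locals_tfscaffold.tf changes `local.csi` and the `Component` tag from `<project>-<env>-app` to `<project>-<env>-tmapp`, and the same rename is applied to branch (`tmbranch`) and sandbox (`tmsbx`), where csi-derived names such as `${local.csi}-events-sns` and the SES receipt rule name visibly change; the app's `module.backend_api`, `module.kms` and `module.eventpub` now also receive `local.component`, so whatever they name from it presumably changes too. Terraform treats a changed name on such resources as destroy-and-recreate, which is destructive for stateful ones (tables, buckets, key aliases) in any environment that already exists, unless `moved` blocks or a state migration accompany the rename. If the intent is that every environment is rebuilt, record it on the line, e.g. `component = "tmapp" # renamed from "app": csi-derived resource names change, existing environments must be recreated`. The `csi`/`default_tags` locals this value feeds are only partly inside the hunks shown.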
@@ -4,7 +4,7 @@ module "amplify_branch" { name = "main" display_name = var.url_prefix aws_account_id = var.aws_account_id - component = var.component + component = local.component environment = var.environment project = var.project region = var.region diff --git a/infrastructure/terraform/components/app/module_backend_api.tf b/infrastructure/terraform/components/app/module_backend_api.tf index 58f4e94bf..4c95008b2 100644 --- a/infrastructure/terraform/components/app/module_backend_api.tf +++ b/infrastructure/terraform/components/app/module_backend_api.tf @@ -5,15 +5,17 @@ module "backend_api" { project = var.project environment = var.environment - component = var.component + component = local.component aws_account_id = var.aws_account_id region = var.region group = var.group - csi = local.csi - log_retention_in_days = var.log_retention_in_days - kms_key_arn = module.kms.key_arn - parent_acct_environment = var.parent_acct_environment - function_s3_bucket = local.acct.s3_buckets["artefacts"]["id"] + + log_retention_in_days = var.log_retention_in_days + kms_key_arn = module.kms.key_arn + function_s3_bucket = local.acct.s3_buckets["lambda_function_artefacts"]["id"] + vpc_id = local.acct.vpc_ids["template-mgmt"] + log_destination_arn = local.log_destination_arn + log_subscription_role_arn = local.acct.log_subscription_role_arn cloudfront_distribution_arn = aws_cloudfront_distribution.main.arn 
@@ -21,15 +23,13 @@ module "backend_api" { enable_backup = var.destination_vault_arn != null ? true : false - letter_suppliers = var.letter_suppliers - log_destination_arn = local.log_destination_arn - log_subscription_role_arn = local.acct.log_subscription_role_arn - + letter_suppliers = var.letter_suppliers send_to_firehose = true email_domain = module.ses.domain template_submitted_sender_email_address = "template-submitted@${module.ses.domain}" proof_requested_sender_email_address = "proof-requested@${module.ses.domain}" + ssm_parameter_sftp_mock_config_name = local.acct.additional_ssm_parameters["template-mgmt_sftp-mock-config"]["name"] sns_topic_arn = module.eventpub.sns_topic.arn } diff --git a/infrastructure/terraform/components/app/module_download_authorizer_lambda.tf b/infrastructure/terraform/components/app/module_download_authorizer_lambda.tf index d90047b89..70b79ab70 100644 --- a/infrastructure/terraform/components/app/module_download_authorizer_lambda.tf +++ b/infrastructure/terraform/components/app/module_download_authorizer_lambda.tf @@ -9,7 +9,7 @@ module "download_authorizer_lambda" { description = "Download authorizer for s3 download bucket" aws_account_id = var.aws_account_id - component = var.component + component = local.component environment = var.environment project = var.project region = "us-east-1" @@ -22,7 +22,7 @@ module "download_authorizer_lambda" { body = data.aws_iam_policy_document.authorizer.json } - function_s3_bucket = local.acct.s3_buckets["artefacts_us_east_1"]["id"] + function_s3_bucket = local.acct.s3_buckets["lambda_function_artefacts_us"]["id"] function_code_base_path = local.lambdas_source_code_dir function_code_dir = "download-authorizer/dist" handler_function_name = "handler" diff --git a/infrastructure/terraform/components/app/module_eventpub.tf b/infrastructure/terraform/components/app/module_eventpub.tf index ebb9cea48..cc7979512 100644 --- a/infrastructure/terraform/components/app/module_eventpub.tf 
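Review bot: `enable_backup = var.destination_vault_arn != null ? true : false` still switches backend_api's backup behaviour on the destination vault ARN, but this change deletes `module_nhse_backup_vault.tf`, the only visible consumer of that ARN and the thing that created the backup plan, vault copy, restore-testing schedule and the `NHSE-Enable-Dynamo-Backup` selection tag. Unless the plan and vault now live in the acct component (not visible here), resources the module marks for backup are no longer selected by any plan, and the inputs the deleted module read (`destination_vault_arn`, `backup_report_recipient`, `backup_schedule_cron`, `retention_period`, `aws_principal_org_id`) presumably remain declared in variables.tf with no effect. Either drive `enable_backup` from the new owner of the backup plan or add a comment on that line stating where DynamoDB backups are now configured, and prune the dead variables. Separately, `ssm_parameter_sftp_mock_config_name` wires a mock SFTP config into the non-sandbox app component; confirm the module only acts on it in sandbox environments. The `module "backend_api"` block begins in the earlier hunk.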
+++ b/infrastructure/terraform/components/app/module_eventpub.tf @@ -5,7 +5,7 @@ module "eventpub" { name = "eventpub" aws_account_id = var.aws_account_id - component = var.component + component = local.component environment = var.environment project = var.project region = var.region diff --git a/infrastructure/terraform/components/app/module_kms.tf b/infrastructure/terraform/components/app/module_kms.tf index f9f8895f3..eb7eb878d 100644 --- a/infrastructure/terraform/components/app/module_kms.tf +++ b/infrastructure/terraform/components/app/module_kms.tf @@ -7,7 +7,7 @@ module "kms" { } aws_account_id = var.aws_account_id - component = var.component + component = local.component environment = var.environment project = var.project region = var.region diff --git a/infrastructure/terraform/components/app/module_kms_us_east_1.tf b/infrastructure/terraform/components/app/module_kms_us_east_1.tf index 4998d288b..61f99ca2d 100644 --- a/infrastructure/terraform/components/app/module_kms_us_east_1.tf +++ b/infrastructure/terraform/components/app/module_kms_us_east_1.tf @@ -7,7 +7,7 @@ module "kms_us_east_1" { } aws_account_id = var.aws_account_id - component = var.component + component = local.component environment = var.environment project = var.project region = "us-east-1" diff --git a/infrastructure/terraform/components/app/module_nhse_backup_vault.tf b/infrastructure/terraform/components/app/module_nhse_backup_vault.tf deleted file mode 100644 index 08a73d68b..000000000 --- a/infrastructure/terraform/components/app/module_nhse_backup_vault.tf +++ /dev/null 
@@ -1,47 +0,0 @@ -module "nhse_backup_vault" { - source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-aws-backup-source.zip" - count = var.destination_vault_arn != null ? 1 : 0 - - component = var.component - environment = var.environment - project = var.project - - backup_copy_vault_account_id = data.aws_arn.destination_vault_arn[0].account - backup_copy_vault_arn = data.aws_arn.destination_vault_arn[0].arn - - reports_bucket = local.acct.s3_buckets["backup_reports"]["bucket"] - notifications_target_email_address = var.backup_report_recipient - notification_kms_key = module.kms.key_id - - management_ci_role_arn = local.bootstrap.iam_github_deploy_role["arn"] - principal_org_id = var.aws_principal_org_id - - restore_testing_plan_scheduled_expression = "cron(0 4 ? * wed *)" - restore_testing_plan_start_window = 1 - - backup_plan_config_dynamodb = { - "compliance_resource_types" : [ - "DynamoDB" - ], - "rules" : [ - { - "name" : "${local.csi}-backup-rule", - "schedule" : var.backup_schedule_cron, - "copy_action" : { - "delete_after" : var.retention_period - }, - "lifecycle" : { - "delete_after" : var.retention_period - } - } - ], - "enable" : true, - "selection_tag" : "NHSE-Enable-Dynamo-Backup" - } -} - -data "aws_arn" "destination_vault_arn" { - count = var.destination_vault_arn != null ? 1 : 0 - - arn = var.destination_vault_arn -} diff --git a/infrastructure/terraform/components/app/module_s3bucket_cf_logs.tf b/infrastructure/terraform/components/app/module_s3bucket_cf_logs.tf index 9ba7208ee..2a6686343 100644 --- a/infrastructure/terraform/components/app/module_s3bucket_cf_logs.tf +++ b/infrastructure/terraform/components/app/module_s3bucket_cf_logs.tf @@ -10,7 +10,7 @@ module "s3bucket_cf_logs" { region = "us-east-1" project = var.project environment = var.environment - component = var.component + component = local.component acl = "private" force_destroy = false 
diff --git a/infrastructure/terraform/components/app/module_ses.tf b/infrastructure/terraform/components/app/module_ses.tf index 9b203e428..bcdb35bc3 100644 --- a/infrastructure/terraform/components/app/module_ses.tf +++ b/infrastructure/terraform/components/app/module_ses.tf @@ -5,10 +5,10 @@ module "ses" { region = var.region project = var.project environment = var.environment - component = var.component + component = local.component root_domain_name = local.root_domain_name + zone_id = local.root_domain_id external_email_domain = var.external_email_domain - zone_id = local.acct.dns_zone["id"] } diff --git a/infrastructure/terraform/components/app/outputs.tf b/infrastructure/terraform/components/app/outputs.tf index c3af0e6d4..2065bf2b8 100644 --- a/infrastructure/terraform/components/app/outputs.tf +++ b/infrastructure/terraform/components/app/outputs.tf @@ -14,7 +14,7 @@ output "deployment" { project = var.project environment = var.environment group = var.group - component = var.component + component = local.component commit_id = var.commit_id } } diff --git a/infrastructure/terraform/components/app/route53_record_acm_validation_files.tf b/infrastructure/terraform/components/app/route53_record_acm_validation_files.tf index 0b11d33bd..a488bb9e4 100644 --- a/infrastructure/terraform/components/app/route53_record_acm_validation_files.tf +++ b/infrastructure/terraform/components/app/route53_record_acm_validation_files.tf @@ -12,6 +12,6 @@ resource "aws_route53_record" "acm_validation_files" { name = each.value.name records = [each.value.record] type = each.value.type - zone_id = local.acct.dns_zone["id"] + zone_id = local.root_domain_id ttl = 60 } diff --git a/infrastructure/terraform/components/app/route53_record_cloudfront_files.tf b/infrastructure/terraform/components/app/route53_record_cloudfront_files.tf index e9eb61a90..fc320934f 100644 --- a/infrastructure/terraform/components/app/route53_record_cloudfront_files.tf 
+++ b/infrastructure/terraform/components/app/route53_record_cloudfront_files.tf @@ -4,8 +4,9 @@ resource "aws_route53_record" "cloudfront_files" { type = "A" alias { - name = aws_cloudfront_distribution.main.domain_name - zone_id = aws_cloudfront_distribution.main.hosted_zone_id + name = aws_cloudfront_distribution.main.domain_name + zone_id = aws_cloudfront_distribution.main.hosted_zone_id + evaluate_target_health = false } } diff --git a/infrastructure/terraform/components/app/route53_record_root.tf b/infrastructure/terraform/components/app/route53_record_root.tf index 83a147e70..3749c0266 100644 --- a/infrastructure/terraform/components/app/route53_record_root.tf +++ b/infrastructure/terraform/components/app/route53_record_root.tf @@ -1,7 +1,7 @@ # Record to support Cognito Hosted UIs per https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html resource "aws_route53_record" "root" { name = local.root_domain_name - zone_id = local.acct.dns_zone["id"] + zone_id = local.root_domain_id type = "A" ttl = 300 records = ["127.0.0.1"] diff --git a/infrastructure/terraform/components/app/variables.tf b/infrastructure/terraform/components/app/variables.tf index 000905934..ce8345cc2 100644 --- a/infrastructure/terraform/components/app/variables.tf +++ b/infrastructure/terraform/components/app/variables.tf @@ -40,11 +40,6 @@ variable "group" { # a default within its declaration in this file, because the variables # purpose is as an identifier unique to this component, rather # then to the environment from where all other variables come. -variable "component" { - type = string - description = "The variable encapsulating the name of this component" - default = "app" -} variable "default_tags" { type = map(string) diff --git a/infrastructure/terraform/components/branch/README.md b/infrastructure/terraform/components/branch/README.md index 8a1aec8d9..f9f560ead 100644 --- a/infrastructure/terraform/components/branch/README.md 
+++ b/infrastructure/terraform/components/branch/README.md @@ -14,7 +14,6 @@ |------|-------------|------|---------|:--------:| | [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes | | [branch\_name](#input\_branch\_name) | The branch name to deploy | `string` | `"branch"` | no | -| [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"branch"` | no | | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes | | [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes | diff --git a/infrastructure/terraform/components/branch/locals_tfscaffold.tf b/infrastructure/terraform/components/branch/locals_tfscaffold.tf index b7cf32178..fc12e598c 100644 --- a/infrastructure/terraform/components/branch/locals_tfscaffold.tf +++ b/infrastructure/terraform/components/branch/locals_tfscaffold.tf @@ -1,4 +1,6 @@ locals { + component = "tmbranch" + terraform_state_bucket = format( "%s-tfscaffold-%s-%s", var.project, @@ -11,7 +13,7 @@ locals { "%s-%s-%s", var.project, var.environment, - var.component, + local.component, ), "_", "", @@ -25,7 +27,7 @@ locals { var.aws_account_id, var.region, var.environment, - var.component, + local.component, ), "_", "", @@ -36,7 +38,7 @@ locals { { Project = var.project Environment = var.environment - Component = var.component + Component = local.component Group = var.group Name = local.csi }, diff --git a/infrastructure/terraform/components/branch/module_amplify_branch.tf b/infrastructure/terraform/components/branch/module_amplify_branch.tf index f9badd863..623c5a084 100644 --- a/infrastructure/terraform/components/branch/module_amplify_branch.tf 
+++ b/infrastructure/terraform/components/branch/module_amplify_branch.tf @@ -6,7 +6,7 @@ module "amplify_branch" { description = "Amplify branch for ${local.normalised_branch_name}" aws_account_id = var.aws_account_id - component = var.component + component = local.component environment = var.environment project = var.project region = var.region diff --git a/infrastructure/terraform/components/branch/variables.tf b/infrastructure/terraform/components/branch/variables.tf index a95e73f81..2cc092f97 100644 --- a/infrastructure/terraform/components/branch/variables.tf +++ b/infrastructure/terraform/components/branch/variables.tf @@ -35,11 +35,6 @@ variable "group" { # a default within its declaration in this file, because the variables # purpose is as an identifier unique to this component, rather # then to the environment from where all other variables come. -variable "component" { - type = string - description = "The variable encapsulating the name of this component" - default = "branch" -} variable "default_tags" { type = map(string) diff --git a/infrastructure/terraform/components/sandbox/README.md b/infrastructure/terraform/components/sandbox/README.md index 1090ccb7b..6277998fe 100644 --- a/infrastructure/terraform/components/sandbox/README.md +++ b/infrastructure/terraform/components/sandbox/README.md 
@@ -13,7 +13,6 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes | -| [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"sbx"` | no | | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes | | [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes | @@ -29,6 +28,7 @@ | [backend\_api](#module\_backend\_api) | ../../modules/backend-api | n/a | | [cognito\_triggers](#module\_cognito\_triggers) | ../../modules/cognito-triggers | n/a | | [eventpub](#module\_eventpub) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/eventpub | v2.0.19 | +| [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a | ## Outputs | Name | Description | diff --git a/infrastructure/terraform/components/sandbox/aws_cognito_user_pool_client_sandbox.tf b/infrastructure/terraform/components/sandbox/cognito_user_pool_client_sandbox.tf similarity index 100% rename from infrastructure/terraform/components/sandbox/aws_cognito_user_pool_client_sandbox.tf rename to infrastructure/terraform/components/sandbox/cognito_user_pool_client_sandbox.tf diff --git a/infrastructure/terraform/components/sandbox/aws_cognito_user_pool_sandbox.tf b/infrastructure/terraform/components/sandbox/cognito_user_pool_sandbox.tf similarity index 100% rename from infrastructure/terraform/components/sandbox/aws_cognito_user_pool_sandbox.tf rename to infrastructure/terraform/components/sandbox/cognito_user_pool_sandbox.tf 
diff --git a/infrastructure/terraform/components/sandbox/data_acct_kms_key.tf b/infrastructure/terraform/components/sandbox/data_acct_kms_key.tf deleted file mode 100644 index 53cd9a752..000000000 --- a/infrastructure/terraform/components/sandbox/data_acct_kms_key.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "aws_kms_key" "sandbox" { - key_id = "alias/${var.project}-main-acct-sandbox" -} diff --git a/infrastructure/terraform/modules/acct-ses-testing/iam_role_ses_receipts.tf b/infrastructure/terraform/components/sandbox/iam_role_ses_receipts.tf similarity index 90% rename from infrastructure/terraform/modules/acct-ses-testing/iam_role_ses_receipts.tf rename to infrastructure/terraform/components/sandbox/iam_role_ses_receipts.tf index 1cedf68d7..acad74e43 100644 --- a/infrastructure/terraform/modules/acct-ses-testing/iam_role_ses_receipts.tf +++ b/infrastructure/terraform/components/sandbox/iam_role_ses_receipts.tf @@ -44,7 +44,7 @@ data "aws_iam_policy_document" "ses_receipts" { ] resources = [ - var.kms_key_arn + module.kms.key_arn, ] } @@ -57,7 +57,7 @@ data "aws_iam_policy_document" "ses_receipts" { ] resources = [ - "${module.s3bucket_ses.arn}/*", + "${local.acct.additional_s3_buckets["template-mgmt_ses-test-config"]["arn"]}/*" ] } } diff --git a/infrastructure/terraform/components/sandbox/locals.tf b/infrastructure/terraform/components/sandbox/locals.tf index 14dcd17f5..18cd2a35a 100644 --- a/infrastructure/terraform/components/sandbox/locals.tf +++ b/infrastructure/terraform/components/sandbox/locals.tf 
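Review bot: The S3 statement in `ses_receipts` now grants its actions on `"${local.acct.additional_s3_buckets["template-mgmt_ses-test-config"]["arn"]}/*"`, the whole shared account-level bucket, while the receipt rule in this change writes only under `emails-${var.environment}/`; since this role is now created per sandbox environment, scope it to `"${local.acct.additional_s3_buckets["template-mgmt_ses-test-config"]["arn"]}/emails-${var.environment}/*"` so one environment's role cannot read or overwrite another's captured mail. The KMS statement names the sandbox's own `module.kms.key_arn`, but the bucket belongs to the acct component; if that bucket enforces SSE-KMS with an acct-managed key, SES's PutObject through this role will need a grant on that key, not this one, so verify which key the bucket uses. The `actions` lists of both statements sit above the hunks shown.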
@@ -1,5 +1,9 @@ locals { - email_domain = "sandbox.${local.acct.dns_zone["name"]}" + root_domain_name = "${var.environment}.${local.acct.route53_zone_names["template-mgmt"]}" # e.g. [main|dev|abxy0].templates.[dev|nonprod|prod].nhsnotify.national.nhs.uk + root_domain_id = local.acct.route53_zone_ids["template-mgmt"] + root_domain_nameservers = local.acct.route53_zone_nameservers["template-mgmt"] + email_domain = "sandbox.${local.root_domain_name}" + sandbox_letter_supplier_mock_proof_requested_sender = "proof-requested-sender-${var.environment}@${local.email_domain}" sandbox_letter_supplier_mock_template_submitted_sender = "template-submitted-sender-${var.environment}@${local.email_domain}" sandbox_letter_supplier_mock_recipient = "supplier-recipient-${var.environment}@${local.email_domain}" diff --git a/infrastructure/terraform/components/sandbox/locals_tfscaffold.tf b/infrastructure/terraform/components/sandbox/locals_tfscaffold.tf index 300f391c5..8b6ed9657 100644 --- a/infrastructure/terraform/components/sandbox/locals_tfscaffold.tf +++ b/infrastructure/terraform/components/sandbox/locals_tfscaffold.tf @@ -1,4 +1,6 @@ locals { + component = "tmsbx" + terraform_state_bucket = format( "%s-tfscaffold-%s-%s", var.project, @@ -11,7 +13,7 @@ locals { "%s-%s-%s", var.project, var.environment, - var.component, + local.component, ), "_", "", @@ -22,7 +24,7 @@ locals { { Project = var.project Environment = var.environment - Component = var.component + Component = local.component Group = var.group Name = local.csi }, diff --git a/infrastructure/terraform/components/sandbox/module_backend_api.tf b/infrastructure/terraform/components/sandbox/module_backend_api.tf index 0bd158911..68051b32e 100644 --- a/infrastructure/terraform/components/sandbox/module_backend_api.tf +++ b/infrastructure/terraform/components/sandbox/module_backend_api.tf 
@@ -1,16 +1,17 @@ module "backend_api" { source = "../../modules/backend-api" - project = var.project - environment = var.environment - component = var.component - aws_account_id = var.aws_account_id - region = var.region - group = var.group - csi = local.csi + project = var.project + environment = var.environment + component = local.component + aws_account_id = var.aws_account_id + region = var.region + group = var.group + log_retention_in_days = var.log_retention_in_days - parent_acct_environment = var.parent_acct_environment - function_s3_bucket = local.acct.s3_buckets["artefacts"]["id"] + kms_key_arn = module.kms.key_arn + function_s3_bucket = local.acct.s3_buckets["lambda_function_artefacts"]["id"] + vpc_id = local.acct.vpc_ids["template-mgmt"] cognito_config = { USER_POOL_ID = aws_cognito_user_pool.sandbox.id @@ -25,15 +26,12 @@ module "backend_api" { } } - kms_key_arn = data.aws_kms_key.sandbox.arn - - sns_topic_arn = module.eventpub.sns_topic.arn - - send_to_firehose = false - + send_to_firehose = false enable_event_stream = true email_domain = local.email_domain template_submitted_sender_email_address = local.sandbox_letter_supplier_mock_template_submitted_sender proof_requested_sender_email_address = local.sandbox_letter_supplier_mock_proof_requested_sender + sns_topic_arn = module.eventpub.sns_topic.arn + ssm_parameter_sftp_mock_config_name = local.acct.additional_ssm_parameters["template-mgmt_sftp-mock-config"]["name"] } diff --git a/infrastructure/terraform/components/sandbox/module_cognito_triggers.tf b/infrastructure/terraform/components/sandbox/module_cognito_triggers.tf index 5d5a32d46..db502e4a3 100644 --- a/infrastructure/terraform/components/sandbox/module_cognito_triggers.tf +++ b/infrastructure/terraform/components/sandbox/module_cognito_triggers.tf 
@@ -2,14 +2,15 @@ module "cognito_triggers" { source = "../../modules/cognito-triggers" aws_account_id = var.aws_account_id - component = var.component + component = local.component environment = var.environment project = var.project region = var.region group = var.group - function_s3_bucket = local.acct.s3_buckets["artefacts"]["id"] - kms_key_arn = data.aws_kms_key.sandbox.arn + + function_s3_bucket = local.acct.s3_buckets["lambda_function_artefacts"]["id"] + kms_key_arn = module.kms.key_arn log_retention_in_days = var.log_retention_in_days user_pool_id = aws_cognito_user_pool.sandbox.id } diff --git a/infrastructure/terraform/components/sandbox/module_eventpub.tf b/infrastructure/terraform/components/sandbox/module_eventpub.tf index a758a29aa..770847b58 100644 --- a/infrastructure/terraform/components/sandbox/module_eventpub.tf +++ b/infrastructure/terraform/components/sandbox/module_eventpub.tf @@ -5,14 +5,14 @@ module "eventpub" { name = "eventpub" aws_account_id = var.aws_account_id - component = var.component + component = local.component environment = var.environment project = var.project region = var.region group = var.group log_retention_in_days = var.log_retention_in_days - kms_key_arn = data.aws_kms_key.sandbox.arn + kms_key_arn = module.kms.key_arn enable_event_cache = true enable_sns_delivery_logging = false diff --git a/infrastructure/terraform/components/sandbox/module_kms.tf b/infrastructure/terraform/components/sandbox/module_kms.tf new file mode 100644 index 000000000..67d57c8e0 --- /dev/null +++ b/infrastructure/terraform/components/sandbox/module_kms.tf 
@@ -0,0 +1,58 @@ +module "kms" { + source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip" + providers = { + aws = aws + aws.us-east-1 = aws.us-east-1 + } + + aws_account_id = var.aws_account_id + component = local.component + environment = var.environment + project = var.project + region = var.region + + name = "main" + deletion_window = var.kms_deletion_window + alias = "alias/${local.csi}" + key_policy_documents = [data.aws_iam_policy_document.kms.json] + iam_delegation = true +} + +data "aws_iam_policy_document" "kms" { + # '*' resource scope is permitted in access policies as as the resource is itself + # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html + + statement { + sid = "AllowCloudWatchEncrypt" + effect = "Allow" + + principals { + type = "Service" + + identifiers = [ + "logs.${var.region}.amazonaws.com" + ] + } + + actions = [ + "kms:Encrypt*", + "kms:Decrypt*", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + + resources = [ + "*", + ] + + condition { + test = "ArnLike" + variable = "kms:EncryptionContext:aws:logs:arn" + + values = [ + "arn:aws:logs:${var.region}:${var.aws_account_id}:log-group:*", + ] + } + } +} diff --git a/infrastructure/terraform/components/sandbox/outputs.tf b/infrastructure/terraform/components/sandbox/outputs.tf index 345d37d10..48f2af762 100644 --- a/infrastructure/terraform/components/sandbox/outputs.tf +++ b/infrastructure/terraform/components/sandbox/outputs.tf @@ -54,12 +54,12 @@ output "deployment" { project = var.project environment = var.environment group = var.group - component = var.component + component = local.component } } output "test_email_bucket_name" { - value = local.acct["ses_testing_config"].bucket_name + value = local.acct.additional_s3_buckets["template-mgmt_ses-test-config"]["name"] } output "test_email_bucket_prefix" { 
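Review bot: `iam_delegation = true` is the line that decides how this key is governed — it allows IAM policies in the account to grant use of the key, which is presumably what the `ses_receipts` role and the roles behind `kms_key_arn = module.kms.key_arn` in backend_api and cognito_triggers rely on — and it deserves a comment saying so, e.g. `# key usage delegated to IAM: ses_receipts and the backend/cognito lambda roles are granted on this key by their own policies`. This key also replaces the shared `alias/${var.project}-main-acct-sandbox` key (data source deleted in this change) on the SNS topic, log groups and whatever backend_api encrypts; data already written under the old key stays readable only while that key exists, so note when the acct key can be retired. The `AllowCloudWatchEncrypt` statement covers `logs.${var.region}` only; if the `aws.us-east-1` provider passed to the module results in a replica key used by us-east-1 log groups, an equivalent statement would be needed (not visible whether that happens). The comment `as as the resource is itself` has a doubled word.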
diff --git a/infrastructure/terraform/modules/acct-ses-testing/route53_record_ses_mx_inbound.tf b/infrastructure/terraform/components/sandbox/route53_record_ses_mx_inbound.tf similarity index 67% rename from infrastructure/terraform/modules/acct-ses-testing/route53_record_ses_mx_inbound.tf rename to infrastructure/terraform/components/sandbox/route53_record_ses_mx_inbound.tf index 2c77b3300..1d40a93f4 100644 --- a/infrastructure/terraform/modules/acct-ses-testing/route53_record_ses_mx_inbound.tf +++ b/infrastructure/terraform/components/sandbox/route53_record_ses_mx_inbound.tf @@ -1,6 +1,6 @@ resource "aws_route53_record" "ses_mx_inbound" { - zone_id = var.zone_id - name = var.root_domain_name + zone_id = local.root_domain_id + name = local.root_domain_name type = "MX" ttl = "600" records = ["10 inbound-smtp.eu-west-2.amazonaws.com"] diff --git a/infrastructure/terraform/components/sandbox/ses_receipt_rule.tf b/infrastructure/terraform/components/sandbox/ses_receipt_rule.tf index e3c2f30a8..80892111f 100644 --- a/infrastructure/terraform/components/sandbox/ses_receipt_rule.tf +++ b/infrastructure/terraform/components/sandbox/ses_receipt_rule.tf @@ -1,6 +1,6 @@ resource "aws_ses_receipt_rule" "proof_requested" { name = "${local.csi}-store-email-proof-requested" - rule_set_name = local.acct["ses_testing_config"].rule_set_name + rule_set_name = local.acct.ses_active_receipt_rule_set_name recipients = [local.sandbox_letter_supplier_mock_recipient] enabled = true @@ -9,8 +9,8 @@ resource "aws_ses_receipt_rule" "proof_requested" { s3_action { position = 1 - bucket_name = local.acct["ses_testing_config"].bucket_name + bucket_name = local.acct.additional_s3_buckets["template-mgmt_ses-test-config"]["name"] object_key_prefix = "emails-${var.environment}/" - iam_role_arn = local.acct["ses_testing_config"].iam_role_arn + iam_role_arn = aws_iam_role.ses_receipts.arn } } 
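Review bot: The MX record is placed at `name = local.root_domain_name`, but the sandbox mailboxes this component receives for are under `local.email_domain = "sandbox.${local.root_domain_name}"` (locals.tf in this change), and MX resolution is for the exact recipient domain — a parent's MX is not inherited — so mail to `supplier-recipient-<env>@sandbox.<env>.…` will not reach SES unless some other record covers that name. If the receipt domain is meant to be `email_domain`, change the record to `name = local.email_domain`; the previous acct-level value of `var.root_domain_name` is not visible, so confirm which name was actually receiving before. The MX target also hard-codes `inbound-smtp.eu-west-2.amazonaws.com` while the component takes `var.region`; `records = ["10 inbound-smtp.${var.region}.amazonaws.com"]` keeps the two from drifting, since SES receiving must be configured in that region either way.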
diff --git a/infrastructure/terraform/components/sandbox/sns_topic_events.tf b/infrastructure/terraform/components/sandbox/sns_topic_events.tf index fe8449859..6ac80d55e 100644 --- a/infrastructure/terraform/components/sandbox/sns_topic_events.tf +++ b/infrastructure/terraform/components/sandbox/sns_topic_events.tf @@ -3,5 +3,5 @@ resource "aws_sns_topic" "events" { name = "${local.csi}-events-sns" - kms_master_key_id = data.aws_kms_key.sandbox.arn + kms_master_key_id = module.kms.key_id } diff --git a/infrastructure/terraform/components/sandbox/variables.tf b/infrastructure/terraform/components/sandbox/variables.tf index 2dc212bef..7f68d67ae 100644 --- a/infrastructure/terraform/components/sandbox/variables.tf +++ b/infrastructure/terraform/components/sandbox/variables.tf @@ -35,11 +35,6 @@ variable "group" { # a default within its declaration in this file, because the variables # purpose is as an identifier unique to this component, rather # then to the environment from where all other variables come. -variable "component" { - type = string - description = "The variable encapsulating the name of this component" - default = "sbx" -} variable "default_tags" { type = map(string) diff --git a/infrastructure/terraform/components/sandbox/versions.tf b/infrastructure/terraform/components/sandbox/versions.tf index 224cb0a13..2aea77f2e 100644 --- a/infrastructure/terraform/components/sandbox/versions.tf +++ b/infrastructure/terraform/components/sandbox/versions.tf @@ -8,3 +8,16 @@ terraform { required_version = ">= 1.10.1" } + +provider "aws" { + alias = "us-east-1" + region = "us-east-1" + + default_tags { + tags = local.default_tags + } + + allowed_account_ids = [ + var.aws_account_id, + ] +} diff --git a/infrastructure/terraform/modules/acct-ses-testing/README.md b/infrastructure/terraform/modules/acct-ses-testing/README.md deleted file mode 100644 index 5f4779031..000000000 --- a/infrastructure/terraform/modules/acct-ses-testing/README.md +++ /dev/null 
@@ -1,35 +0,0 @@
-
-
-
-
-## Requirements
-
-No requirements.
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
-| [component](#input\_component) | The variable encapsulating the name of this component | `string` | n/a | yes |
-| [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
-| [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
-| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key ARN | `string` | n/a | yes |
-| [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
-| [region](#input\_region) | The AWS Region | `string` | n/a | yes |
-| [root\_domain\_name](#input\_root\_domain\_name) | Root domain name | `string` | n/a | yes |
-| [zone\_id](#input\_zone\_id) | Route53 zone ID | `string` | n/a | yes |
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [s3bucket\_ses](#module\_s3bucket\_ses) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [bucket\_name](#output\_bucket\_name) | n/a |
-| [iam\_role\_arn](#output\_iam\_role\_arn) | n/a |
-| [rule\_set\_name](#output\_rule\_set\_name) | n/a |
-
-
diff --git a/infrastructure/terraform/modules/acct-ses-testing/locals.tf b/infrastructure/terraform/modules/acct-ses-testing/locals.tf
deleted file mode 100644
index fe6729908..000000000
--- a/infrastructure/terraform/modules/acct-ses-testing/locals.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-locals {
- csi = replace(
- format(
- "%s-%s-%s",
- var.project,
- var.environment,
- var.component,
- ),
- "_",
- "",
- )
-}
diff --git a/infrastructure/terraform/modules/acct-ses-testing/module_s3bucket_ses.tf b/infrastructure/terraform/modules/acct-ses-testing/module_s3bucket_ses.tf
deleted file mode 100644
index 6ecf99a04..000000000
--- a/infrastructure/terraform/modules/acct-ses-testing/module_s3bucket_ses.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-module "s3bucket_ses" {
- source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip"
-
- name = "ses"
-
- aws_account_id = var.aws_account_id
- region = var.region
- project = var.project
- environment = var.environment
- component = var.component
-
- kms_key_arn = var.kms_key_arn
-}
diff --git a/infrastructure/terraform/modules/acct-ses-testing/outputs.tf b/infrastructure/terraform/modules/acct-ses-testing/outputs.tf
deleted file mode 100644
index 5d30d32f0..000000000
--- a/infrastructure/terraform/modules/acct-ses-testing/outputs.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-output "iam_role_arn" {
- value = aws_iam_role.ses_receipts.arn
-}
-
-output "bucket_name" {
- value = module.s3bucket_ses.id
-}
-
-output "rule_set_name" {
- value = aws_ses_receipt_rule_set.main.rule_set_name
-}
diff --git a/infrastructure/terraform/modules/acct-ses-testing/ses_receipt_rule_set.tf b/infrastructure/terraform/modules/acct-ses-testing/ses_receipt_rule_set.tf
deleted file mode 100644
index ffad0613d..000000000
--- a/infrastructure/terraform/modules/acct-ses-testing/ses_receipt_rule_set.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-resource "aws_ses_receipt_rule_set" "main" {
- rule_set_name = local.csi
-}
-
-resource "aws_ses_active_receipt_rule_set" "main" {
- rule_set_name = aws_ses_receipt_rule_set.main.rule_set_name
-}
diff --git a/infrastructure/terraform/modules/acct-ses-testing/variables.tf b/infrastructure/terraform/modules/acct-ses-testing/variables.tf
deleted file mode 100644
index fc9c36487..000000000
--- a/infrastructure/terraform/modules/acct-ses-testing/variables.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-variable "project" {
- type = string
- description = "The name of the tfscaffold project"
-}
-
-variable "environment" {
- type = string
- description = "The name of the tfscaffold environment"
-}
-
-variable "aws_account_id" {
- type = string
- description = "The AWS Account ID (numeric)"
-}
-
-variable "region" {
- type = string
- description = "The AWS Region"
-}
-
-variable "group" {
- type = string
- description = "The group variables are being inherited from (often synonmous with account short-name)"
-}
-
-variable "component" {
- type = string
- description = "The variable encapsulating the name of this component"
-}
-
-variable "zone_id" {
- type = string
- description = "Route53 zone ID"
-}
-
-variable "root_domain_name" {
- type = string
- description = "Root domain name"
-}
-
-variable "kms_key_arn" {
- type = string
- description = "KMS key ARN"
-}
diff --git a/infrastructure/terraform/modules/backend-api/README.md b/infrastructure/terraform/modules/backend-api/README.md
index f1c7506d3..cf1d95b24 100644
--- a/infrastructure/terraform/modules/backend-api/README.md
+++ b/infrastructure/terraform/modules/backend-api/README.md
@@ -13,7 +13,6 @@ No requirements.
 | [cloudfront\_distribution\_arn](#input\_cloudfront\_distribution\_arn) | ARN of the cloudfront distribution to serve files from | `string` | `null` | no |
 | [cognito\_config](#input\_cognito\_config) | Cognito config |
object({
USER_POOL_ID : string,
USER_POOL_CLIENT_ID : string
})
| n/a | yes |
 | [component](#input\_component) | The variable encapsulating the name of this component | `string` | n/a | yes |
-| [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | [email\_domain](#input\_email\_domain) | Email domain | `string` | n/a | yes |
 | [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
 | [enable\_event\_stream](#input\_enable\_event\_stream) | Enable DynamoDB streaming to EventBridge | `bool` | `true` | no |
@@ -25,14 +24,14 @@ No requirements.
 | [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
-| [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"api"` | no |
-| [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used | `string` | n/a | yes |
 | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | [proof\_requested\_sender\_email\_address](#input\_proof\_requested\_sender\_email\_address) | Proof requested sender email address | `string` | n/a | yes |
 | [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | [send\_to\_firehose](#input\_send\_to\_firehose) | Flag indicating whether logs should be sent to firehose | `bool` | n/a | yes |
 | [sns\_topic\_arn](#input\_sns\_topic\_arn) | SNS topic ARN | `string` | `null` | no |
+| [ssm\_parameter\_sftp\_mock\_config\_name](#input\_ssm\_parameter\_sftp\_mock\_config\_name) | SSM Parameter name for the SFTP mock config | `string` | `null` | no |
 | [template\_submitted\_sender\_email\_address](#input\_template\_submitted\_sender\_email\_address) | Template submitted sender email address | `string` | n/a | yes |
+| [vpc\_id](#input\_vpc\_id) | The VPC ID to deploy the backend API into | `string` | n/a | yes |
 ## Modules
 | Name | Source | Version |
diff --git a/infrastructure/terraform/modules/backend-api/aws_security_group_account_vpc_sg_allow_sftp_egress.tf b/infrastructure/terraform/modules/backend-api/aws_security_group_account_vpc_sg_allow_sftp_egress.tf
new file mode 100644
index 000000000..f23496a4c
--- /dev/null
+++ b/infrastructure/terraform/modules/backend-api/aws_security_group_account_vpc_sg_allow_sftp_egress.tf
@@ -0,0 +1,15 @@
+resource "aws_security_group" "account_vpc_sg_allow_sftp_egress" {
+ name = "${data.aws_vpc.account_vpc.tags["Project"]}-${data.aws_vpc.account_vpc.tags["Environment"]}-acct-sftp-egress"
+ description = "Security group to allow SFTP egress"
+ vpc_id = data.aws_vpc.account_vpc.id
+}
+
+resource "aws_security_group_rule" "allow_sftp_egress" {
+ type = "egress"
+ description = "Allow outbound SFTP"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = aws_security_group.account_vpc_sg_allow_sftp_egress.id
+}
diff --git a/infrastructure/terraform/modules/backend-api/data_ssm_parameter_sftp_mock_config_acct.tf b/infrastructure/terraform/modules/backend-api/data_ssm_parameter_sftp_mock_config_acct.tf
index 6c0959e90..82c0e9948 100644
--- a/infrastructure/terraform/modules/backend-api/data_ssm_parameter_sftp_mock_config_acct.tf
+++ b/infrastructure/terraform/modules/backend-api/data_ssm_parameter_sftp_mock_config_acct.tf
@@ -1,4 +1,4 @@
 data "aws_ssm_parameter" "sftp_mock_config_acct" {
 count = local.use_sftp_letter_supplier_mock ? 1 : 0
- name = "/nhs-notify-${var.parent_acct_environment}-acct/sftp-mock-config"
+ name = var.ssm_parameter_sftp_mock_config_name
 }
diff --git a/infrastructure/terraform/modules/backend-api/data_vpc_account_vpc.tf b/infrastructure/terraform/modules/backend-api/data_vpc_account_vpc.tf
index db854c97d..86d7e57f2 100644
--- a/infrastructure/terraform/modules/backend-api/data_vpc_account_vpc.tf
+++ b/infrastructure/terraform/modules/backend-api/data_vpc_account_vpc.tf
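Review bot: `aws_security_group_rule.allow_sftp_egress` opens TCP/22 egress to `0.0.0.0/0`, and because the group is now created unconditionally inside the backend-api module (previously it was looked up from an acct-managed group), every environment that deploys the module gets an any-destination SSH/SFTP egress path on its VPC lambdas, including environments that never talk to an SFTP supplier. Restricting the destination to the supplier endpoint(s), e.g. `cidr_blocks = var.sftp_egress_cidr_blocks` backed by a list variable whose default is the current value, or at least stating in `description` why an unrestricted destination is needed, would keep the rule scoped to what the two consumers in the module_lambda_sftp_* hunks below actually require. The `name` is built from `data.aws_vpc.account_vpc.tags["Project"]` and `["Environment"]`, so the plan fails if the VPC lacks either tag, and it appears to reuse the name of the acct group that data_vpc_account_vpc.tf used to look up by that same `Name` tag; security group names must be unique within a VPC, so if that group still exists the create will conflict, and a short comment recording the ownership move (`# formerly created by the acct component; now owned by this module`) would help the next reader.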
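Review bot: `name = var.ssm_parameter_sftp_mock_config_name` is now fed by a variable whose default is `null` (see the backend-api variables.tf hunk below), so when `local.use_sftp_letter_supplier_mock` is true and the caller leaves the variable unset, the data source is instantiated with a null name and the plan fails with a provider-level error instead of a message naming the missing input. A `lifecycle { precondition }` on the data source ties the requirement to the condition that makes it necessary; a `validation` block on the variable cannot express this because it cannot reference the local. The precondition is only evaluated when `count` is 1, so callers that do not enable the mock are unaffected.
```hcl
data "aws_ssm_parameter" "sftp_mock_config_acct" {
  count = local.use_sftp_letter_supplier_mock ? 1 : 0
  name  = var.ssm_parameter_sftp_mock_config_name

  lifecycle {
    precondition {
      condition     = var.ssm_parameter_sftp_mock_config_name != null
      error_message = "ssm_parameter_sftp_mock_config_name must be set when the SFTP letter supplier mock is enabled."
    }
  }
}
```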
@@ -1,7 +1,5 @@
 data "aws_vpc" "account_vpc" {
- tags = {
- Component = "acct"
- }
+ id = var.vpc_id
 }
 data "aws_subnets" "account_vpc_private_subnets" {
@@ -14,11 +12,3 @@ data "aws_subnets" "account_vpc_private_subnets" {
 Subnet = "Private"
 }
 }
-
-data "aws_security_group" "account_vpc_sg_allow_sftp_egress" {
- vpc_id = data.aws_vpc.account_vpc.id
-
- tags = {
- Name = "${data.aws_vpc.account_vpc.tags["Project"]}-${data.aws_vpc.account_vpc.tags["Environment"]}-acct-sftp-egress"
- }
-}
diff --git a/infrastructure/terraform/modules/backend-api/locals.tf b/infrastructure/terraform/modules/backend-api/locals.tf
index 9b1a8ce12..5cd6a23b3 100644
--- a/infrastructure/terraform/modules/backend-api/locals.tf
+++ b/infrastructure/terraform/modules/backend-api/locals.tf
@@ -1,5 +1,17 @@
 locals {
- csi = "${var.csi}-${var.module}"
+ module = "backend"
+
+ csi = replace(
+ format(
+ "%s-%s-%s-%s",
+ var.project,
+ var.environment,
+ var.component,
+ local.module
+ ),
+ "_",
+ "",
+ )
 lambdas_dir = "../../../../lambdas"
@@ -7,7 +19,7 @@ locals {
 pdfjs_layer_zip = abspath("${local.lambdas_source_code_dir}/layers/pdfjs/dist/layer/pdfjs-layer.zip")
 pdfjs_layer_lockfile = abspath("${local.lambdas_source_code_dir}/layers/pdfjs/package-lock.json")
- client_ssm_path_prefix = "/${var.csi}/clients"
+ client_ssm_path_prefix = "/${local.csi}/clients"
 client_ssm_path_pattern = "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter${local.client_ssm_path_prefix}/*"
 openapi_spec = templatefile("${path.module}/spec.tmpl.json", {
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf b/infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf
index 9830a9a4d..43285138b 100644
--- a/infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf
+++ b/infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf
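Review bot: In the locals.tf hunks `client_ssm_path_prefix` moves from `/${var.csi}/clients` to `/${local.csi}/clients`, and `local.csi` now ends in the hard-coded `local.module` (`backend`) where the old prefix used the parent component's CSI with no module suffix; `client_ssm_path_pattern` in the second locals hunk follows it, so the IAM scope for client parameters shifts to a new path. If client parameters already exist under the old prefix, or are written by code outside this module that still uses the old path, they fall out of scope after this change — please confirm the move is intended and that readers and writers agree on the prefix. Replacing `var.module` (default `api`) with `module = "backend"` also renames everything derived from `local.csi`, which for named resources presumably means replacement rather than an in-place update; a comment on `module` such as `# renamed from "api": changes local.csi and therefore every resource name derived from it` would record that this is deliberate.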
@@ -39,7 +39,7 @@ module "lambda_sftp_poll" {
 vpc_config = {
 subnet_ids = data.aws_subnets.account_vpc_private_subnets.ids
- security_group_ids = [data.aws_security_group.account_vpc_sg_allow_sftp_egress.id]
+ security_group_ids = [aws_security_group.account_vpc_sg_allow_sftp_egress.id]
 }
 send_to_firehose = var.send_to_firehose
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_sftp_request_proof.tf b/infrastructure/terraform/modules/backend-api/module_lambda_sftp_request_proof.tf
index 71d661056..6f69af14e 100644
--- a/infrastructure/terraform/modules/backend-api/module_lambda_sftp_request_proof.tf
+++ b/infrastructure/terraform/modules/backend-api/module_lambda_sftp_request_proof.tf
@@ -43,7 +43,7 @@ module "lambda_sftp_request_proof" {
 vpc_config = {
 subnet_ids = data.aws_subnets.account_vpc_private_subnets.ids
- security_group_ids = [data.aws_security_group.account_vpc_sg_allow_sftp_egress.id]
+ security_group_ids = [aws_security_group.account_vpc_sg_allow_sftp_egress.id]
 }
 send_to_firehose = var.send_to_firehose
diff --git a/infrastructure/terraform/modules/backend-api/variables.tf b/infrastructure/terraform/modules/backend-api/variables.tf
index 4a45bca64..303b3b78c 100644
--- a/infrastructure/terraform/modules/backend-api/variables.tf
+++ b/infrastructure/terraform/modules/backend-api/variables.tf
@@ -32,31 +32,21 @@ variable "group" {
 description = "The group variables are being inherited from (often synonmous with account short-name)"
 }
-##
-# tfscaffold variables specific to this component
-##
-
-variable "module" {
- type = string
- description = "The variable encapsulating the name of this module"
- default = "api"
-}
-
 ##
 # Variables specific to this component
 ##
-variable "csi" {
- type = string
- description = "CSI from the parent component"
-}
-
 variable "log_retention_in_days" {
 type = number
 description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite"
 default = 0
 }
+variable "vpc_id" {
+ type = string
+ description = "The VPC ID to deploy the backend API into"
+}
+
 variable "cognito_config" {
 type = object({
 USER_POOL_ID : string,
@@ -91,9 +81,10 @@ variable "letter_suppliers" {
 description = "Letter suppliers enabled in the environment"
 }
-variable "parent_acct_environment" {
+variable "ssm_parameter_sftp_mock_config_name" {
 type = string
- description = "Name of the environment responsible for the acct resources used"
+ description = "SSM Parameter name for the SFTP mock config"
+ default = null
 }
 variable "cloudfront_distribution_arn" {
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
index afdae2983..82b60fe83 100644
--- a/scripts/config/pre-commit.yaml
+++ b/scripts/config/pre-commit.yaml
@@ -5,6 +5,7 @@ repos:
 - id: trailing-whitespace
 exclude: |
 (?x)^(
+ frontend/src/__tests__/.*\.tsx\.snap |
 frontend/src/__tests__/utils/markdownit/fixtures/index\.ts
 )$
 - id: detect-aws-credentials
@@ -17,10 +18,12 @@ repos:
 - id: mixed-line-ending
 - id: pretty-format-json
 exclude: |
- (?x)^(
- package-lock.json|
- packages/event-schemas/schemas/[^/]+/[^/]+\.json
- )$
+ (?x)^(
+ .*/spec.tmpl.json |
+ .*/package(-lock)?\.json$ |
+ package(-lock)?\.json$ |
+ packages/event-schemas/schemas/[^/]+/[^/]+\.json$ |
+ )$
 args: ['--autofix']
 # - id: ...
 - repo: local
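Review bot: In the second backend-api variables.tf hunk `ssm_parameter_sftp_mock_config_name` gains `default = null` but its description does not say when it must be set, while data_ssm_parameter_sftp_mock_config_acct.tf reads it only when the SFTP letter supplier mock is enabled, so the contract is conditional and a caller has no way to know that from the variable alone. Suggest `description = "SSM Parameter name for the SFTP mock config; required when the SFTP letter supplier mock is enabled"`. The new `vpc_id` variable in the first hunk could likewise carry a `validation` block with `condition = can(regex("^vpc-", var.vpc_id))` so a wrong value fails at variable validation rather than inside the `aws_vpc` data lookup.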
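Review bot: The new `pretty-format-json` exclude in the second pre-commit.yaml hunk ends with an empty alternative — `packages/event-schemas/schemas/[^/]+/[^/]+\.json$ |` directly followed by `)$` — which under `(?x)` makes the pattern also match the empty string; harmless for real paths, but it reads like a leftover and will confuse whoever extends the list next. Drop the trailing `|` so the last alternative is `packages/event-schemas/schemas/[^/]+/[^/]+\.json$`. The `.*/spec.tmpl.json |` entry also has unescaped dots and no `$`, unlike its neighbours; `.*/spec\.tmpl\.json$ |` would be consistent.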
diff --git a/scripts/init.mk b/scripts/init.mk
index e12255c34..c42cf2bf7 100644
--- a/scripts/init.mk
+++ b/scripts/init.mk
@@ -46,8 +46,8 @@ _install-dependency: # Install asdf dependency - mandatory: name=[listed in the
 asdf install ${name} $(or ${version},)
 _install-dependencies: # Install all the dependencies listed in .tool-versions
- for plugin in $$(grep ^[a-z] .tool-versions | sed 's/[[:space:]].*//'); do
- make _install-dependency name="$${plugin}"
+ for plugin in $$(grep '^[a-z]' .tool-versions | cut -f1 -d' '); do \
+ echo "Installing $${plugin}..."; \
 done
 clean:: # Remove all generated and temporary files (common) @Operations
diff --git a/scripts/tests/unit.sh b/scripts/tests/unit.sh
index 3d602598e..fd4e953af 100755
--- a/scripts/tests/unit.sh
+++ b/scripts/tests/unit.sh
@@ -21,4 +21,3 @@ WORKSPACE="${WORKSPACE:-}"
 # run tests
 npm run test:unit --workspace="$WORKSPACE"
-
diff --git a/tests/accessibility/tsconfig.json b/tests/accessibility/tsconfig.json
index 579220f09..b99454516 100644
--- a/tests/accessibility/tsconfig.json
+++ b/tests/accessibility/tsconfig.json
@@ -1,3 +1,3 @@
 {
- "extends": "@tsconfig/node20/tsconfig.json",
+ "extends": "@tsconfig/node20/tsconfig.json"
 }
diff --git a/tests/test-team/.eslintrc.json b/tests/test-team/.eslintrc.json
index e05045f98..a02fe473c 100644
--- a/tests/test-team/.eslintrc.json
+++ b/tests/test-team/.eslintrc.json
@@ -8,11 +8,13 @@
 "import/no-extraneous-dependencies": [
 "error",
 {
- "devDependencies": ["**"]
+ "devDependencies": [
+ "**"
+ ]
 }
 ],
 "playwright/expect-expect": "off",
- "playwright/no-conditional-in-test": "off",
- "playwright/no-conditional-expect": "off"
+ "playwright/no-conditional-expect": "off",
+ "playwright/no-conditional-in-test": "off"
 }
 }
diff --git a/tests/test-team/tsconfig.json b/tests/test-team/tsconfig.json
index 94bac77fd..f69b3794a 100644
--- a/tests/test-team/tsconfig.json
+++ b/tests/test-team/tsconfig.json
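Review bot: The rewritten `_install-dependencies` loop body in the init.mk hunk only runs `echo "Installing $${plugin}..."; \` — the `make _install-dependency name="$${plugin}"` call the old line made is gone, so a target whose comment still says it installs all the dependencies now installs nothing. If installation is still intended, the body should be `make _install-dependency name="$${plugin}"; \` (the echo can stay in front of it); if dropping the call was deliberate, the target comment should say so. The old form put `for`, `make` and `done` on separate recipe lines without continuations, which make runs in separate shells unless `.ONESHELL` is in effect, so the added `\` continuations are the right shape — it is only the call itself that is missing.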
@@ -8,5 +8,5 @@
 },
 "resolveJsonModule": true
 },
- "extends": "@tsconfig/node20/tsconfig.json",
+ "extends": "@tsconfig/node20/tsconfig.json"
 }
diff --git a/utils/test-helper-utils/tsconfig.json b/utils/test-helper-utils/tsconfig.json
index 579220f09..b99454516 100644
--- a/utils/test-helper-utils/tsconfig.json
+++ b/utils/test-helper-utils/tsconfig.json
@@ -1,3 +1,3 @@
 {
- "extends": "@tsconfig/node20/tsconfig.json",
+ "extends": "@tsconfig/node20/tsconfig.json"
 }