Merge pull request #30 from Worklytics/rc-v0.4.48

update to v0.4.48
Worklytics · Feb 28, 2024 · 440fa1f · 440fa1f
2 parents ef249d1 + 9b3b9ef
commit 440fa1f
Show file tree

Hide file tree

Showing 5 changed files with 183 additions and 8 deletions.
diff --git a/google-workspace.tf b/google-workspace.tf
@@ -7,7 +7,7 @@ provider "google" {
 
 
 module "worklytics_connectors_google_workspace" {
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-google-workspace?ref=v0.4.47"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-google-workspace?ref=v0.4.48"
 
   providers = {
     google = google.google_workspace

diff --git a/kms-cmek.tf b/kms-cmek.tf
@@ -0,0 +1,118 @@
+
+# uncomment to use encryption for S3 buckets and have it work properly for Cloud Watch Logs
+
+# this file sets up necessary stuff for S3 custom encryption (as opposed to AWS default) with a
+# architecture style that is more 'proper' Terraform - eg, composition of resources.
+
+#resource "aws_kms_key" "example_key" {
+#  description = "key for encrypting S3 buckets"
+#}
+#
+#
+#
+#locals {
+#  key_arn = aws_kms_key.example_key.arn # alternatively, use ar.project_aws_kms_key_arn
+#
+#  # TODO: can eliminate this if test tool doesn't assume role when uploading to bucket
+#  testing_policy_statements = var.provision_testing_infra ? [
+#    {
+#      "Sid": "Allow Test Users to Use Key",
+#      "Effect": "Allow",
+#      "Principal": { # tests
+#        "AWS": "arn:aws:iam::${var.aws_account_id}:role/${module.psoxy.caller_role_name}"
+#      },
+#      "Action": "kms:*",
+#      "Resource": local.key_arn
+#    }
+#  ] : []
+#
+#  # S3 bucket policy statements for bulk writer instances
+#  # explicitly allow each instance's exec role to use the key to encrypt, as it needs to write to
+#  # the output buckets
+#  bulk_writer_policy_statements = [
+#    for instance in module.psoxy.bulk_connector_instances : {
+#      "Effect" : "Allow",
+#      "Principal" : {
+#         "AWS" : instance.instance_role_arn
+#      },
+#      "Action" : [
+#        "kms:Encrypt",
+#        "kms:GenerateDataKey",
+#      ],
+#      "Resource" : local.key_arn
+#    }
+#  ]
+#  # for bulk case, proxy caller role must be able to READ from the sanitized buckets, requiring
+#  # decrypt permission for the key
+#  proxy_caller_policy_statements = [
+#    for instance in module.psoxy.bulk_connector_instances : {
+#      "Effect" : "Allow",
+#      "Principal" : {
+#        "AWS" : module.psoxy.caller_role_arn
+#      },
+#      "Action" : [
+#        "kms:Decrypt",
+#      ],
+#      "Resource" : aws_kms_key.example_key.arn
+#    }
+#  ]
+#}
+#
+#resource "aws_kms_key_policy" "proxy" {
+#  key_id = local.key_arn
+#  policy = jsonencode(
+#    {
+#      "Version" : "2012-10-17",
+#      "Id" : "proxy-key-policy",
+#      "Statement" : concat(
+#        [
+#          # to allow Terraform to manage the key
+#          {
+#            "Sid": "Allow IAM Users to Manage Key",
+#            "Effect": "Allow",
+#            "Principal": {
+#              "AWS": "arn:aws:iam::${var.aws_account_id}:root"
+#            },
+#            "Action": "kms:*",
+#            "Resource": local.key_arn
+#          },
+#          # to use for Cloud Watch Logs
+#          {
+#            "Effect" : "Allow",
+#            "Principal" : {
+#              "Service" : "logs.${var.aws_region}.amazonaws.com"
+#            },
+#            "Action" : [
+#              "kms:Encrypt",
+#              "kms:Decrypt",
+#              "kms:ReEncrypt",
+#              "kms:GenerateDataKey",
+#              "kms:Describe"
+#            ],
+#            "Resource" : local.key_arn
+#          }
+#      ],
+#      local.bulk_writer_policy_statements,
+#      local.testing_policy_statements,
+#      local.proxy_caller_policy_statements
+#      )
+#    })
+#}
+#
+## concisely set S3 encryption for all buckets
+#resource "aws_s3_bucket_server_side_encryption_configuration" "bulk_buckets" {
+#  for_each = merge(
+#    { for k, v in module.psoxy.bulk_connector_instances: "${k}_input" => v.input_bucket } ,
+#    { for k, v in module.psoxy.bulk_connector_instances: "${k}_sanitized" => v.sanitized_bucket } ,
+#    module.psoxy.lookup_output_buckets,
+#  )
+#
+#  bucket = each.value
+#
+#  rule {
+#    apply_server_side_encryption_by_default {
+#      kms_master_key_id = aws_kms_key.example_key.id
+#      sse_algorithm     = "aws:kms"
+#    }
+#  }
+#}
diff --git a/main.tf b/main.tf
@@ -18,7 +18,7 @@ terraform {
 
 # general cases
 module "worklytics_connectors" {
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=v0.4.47"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=v0.4.48"
 
   enabled_connectors               = var.enabled_connectors
   jira_cloud_id                    = var.jira_cloud_id
@@ -95,7 +95,7 @@ locals {
 }
 
 module "psoxy" {
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-host?ref=v0.4.47"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-host?ref=v0.4.48"
 
   environment_name                = var.environment_name
   aws_account_id                  = var.aws_account_id
@@ -143,7 +143,7 @@ locals {
 module "connection_in_worklytics" {
   for_each = local.all_instances
 
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-psoxy-connection-aws?ref=v0.4.47"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-psoxy-connection-aws?ref=v0.4.48"
 
   psoxy_instance_id  = each.key
   worklytics_host    = var.worklytics_host

diff --git a/msft-365.tf b/msft-365.tf
@@ -1,7 +1,7 @@
 # BEGIN MSFT
 
 module "worklytics_connectors_msft_365" {
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=v0.4.47"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=v0.4.48"
 
 
   enabled_connectors                  = var.enabled_connectors
@@ -44,7 +44,7 @@ data "aws_region" "current" {
 module "cognito_identity_pool" {
   count = local.msft_365_enabled ? 1 : 0 # only provision identity pool if MSFT-365 connectors are enabled
 
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-pool?ref=v0.4.47"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-pool?ref=v0.4.48"
 
   developer_provider_name = local.developer_provider_name
   name                    = "${local.env_qualifier}-azure-ad-federation"
@@ -53,7 +53,7 @@ module "cognito_identity_pool" {
 module "cognito_identity" {
   count = local.msft_365_enabled ? 1 : 0 # only provision identity pool if MSFT-365 connectors are enabled
 
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-identity-cli?ref=v0.4.47"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-identity-cli?ref=v0.4.48"
 
   aws_region       = data.aws_region.current.id
   aws_role         = var.aws_assume_role_arn
@@ -74,7 +74,7 @@ resource "aws_iam_role_policy_attachment" "cognito_lambda_policy" {
 module "msft_connection_auth_federation" {
   for_each = module.worklytics_connectors_msft_365.enabled_api_connectors
 
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/azuread-federated-credentials?ref=v0.4.47"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/azuread-federated-credentials?ref=v0.4.48"
 
   application_object_id = each.value.connector.id
   display_name          = "${local.env_qualifier}AccessFromAWS"

diff --git a/vpc.tf b/vpc.tf
@@ -0,0 +1,57 @@
+##
+### locals that function like variables, but without tedium of declaring them in a separate file
+#locals {
+#
+#  cidr_block = "10.0.0.0/16"
+#
+#  # must pick one that supports arm64 lambdas (which apparently is not all of them)
+#  availability_zone = "us-east-1a"
+#}
+#
+#
+### actual logic
+#resource "aws_vpc" "main" {
+#  cidr_block = local.cidr_block
+#
+#  tags = {
+#    environment_name = var.environment_name
+#  }
+#}
+#
+#resource "aws_subnet" "main" {
+#  vpc_id            = aws_vpc.main.id
+#  cidr_block        = local.cidr_block
+#  availability_zone = local.availability_zone
+#
+#  tags = {
+#    environment_name = var.environment_name
+#  }
+#}
+#
+#
+#resource "aws_security_group" "main" {
+#  name        = "${var.environment_name}"
+#  description = "Security group for ${var.environment_name} deployment of Psoxy"
+#  vpc_id      = aws_vpc.main.id
+#
+#  # allow HTTPS inbound from any source
+#  ingress {
+#    description = "HTTPS"
+#    from_port   = 443
+#    to_port     = 443
+#    protocol    = "tcp"
+#    cidr_blocks = [
+#      local.cidr_block
+#    ]
+#  }
+#
+#  # Allow HTTPS outbound to any destination
+#  egress {
+#    from_port = 443
+#    to_port   = 443
+#    protocol  = "tcp"
+#    cidr_blocks = [
+#      "0.0.0.0/0" # any destination
+#    ]
+#  }
+#}