diff --git a/terraform/environments/observability-platform/data.tf b/terraform/environments/observability-platform/data.tf index 645ce8ea385..a6ffd0b3092 100644 --- a/terraform/environments/observability-platform/data.tf +++ b/terraform/environments/observability-platform/data.tf @@ -6,29 +6,16 @@ data "aws_ssoadmin_instances" "main" { provider = aws.sso-readonly } -data "aws_identitystore_group" "observability_platform_admins" { - for_each = toset(["observability-platform", "operations-engineering", "azure-aws-sso-modernisation-platform"]) - +data "aws_identitystore_groups" "all" { provider = aws.sso-readonly identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] - - filter { - attribute_path = "DisplayName" - attribute_value = each.value - } } -data "aws_identitystore_group" "all_identity_centre_teams" { - for_each = { for team in local.all_identity_centre_teams : team => team } - - provider = aws.sso-readonly - - identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] - - filter { - attribute_path = "DisplayName" - attribute_value = each.value +locals { + identitystore_group_ids_by_name = { + for group in data.aws_identitystore_groups.all.groups : + group.display_name => group.group_id } } diff --git a/terraform/environments/observability-platform/iam-policies.tf b/terraform/environments/observability-platform/iam-policies.tf index e93b8f35213..f0f54911271 100644 --- a/terraform/environments/observability-platform/iam-policies.tf +++ b/terraform/environments/observability-platform/iam-policies.tf @@ -17,7 +17,7 @@ module "amazon_managed_grafana_remote_cloudwatch_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.52.2" + version = "6.6.1" name_prefix = "amazon-managed-grafana-remote-cloudwatch" 
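Review bot: The new `identitystore_group_ids_by_name` local is built with `group.display_name => group.group_id` and no grouping, so Terraform fails the plan if two groups in the identity store ever share a display name, whereas the removed per-name `aws_identitystore_group` filters only ever touched the named groups. If the upstream directory guarantees unique display names that is acceptable, but the behaviour deserves a comment on the local, e.g. `# Keyed by display name: a duplicate name fails the plan, and indexing a missing name fails with an invalid-index error rather than silently granting nothing.` Note also that `aws_identitystore_groups` lists every group in the identity store, so the `aws.sso-readonly` principal now needs list permission on the whole store rather than a lookup of specific groups; confirm its policy allows this before applying.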
diff --git a/terraform/environments/observability-platform/lambda-functions.tf b/terraform/environments/observability-platform/lambda-functions.tf index 16ffd05d8de..3e34e0e28db 100644 --- a/terraform/environments/observability-platform/lambda-functions.tf +++ b/terraform/environments/observability-platform/lambda-functions.tf @@ -6,7 +6,7 @@ module "grafana_api_key_rotator" { #checkov:skip=CKV_AWS_258:Function is not invoked by URL source = "terraform-aws-modules/lambda/aws" - version = "7.20.1" + version = "8.8.0" publish = true create_package = false @@ -53,7 +53,7 @@ module "grafana_api_key_rotator" { module "securityhub_metric_ingester" { source = "terraform-aws-modules/lambda/aws" - version = "7.20.1" + version = "8.8.0" function_name = "securityhub-metric-ingester" description = "Publishes enriched Security Hub metrics for Grafana" diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index 21c6aae7a33..ff87255ddd8 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf @@ -5,7 +5,7 @@ module "managed_grafana" { #checkov:skip=CKV2_AWS_5:AMG doesn't run in a VPC, so it doesn't need a security group source = "terraform-aws-modules/managed-service-grafana/aws" - version = "2.2.0" + version = "2.3.1" name = local.application_name 
@@ -31,10 +31,13 @@ module "managed_grafana" { role_associations = { "ADMIN" = { - "group_ids" = [for group in data.aws_identitystore_group.observability_platform_admins : group.id] + "group_ids" = [ + for group_name in ["observability-platform", "operations-engineering", "azure-aws-sso-modernisation-platform"] : + local.identitystore_group_ids_by_name[group_name] + ] } "EDITOR" = { - "group_ids" = [for team in data.aws_identitystore_group.all_identity_centre_teams : team.id] + "group_ids" = [for team in local.all_identity_centre_teams : local.identitystore_group_ids_by_name[team]] } } diff --git a/terraform/environments/observability-platform/managed-prometheus.tf b/terraform/environments/observability-platform/managed-prometheus.tf index e2c69d8db22..5c712bf5978 100644 --- a/terraform/environments/observability-platform/managed-prometheus.tf +++ b/terraform/environments/observability-platform/managed-prometheus.tf @@ -4,7 +4,7 @@ module "managed_prometheus" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/managed-service-prometheus/aws" - version = "2.2.3" + version = "4.3.1" workspace_alias = local.application_name diff --git a/terraform/environments/observability-platform/modules/grafana/amazon-prometheus-query-source/providers.tf b/terraform/environments/observability-platform/modules/grafana/amazon-prometheus-query-source/providers.tf index 516d493291f..50a1c28b571 100644 --- a/terraform/environments/observability-platform/modules/grafana/amazon-prometheus-query-source/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/amazon-prometheus-query-source/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { grafana = { source = "grafana/grafana" - version = "~> 3.0" + version = "~> 4.0" } } required_version = "~> 1.0" 
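Review bot: The three group names that receive Grafana `ADMIN` are now an inline list literal inside the `for` expression in `role_associations`, while the `EDITOR` list comes from `local.all_identity_centre_teams`; privileged group names are easier to audit when they are declared once in `locals` with a comment, e.g. `observability_platform_admin_teams = ["observability-platform", "operations-engineering", "azure-aws-sso-modernisation-platform"]` under `# Identity Center groups granted Grafana ADMIN; a name missing from the identity store fails the plan.` and then `for group_name in local.observability_platform_admin_teams : local.identitystore_group_ids_by_name[group_name]`. The `module "managed_grafana"` block starts and ends outside the hunk.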
diff --git a/terraform/environments/observability-platform/modules/grafana/athena-source/providers.tf b/terraform/environments/observability-platform/modules/grafana/athena-source/providers.tf index 516d493291f..50a1c28b571 100644 --- a/terraform/environments/observability-platform/modules/grafana/athena-source/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/athena-source/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { grafana = { source = "grafana/grafana" - version = "~> 3.0" + version = "~> 4.0" } } required_version = "~> 1.0" diff --git a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/providers.tf b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/providers.tf index 516d493291f..50a1c28b571 100644 --- a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { grafana = { source = "grafana/grafana" - version = "~> 3.0" + version = "~> 4.0" } } required_version = "~> 1.0" diff --git a/terraform/environments/observability-platform/modules/grafana/contact-point/pagerduty/providers.tf b/terraform/environments/observability-platform/modules/grafana/contact-point/pagerduty/providers.tf index 2fe887e59b7..a1c88bce456 100644 --- a/terraform/environments/observability-platform/modules/grafana/contact-point/pagerduty/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/contact-point/pagerduty/providers.tf @@ -2,11 +2,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0, != 5.86.0" + version = "~> 6.0" } grafana = { source = "grafana/grafana" - version = "~> 3.0" + version = "~> 4.0" } } required_version = "~> 1.0" 
diff --git a/terraform/environments/observability-platform/modules/grafana/contact-point/slack/providers.tf b/terraform/environments/observability-platform/modules/grafana/contact-point/slack/providers.tf index 2fe887e59b7..a1c88bce456 100644 --- a/terraform/environments/observability-platform/modules/grafana/contact-point/slack/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/contact-point/slack/providers.tf @@ -2,11 +2,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0, != 5.86.0" + version = "~> 6.0" } grafana = { source = "grafana/grafana" - version = "~> 3.0" + version = "~> 4.0" } } required_version = "~> 1.0" diff --git a/terraform/environments/observability-platform/modules/grafana/team/data.tf b/terraform/environments/observability-platform/modules/grafana/team/data.tf index c6161d07ee7..824020e92b1 100644 --- a/terraform/environments/observability-platform/modules/grafana/team/data.tf +++ b/terraform/environments/observability-platform/modules/grafana/team/data.tf @@ -1,10 +1,12 @@ data "aws_ssoadmin_instances" "main" {} -data "aws_identitystore_group" "this" { +data "aws_identitystore_groups" "all" { identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] +} - filter { - attribute_path = "DisplayName" - attribute_value = var.identity_centre_team - } +locals { + identitystore_group_id = one([ + for group in data.aws_identitystore_groups.all.groups : + group.group_id if group.display_name == var.identity_centre_team + ]) } diff --git a/terraform/environments/observability-platform/modules/grafana/team/main.tf b/terraform/environments/observability-platform/modules/grafana/team/main.tf index 9aa4f77e2a9..4cf3c14ce87 100644 --- a/terraform/environments/observability-platform/modules/grafana/team/main.tf +++ b/terraform/environments/observability-platform/modules/grafana/team/main.tf 
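Review bot: `one([...])` in the new `identitystore_group_id` local returns null when no group's `display_name` equals `var.identity_centre_team`, so a misspelled or deleted team name no longer fails the plan the way the filtered `aws_identitystore_group` lookup did; `grafana_team.this` in main.tf (the next hunk) would then be planned with a null entry in `team_sync.groups`, or rejected by the provider only at apply time, in either case without the plan-time error the old lookup gave. A map lookup fails closed instead: `identitystore_group_id = { for g in data.aws_identitystore_groups.all.groups : g.display_name => g.group_id }[var.identity_centre_team]`. If `one()` is kept for its duplicate-name check, add a `precondition` on `grafana_team.this` requiring `local.identitystore_group_id != null` so the team is never created without its Identity Center mapping.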
@@ -1,7 +1,7 @@ resource "grafana_team" "this" { name = var.name team_sync { - groups = [data.aws_identitystore_group.this.id] + groups = [local.identitystore_group_id] } } diff --git a/terraform/environments/observability-platform/modules/grafana/team/providers.tf b/terraform/environments/observability-platform/modules/grafana/team/providers.tf index 2fe887e59b7..a1c88bce456 100644 --- a/terraform/environments/observability-platform/modules/grafana/team/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/team/providers.tf @@ -2,11 +2,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0, != 5.86.0" + version = "~> 6.0" } grafana = { source = "grafana/grafana" - version = "~> 3.0" + version = "~> 4.0" } } required_version = "~> 1.0" diff --git a/terraform/environments/observability-platform/modules/grafana/xray-source/providers.tf b/terraform/environments/observability-platform/modules/grafana/xray-source/providers.tf index 516d493291f..50a1c28b571 100644 --- a/terraform/environments/observability-platform/modules/grafana/xray-source/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/xray-source/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { grafana = { source = "grafana/grafana" - version = "~> 3.0" + version = "~> 4.0" } } required_version = "~> 1.0" diff --git a/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf b/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf index 59a87a98f87..a9e6edfe02d 100644 --- a/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf +++ b/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0" + version = "~> 6.0" configuration_aliases = [aws.sso] } } diff --git a/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf b/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf index f0ae1897bfb..42118ac9e44 100644 --- a/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf +++ b/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf @@ -32,12 +32,23 @@ module "iam_role" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.52.2" + source = "terraform-aws-modules/iam/aws//modules/iam-role" + version = "6.6.1" + + name = "${var.name}-prometheus" + use_name_prefix = false + + trust_policy_permissions = { + AllowAssumeRole = { + actions = ["sts:AssumeRole"] + principals = [{ + type = "AWS" + identifiers = ["arn:aws:iam::${var.account_id}:root"] + }] + } + } - create_role = true - role_name = "${var.name}-prometheus" - trusted_role_arns = ["arn:aws:iam::${var.account_id}:root"] - custom_role_policy_arns = [module.iam_policy.arn] - role_requires_mfa = false + policies = { + prometheus = module.iam_policy.arn + } } diff --git a/terraform/environments/observability-platform/modules/prometheus/iam-role/providers.tf b/terraform/environments/observability-platform/modules/prometheus/iam-role/providers.tf index e76e658ad3c..1d83236edec 100644 --- a/terraform/environments/observability-platform/modules/prometheus/iam-role/providers.tf +++ b/terraform/environments/observability-platform/modules/prometheus/iam-role/providers.tf 
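Review bot: The new `trust_policy_permissions` block reproduces the old `trusted_role_arns` entry of the account root, so every principal in `var.account_id` that is allowed `sts:AssumeRole` can take this role; that is unchanged, but the migration also drops `role_requires_mfa = false`, the only hint that the breadth of the trust was considered, so a comment above the block should record it, e.g. `# Trusts the whole tenant account (root principal); who may assume is governed by the tenant's own IAM policies, not by this trust policy.` Because the module path changes from `iam-assumable-role` to `iam-role` and the policy attachment moves from `custom_role_policy_arns` to `policies`, check that the plan updates the role in place rather than destroying and recreating it; if the resource addresses inside the module differ, add `moved` blocks, since a recreated role gets a new unique ID and any policy elsewhere that trusts it by ARN stops matching until it is re-applied. `module "iam_role"` begins before the hunk.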
@@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0, != 5.86.0" + version = "~> 6.0" } } required_version = "~> 1.0" diff --git a/terraform/environments/observability-platform/observability-platform.tf b/terraform/environments/observability-platform/observability-platform.tf index cdaa6d6d5cc..02354cbec13 100644 --- a/terraform/environments/observability-platform/observability-platform.tf +++ b/terraform/environments/observability-platform/observability-platform.tf @@ -3,7 +3,7 @@ module "observability_platform_tenant" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "ministryofjustice/observability-platform-tenant/aws" - version = "1.2.0" + version = "2.0.0" observability_platform_account_id = data.aws_caller_identity.current.account_id enable_xray = true diff --git a/terraform/environments/observability-platform/platform_data.tf b/terraform/environments/observability-platform/platform_data.tf index 9844360a8cd..5084a060870 100644 --- a/terraform/environments/observability-platform/platform_data.tf +++ b/terraform/environments/observability-platform/platform_data.tf 
@@ -43,63 +43,63 @@ data "aws_subnets" "shared-public" { data "aws_subnet" "data_subnets_a" { vpc_id = data.aws_vpc.shared.id tags = { - "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}a" + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.region}a" } } data "aws_subnet" "data_subnets_b" { vpc_id = data.aws_vpc.shared.id tags = { - "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}b" + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.region}b" } } data "aws_subnet" "data_subnets_c" { vpc_id = data.aws_vpc.shared.id tags = { - "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}c" + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.region}c" } } data "aws_subnet" "private_subnets_a" { vpc_id = data.aws_vpc.shared.id tags = { - "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}a" + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.region}a" } } data "aws_subnet" "private_subnets_b" { vpc_id = data.aws_vpc.shared.id tags = { - "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}b" + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.region}b" } } data "aws_subnet" "private_subnets_c" { vpc_id = data.aws_vpc.shared.id tags = { - "Name" = 
"${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}c" + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.region}c" } } data "aws_subnet" "public_subnets_a" { vpc_id = data.aws_vpc.shared.id tags = { - Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}a" + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.region}a" } } data "aws_subnet" "public_subnets_b" { vpc_id = data.aws_vpc.shared.id tags = { - Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}b" + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.region}b" } } data "aws_subnet" "public_subnets_c" { vpc_id = data.aws_vpc.shared.id tags = { - Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}c" + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.region}c" } } diff --git a/terraform/environments/observability-platform/platform_providers.tf b/terraform/environments/observability-platform/platform_providers.tf index 22204e19456..deb2fb5da73 100644 --- a/terraform/environments/observability-platform/platform_providers.tf +++ b/terraform/environments/observability-platform/platform_providers.tf 
@@ -8,8 +8,11 @@ provider "aws" { # AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified) provider "aws" { region = "eu-west-2" - assume_role { - role_arn = !can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? null : can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess" + dynamic "assume_role" { + for_each = can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? [1] : [] + content { + role_arn = can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess" + } } default_tags { tags = local.tags } } 
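Review bot: Both `dynamic "assume_role"` blocks (this hunk and the `us-east-1` provider in the next hunk) evaluate the same two `can(regex(...))` tests on `data.aws_caller_identity.original_session.arn`, so the rule that decides which credentials a run uses now lives in four places; hoisting the tests into `locals` gives one documented place for it and keeps the two providers from drifting. The matches are unanchored substrings, so any session ARN containing `user` is routed to the collaborator-role path; that is pre-existing, but the comment on the local should say it is intended. The role ARNs themselves stay as they are in the hunk.

```hcl
locals {
  # Session classification shared by every provider that may assume a role.
  # Unanchored matches: any ARN containing one of these substrings qualifies.
  original_session_arn     = data.aws_caller_identity.original_session.arn
  original_session_assumes = can(regex("githubactionsrolesession|AdministratorAccess|user", local.original_session_arn))
  original_session_is_user = can(regex("user", local.original_session_arn))
}

provider "aws" {
  region = "eu-west-2"
  dynamic "assume_role" {
    for_each = local.original_session_assumes ? [1] : []
    content {
      role_arn = local.original_session_is_user ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess"
    }
  }
  # … unchanged: default_tags …
}
```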
@@ -48,8 +51,11 @@ provider "aws" { provider "aws" { alias = "us-east-1" region = "us-east-1" - assume_role { - role_arn = !can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? null : can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccessUSEast" + dynamic "assume_role" { + for_each = can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? [1] : [] + content { + role_arn = can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccessUSEast" + } } default_tags { tags = local.tags } } diff --git a/terraform/environments/observability-platform/versions.tf b/terraform/environments/observability-platform/versions.tf index 0dde38326bf..f0c28768f88 100644 --- a/terraform/environments/observability-platform/versions.tf +++ b/terraform/environments/observability-platform/versions.tf @@ -1,12 +1,12 @@ terraform { required_providers { aws = { - version = "~> 5.8, != 5.86.0" + version = "~> 6.0" source = "hashicorp/aws" } grafana = { source = "grafana/grafana" - version = "~> 3.0" + version = "~> 4.0" } http = { version = "~> 3.0"