diff --git a/terraspace/app/modules/eks-auth-sync/awsauth.tf b/terraspace/app/modules/eks-auth-sync/awsauth.tf
index 70c02b13..6069ad8a 100644
--- a/terraspace/app/modules/eks-auth-sync/awsauth.tf
+++ b/terraspace/app/modules/eks-auth-sync/awsauth.tf
@@ -1,3 +1,5 @@
+#Auth Sync operator needs to be able to read tags from all users.
+#tfsec:ignore:aws-iam-no-policy-wildcards
resource "aws_iam_policy" "eks_auth_sync_policy" {
name = var.eks_auth_sync_policy_name
description = "Policy that enables reading of user/role tags"
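Review bot: The `#tfsec:ignore:aws-iam-no-policy-wildcards` placed above the resource suppresses the wildcard rule for every statement in `eks_auth_sync_policy`, not only the one that legitimately needs a wildcard `Resource` to read tags from all users; the policy document is outside the hunk, so I cannot see how many statements it has or which one carries the wildcard. Moving the ignore to the line directly above the offending `Resource` attribute keeps the check live for the rest of the document, and the expiry suffix `#tfsec:ignore:aws-iam-no-policy-wildcards:exp:YYYY-MM-DD` (date as a placeholder) forces a periodic re-review of the exception. The justification comment is welcome; it would be more useful to the next reader if it named the specific IAM action(s) that cannot be scoped to a narrower resource, e.g. `# <action> has no resource-level scoping narrower than all users, so Resource must be "*"`. The resource body continues outside the hunk.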
diff --git a/terraspace/app/modules/lambda-from-sns/log.tf b/terraspace/app/modules/lambda-from-sns/log.tf
index fdd0e7cd..75e224d7 100644
--- a/terraspace/app/modules/lambda-from-sns/log.tf
+++ b/terraspace/app/modules/lambda-from-sns/log.tf
@@ -18,7 +18,7 @@ resource "aws_iam_policy" "lambda_logging" {
"logs:CreateLogStream",
"logs:PutLogEvents"
],
- "Resource": "arn:aws:logs:*:*:*",
+ "Resource": "${aws_cloudwatch_log_group.lambda_function_log_group.arn}:*",
"Effect": "Allow"
}
]
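Review bot: The new `Resource` on the added line appends `:*` to `aws_cloudwatch_log_group.lambda_function_log_group.arn`, but what that expands to depends on the provider major version: in the 3.x aws provider (which this repository appears to pin, see the `~> 3.38` constraint in dns-certificate.md) the log group `arn` attribute already ends in `:*`, so the statement would most likely read `...:log-group:<name>:*:*`; only from 4.x is the trailing `:*` dropped so that the expression is exactly right. A one-line comment such as `# aws provider >= 4.x: arn has no trailing ":*" — verify after a provider upgrade` next to the `Resource` would keep this from silently drifting. Also, the action list is cut off above the hunk; if it includes `logs:CreateLogGroup`, a resource scoped to log streams will not match the log-group ARN that action is evaluated against and the create call will be denied, so that action would need its own statement. The same applies to the lambda-from-sqs/log.tf hunk below. The `aws_iam_policy "lambda_logging"` block starts and ends outside the hunk.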
diff --git a/terraspace/app/modules/lambda-from-sqs/log.tf b/terraspace/app/modules/lambda-from-sqs/log.tf
index 6432f7eb..23d03562 100644
--- a/terraspace/app/modules/lambda-from-sqs/log.tf
+++ b/terraspace/app/modules/lambda-from-sqs/log.tf
@@ -18,7 +18,7 @@ resource "aws_iam_policy" "lambda_logging" {
"logs:CreateLogStream",
"logs:PutLogEvents"
],
- "Resource": "arn:aws:logs:*:*:*",
+ "Resource": "${aws_cloudwatch_log_group.log_group.arn}:*",
"Effect": "Allow"
}
]
diff --git a/terraspace/app/stacks/bucket-mirror/main.tf b/terraspace/app/stacks/bucket-mirror/main.tf
index 07e0d2e2..ad369156 100644
--- a/terraspace/app/stacks/bucket-mirror/main.tf
+++ b/terraspace/app/stacks/bucket-mirror/main.tf
@@ -71,4 +71,9 @@ resource "aws_instance" "bucket_mirror_runner" {
volume_tags = {
Name = "bucket-mirror"
}
+
+ metadata_options {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
}
diff --git a/terraspace/app/stacks/bucket-mirror/variables.tf b/terraspace/app/stacks/bucket-mirror/variables.tf
index 0de96bef..e60af879 100644
--- a/terraspace/app/stacks/bucket-mirror/variables.tf
+++ b/terraspace/app/stacks/bucket-mirror/variables.tf
@@ -40,7 +40,7 @@ variable "s3_prefix" {
}
variable "s3_suffix" {
- type = string
+ type = string
description = "Only read objects with this suffix"
}
diff --git a/terraspace/app/stacks/bucket-to-indexer-lambda/bucket-to-indexer-lambda.md b/terraspace/app/stacks/bucket-to-indexer-lambda/bucket-to-indexer-lambda.md
index a0c43470..6e46e5b7 100644
--- a/terraspace/app/stacks/bucket-to-indexer-lambda/bucket-to-indexer-lambda.md
+++ b/terraspace/app/stacks/bucket-to-indexer-lambda/bucket-to-indexer-lambda.md
@@ -30,6 +30,7 @@ Version:
The following resources are used by this module:
- [aws_ecr_repository.ecr_repo_bucket_to_indexer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) (resource)
+- [terraform_remote_state.event](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) (data source)
- [terraform_remote_state.indexing](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) (data source)
## Required Inputs
@@ -42,6 +43,12 @@ Description: Name for ECR repo. We use this repo to store bucket-to-indexer lamb
Type: `string`
+### [event\_stack\_region](#input\_event\_stack\_region)
+
+Description: Region which output event components are deployed to
+
+Type: `string`
+
### [indexing\_stack\_region](#input\_indexing\_stack\_region)
Description: Region which indexer is deployed to
diff --git a/terraspace/app/stacks/bucket-to-indexer-lambda/variables.tf b/terraspace/app/stacks/bucket-to-indexer-lambda/variables.tf
index 23551ceb..3140f382 100644
--- a/terraspace/app/stacks/bucket-to-indexer-lambda/variables.tf
+++ b/terraspace/app/stacks/bucket-to-indexer-lambda/variables.tf
@@ -1,5 +1,5 @@
variable "sns_topic" {
- type = string
+ type = string
description = "Name of SNS topic which lambda should subscribe to"
}
diff --git a/terraspace/app/stacks/dns-certificate/dns-certificate.md b/terraspace/app/stacks/dns-certificate/dns-certificate.md
new file mode 100644
index 00000000..c4755d7e
--- /dev/null
+++ b/terraspace/app/stacks/dns-certificate/dns-certificate.md
@@ -0,0 +1,77 @@
+
+## Requirements
+
+The following requirements are needed by this module:
+
+- [terraform](#requirement\_terraform) (>= 1.0.0)
+
+- [aws](#requirement\_aws) (~> 3.38)
+
+- [cloudflare](#requirement\_cloudflare) (~> 3.0)
+
+- [http](#requirement\_http) (~> 3.0)
+
+- [tls](#requirement\_tls) (4.0.1)
+
+## Providers
+
+The following providers are used by this module:
+
+- [aws](#provider\_aws) (~> 3.38)
+
+- [cloudflare](#provider\_cloudflare) (~> 3.0)
+
+- [http](#provider\_http) (~> 3.0)
+
+- [tls](#provider\_tls) (4.0.1)
+
+## Modules
+
+No modules.
+
+## Resources
+
+The following resources are used by this module:
+
+- [aws_acm_certificate.cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) (resource)
+- [cloudflare_origin_ca_certificate.cert](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/origin_ca_certificate) (resource)
+- [tls_cert_request.cert_request](https://registry.terraform.io/providers/hashicorp/tls/4.0.1/docs/resources/cert_request) (resource)
+- [tls_private_key.private_key](https://registry.terraform.io/providers/hashicorp/tls/4.0.1/docs/resources/private_key) (resource)
+- [http_http.cloudflare_certificate_chain](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) (data source)
+
+## Required Inputs
+
+The following input variables are required:
+
+### [bitswap\_peer\_record\_name](#input\_bitswap\_peer\_record\_name)
+
+Description: Bitswap Peer record name
+
+Type: `string`
+
+### [cf\_domain\_name](#input\_cf\_domain\_name)
+
+Description: DNS Zone name
+
+Type: `string`
+
+## Optional Inputs
+
+No optional inputs.
+
+## Outputs
+
+The following outputs are exported:
+
+### [aws\_certificate\_arn](#output\_aws\_certificate\_arn)
+
+Description: ACM Certificate
+
+### [bitswap\_peer\_record\_name](#output\_bitswap\_peer\_record\_name)
+
+Description: Bitswap Peer record name
+
+### [cf\_domain\_name](#output\_cf\_domain\_name)
+
+Description: DNS Zone name
+
\ No newline at end of file
diff --git a/terraspace/app/stacks/dns-certificate/outputs.tf b/terraspace/app/stacks/dns-certificate/outputs.tf
index aa07b795..fafe327f 100644
--- a/terraspace/app/stacks/dns-certificate/outputs.tf
+++ b/terraspace/app/stacks/dns-certificate/outputs.tf
@@ -1,15 +1,15 @@
output "bitswap_peer_record_name" {
- value = var.bitswap_peer_record_name
+ value = var.bitswap_peer_record_name
description = "Bitswap Peer record name"
}
output "cf_domain_name" {
- value = var.cf_domain_name
+ value = var.cf_domain_name
description = "DNS Zone name"
}
output "aws_certificate_arn" {
- value = aws_acm_certificate.cert.arn
- sensitive = true
+ value = aws_acm_certificate.cert.arn
+ sensitive = true
description = "ACM Certificate"
-}
+}
diff --git a/terraspace/app/stacks/dns-certificate/providers.tf b/terraspace/app/stacks/dns-certificate/providers.tf
index d8730514..babc0730 100644
--- a/terraspace/app/stacks/dns-certificate/providers.tf
+++ b/terraspace/app/stacks/dns-certificate/providers.tf
@@ -1,2 +1,2 @@
provider "tls" {}
-provider cloudflare {}
+provider "cloudflare" {}
diff --git a/terraspace/app/stacks/dns-certificate/variables.tf b/terraspace/app/stacks/dns-certificate/variables.tf
index b4bc188a..18c672b5 100644
--- a/terraspace/app/stacks/dns-certificate/variables.tf
+++ b/terraspace/app/stacks/dns-certificate/variables.tf
@@ -1,9 +1,9 @@
variable "cf_domain_name" {
- type = string
+ type = string
description = "DNS Zone name"
}
variable "bitswap_peer_record_name" {
- type = string
+ type = string
description = "Bitswap Peer record name"
}
diff --git a/terraspace/app/stacks/dns/dns.md b/terraspace/app/stacks/dns/dns.md
index 0c3b0a2a..40bdab27 100644
--- a/terraspace/app/stacks/dns/dns.md
+++ b/terraspace/app/stacks/dns/dns.md
@@ -9,8 +9,6 @@ The following requirements are needed by this module:
- [cloudflare](#requirement\_cloudflare) (~> 3.0)
-- [tls](#requirement\_tls) (4.0.1)
-
## Providers
The following providers are used by this module:
@@ -19,10 +17,6 @@ The following providers are used by this module:
- [cloudflare](#provider\_cloudflare) (~> 3.0)
-- [http](#provider\_http)
-
-- [tls](#provider\_tls) (4.0.1)
-
## Modules
No modules.
@@ -31,17 +25,12 @@ No modules.
The following resources are used by this module:
-- [aws_acm_certificate.cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) (resource)
- [aws_route53_record.peer_bitswap_load_balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) (resource)
- [aws_route53_record.peer_bitswap_load_balancer_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) (resource)
- [aws_route53_zone.hosted_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) (resource)
-- [cloudflare_origin_ca_certificate.cert](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/origin_ca_certificate) (resource)
- [cloudflare_record.bitswap_peer](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/record) (resource)
-- [tls_cert_request.cert_request](https://registry.terraform.io/providers/hashicorp/tls/4.0.1/docs/resources/cert_request) (resource)
-- [tls_private_key.private_key](https://registry.terraform.io/providers/hashicorp/tls/4.0.1/docs/resources/private_key) (resource)
- [aws_route53_zone.hosted_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) (data source)
- [cloudflare_zone.dns](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/zone) (data source)
-- [http_http.cloudflare_certificate_chain](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) (data source)
## Required Inputs
@@ -53,30 +42,23 @@ Description: The name of the hosted zone to either create or lookup
Type: `string`
-### [bitswap\_load\_balancer\_dns](#input\_bitswap\_load\_balancer\_dns)
+### [bitswap\_load\_balancer\_hosted\_zone](#input\_bitswap\_load\_balancer\_hosted\_zone)
-Description: Bitswap LoadBalancer DNS. This load balancer is created and managed by Kubernetes
+Description: Bitswap LoadBalancer Hosted Zone. This load balancer is created and managed by Kubernetes
Type: `string`
-### [bitswap\_load\_balancer\_hosted\_zone](#input\_bitswap\_load\_balancer\_hosted\_zone)
+### [bitswap\_peer\_record\_name](#input\_bitswap\_peer\_record\_name)
-Description: Bitswap LoadBalancer Hosted Zone. This load balancer is created and managed by Kubernetes
+Description: Bitswap Peer record name
Type: `string`
-### [bitswap\_peer\_record](#input\_bitswap\_peer\_record)
+### [bitswap\_peer\_record\_value](#input\_bitswap\_peer\_record\_value)
-Description: Bitswap Peer record information
+Description: Bitswap Peer record value. This load balancer is created and managed by Kubernetes
-Type:
-
-```hcl
-object({
- name = string
- value = string
- })
-```
+Type: `string`
### [cf\_domain\_name](#input\_cf\_domain\_name)
diff --git a/terraspace/app/stacks/dns/main.tf b/terraspace/app/stacks/dns/main.tf
index 8bf4da99..92a5ba63 100644
--- a/terraspace/app/stacks/dns/main.tf
+++ b/terraspace/app/stacks/dns/main.tf
@@ -23,6 +23,6 @@ resource "cloudflare_record" "bitswap_peer" {
name = var.bitswap_peer_record_name
value = var.bitswap_peer_record_value
type = "CNAME"
- proxied = true
+ proxied = true
ttl = 1
}
diff --git a/terraspace/app/stacks/dns/outputs.tf b/terraspace/app/stacks/dns/outputs.tf
index 0eb71571..cb98eae7 100644
--- a/terraspace/app/stacks/dns/outputs.tf
+++ b/terraspace/app/stacks/dns/outputs.tf
@@ -1,4 +1,4 @@
output "bitswap_loadbalancer_domain" {
- value = "${cloudflare_record.bitswap_peer.hostname}"
+ value = cloudflare_record.bitswap_peer.hostname
description = "Domain name for bitswap peer"
}
diff --git a/terraspace/app/stacks/dns/providers.tf b/terraspace/app/stacks/dns/providers.tf
index 7396cdab..b249c840 100644
--- a/terraspace/app/stacks/dns/providers.tf
+++ b/terraspace/app/stacks/dns/providers.tf
@@ -1 +1 @@
-provider cloudflare {}
+provider "cloudflare" {}
diff --git a/terraspace/app/stacks/dns/variables.tf b/terraspace/app/stacks/dns/variables.tf
index c7f7cd2f..40dbb868 100644
--- a/terraspace/app/stacks/dns/variables.tf
+++ b/terraspace/app/stacks/dns/variables.tf
@@ -21,16 +21,16 @@ variable "bitswap_load_balancer_hosted_zone" {
}
variable "cf_domain_name" {
- type = string
+ type = string
description = "DNS Zone name"
}
variable "bitswap_peer_record_name" {
- type = string
+ type = string
description = "Bitswap Peer record name"
}
variable "bitswap_peer_record_value" {
- type = string
+ type = string
description = "Bitswap Peer record value. This load balancer is created and managed by Kubernetes"
}
diff --git a/terraspace/app/stacks/event/auth.tf b/terraspace/app/stacks/event/auth.tf
index 6472a6a1..ec79cf4d 100644
--- a/terraspace/app/stacks/event/auth.tf
+++ b/terraspace/app/stacks/event/auth.tf
@@ -44,7 +44,7 @@ EOF
resource "aws_sqs_queue_policy" "event_delivery_queue_policy" {
queue_url = aws_sqs_queue.event_delivery_queue.id
- policy = < [event\_target\_credentials\_secret](#input\_event\_target\_credentials\_secret)
+
+Description: Secret which contains credentials for events target
+
+Type:
+
+```hcl
+object({
+ name = string,
+ description = string,
+ })
+```
+
### [node\_env](#input\_node\_env)
Description: NODE\_ENV environment variable value for event delivery lambda
Type: `string`
+### [read\_event\_target\_credentials\_param\_policy\_name](#input\_read\_event\_target\_credentials\_param\_policy\_name)
+
+Description: Name for policy which allows reading credentials for event target
+
+Type: `string`
+
+### [secrets\_key](#input\_secrets\_key)
+
+Description: KMS key for this stack
+
+Type:
+
+```hcl
+object({
+ name = string,
+ description = string,
+ })
+```
+
### [sns\_event\_topic\_name](#input\_sns\_event\_topic\_name)
Description: Name for event SNS topic. This topic is supposed to receive events from Elastic IPFS components
@@ -95,12 +131,6 @@ Description: Name for policy which allows receiving messages from event delivery
Type: `string`
-### [sqs\_event\_delivery\_queue\_policy\_send\_name](#input\_sqs\_event\_delivery\_queue\_policy\_send\_name)
-
-Description: Name for policy which allows sending messages to event delivery sqs queue
-
-Type: `string`
-
## Optional Inputs
The following input variables are optional (have default values):
@@ -113,10 +143,22 @@ Type: `string`
Default: `"latest"`
+### [event\_target](#input\_event\_target)
+
+Description: EVENT\_TARGET environment variable value for event delivery lambda
+
+Type: `string`
+
+Default: `null`
+
## Outputs
The following outputs are exported:
+### [sns\_event\_topic\_arn](#output\_sns\_event\_topic\_arn)
+
+Description: SNS event topic
+
### [sns\_event\_topic\_policy\_send](#output\_sns\_event\_topic\_policy\_send)
Description: Policy for sending messages to SNS event topic
diff --git a/terraspace/app/stacks/event/main.tf b/terraspace/app/stacks/event/main.tf
index c36127fe..9ac6475d 100644
--- a/terraspace/app/stacks/event/main.tf
+++ b/terraspace/app/stacks/event/main.tf
@@ -43,7 +43,7 @@ module "event_delivery_lambda_from_sqs" {
batch_size = var.batch_size
maximum_batching_window_in_seconds = 30
}
- sqs_trigger_function_response_types = ["ReportBatchItemFailures"]
+ sqs_trigger_function_response_types = ["ReportBatchItemFailures"]
lambda = {
name = var.event_delivery_lambda.name
diff --git a/terraspace/app/stacks/event/outputs.tf b/terraspace/app/stacks/event/outputs.tf
index 55092972..6ba53d9f 100644
--- a/terraspace/app/stacks/event/outputs.tf
+++ b/terraspace/app/stacks/event/outputs.tf
@@ -7,6 +7,6 @@ output "sns_event_topic_policy_send" {
}
output "sns_event_topic_arn" {
- value = aws_sns_topic.event_topic.arn
+ value = aws_sns_topic.event_topic.arn
description = "SNS event topic"
}
diff --git a/terraspace/app/stacks/event/secrets.tf b/terraspace/app/stacks/event/secrets.tf
index a0f42e13..e14b57f1 100644
--- a/terraspace/app/stacks/event/secrets.tf
+++ b/terraspace/app/stacks/event/secrets.tf
@@ -1,5 +1,6 @@
resource "aws_kms_key" "event_stack" {
- description = var.secrets_key.description
+ description = var.secrets_key.description
+ enable_key_rotation = true
}
resource "aws_kms_alias" "event_stack" {
diff --git a/terraspace/app/stacks/indexing/indexing.md b/terraspace/app/stacks/indexing/indexing.md
index 88ca9c4b..ae2c1303 100644
--- a/terraspace/app/stacks/indexing/indexing.md
+++ b/terraspace/app/stacks/indexing/indexing.md
@@ -85,6 +85,12 @@ Description: Name for ECR repo. We use this repo to store indexer lambda docker
Type: `string`
+### [event\_stack\_sns\_events\_topic\_arn](#input\_event\_stack\_sns\_events\_topic\_arn)
+
+Description: SNS event topic
+
+Type: `string`
+
### [event\_stack\_sns\_topic\_policy\_send](#input\_event\_stack\_sns\_topic\_policy\_send)
Description: This policy is managed by the event stack. Lambda requires policy for sending events through pub/sub messaging
diff --git a/terraspace/app/stacks/indexing/locals.tf b/terraspace/app/stacks/indexing/locals.tf
index 0bea63d0..b874164f 100644
--- a/terraspace/app/stacks/indexing/locals.tf
+++ b/terraspace/app/stacks/indexing/locals.tf
@@ -1,17 +1,17 @@
locals {
environment_variables = {
- "CONCURRENCY" = var.concurrency
- "SKIP_PUBLISHING" = "false"
- "NODE_ENV" = var.node_env
- "SQS_PUBLISHING_QUEUE_URL" = var.shared_stack_sqs_multihashes_topic_url
- "SNS_EVENTS_TOPIC" = var.event_stack_sns_events_topic_arn
- "DYNAMO_BLOCKS_TABLE" = var.dynamodb_blocks_table
- "DYNAMO_CARS_TABLE" = var.dynamodb_cars_table
- "DYNAMO_LINK_TABLE" = var.dynamodb_link_table
- "DYNAMO_MAX_RETRIES" = var.dynamodb_max_retries
- "DYNAMO_RETRY_DELAY" = var.dynamodb_retry_delay
- "S3_MAX_RETRIES" = var.s3_max_retries
- "S3_RETRY_DELAY" = var.s3_retry_delay
+ "CONCURRENCY" = var.concurrency
+ "SKIP_PUBLISHING" = "false"
+ "NODE_ENV" = var.node_env
+ "SQS_PUBLISHING_QUEUE_URL" = var.shared_stack_sqs_multihashes_topic_url
+ "SNS_EVENTS_TOPIC" = var.event_stack_sns_events_topic_arn
+ "DYNAMO_BLOCKS_TABLE" = var.dynamodb_blocks_table
+ "DYNAMO_CARS_TABLE" = var.dynamodb_cars_table
+ "DYNAMO_LINK_TABLE" = var.dynamodb_link_table
+ "DYNAMO_MAX_RETRIES" = var.dynamodb_max_retries
+ "DYNAMO_RETRY_DELAY" = var.dynamodb_retry_delay
+ "S3_MAX_RETRIES" = var.s3_max_retries
+ "S3_RETRY_DELAY" = var.s3_retry_delay
}
indexer_image_url = "${aws_ecr_repository.ecr_repo_indexer_lambda.repository_url}:${var.indexing_lambda_image_version}"
diff --git a/terraspace/app/stacks/peer-kubernetes-components/peer-kubernetes-components.md b/terraspace/app/stacks/peer-kubernetes-components/peer-kubernetes-components.md
index 0b255ea0..42f8a13c 100644
--- a/terraspace/app/stacks/peer-kubernetes-components/peer-kubernetes-components.md
+++ b/terraspace/app/stacks/peer-kubernetes-components/peer-kubernetes-components.md
@@ -55,6 +55,12 @@ The following resources are used by this module:
The following input variables are required:
+### [aws\_certificate\_arn](#input\_aws\_certificate\_arn)
+
+Description: ACM Certificate which is hooked with Load Balancer SSL port
+
+Type: `string`
+
### [bitswap\_peer\_deployment\_branch](#input\_bitswap\_peer\_deployment\_branch)
Description: Branch which argocd should be looking at for syncing bitswap peer
diff --git a/terraspace/app/stacks/peer-kubernetes-components/variables.tf b/terraspace/app/stacks/peer-kubernetes-components/variables.tf
index 347be997..9e342119 100644
--- a/terraspace/app/stacks/peer-kubernetes-components/variables.tf
+++ b/terraspace/app/stacks/peer-kubernetes-components/variables.tf
@@ -73,5 +73,5 @@ variable "cluster_autoscaler_policy_name" {
variable "aws_certificate_arn" {
type = string
description = "ACM Certificate which is hooked with Load Balancer SSL port"
- sensitive = true
+ sensitive = true
}
diff --git a/terraspace/app/stacks/peer/locals.tf b/terraspace/app/stacks/peer/locals.tf
index 747d01aa..e10b3749 100644
--- a/terraspace/app/stacks/peer/locals.tf
+++ b/terraspace/app/stacks/peer/locals.tf
@@ -358,6 +358,6 @@ locals {
cidr_blocks = ["0.0.0.0/0"]
}
}
- }
+ }
}
diff --git a/terraspace/app/stacks/peer/peer.md b/terraspace/app/stacks/peer/peer.md
index aa6124e9..9841d924 100644
--- a/terraspace/app/stacks/peer/peer.md
+++ b/terraspace/app/stacks/peer/peer.md
@@ -112,17 +112,9 @@ object({
The following input variables are optional (have default values):
-### [enable\_http\_egress\_sg\_rules](#input\_enable\_http\_egress\_sg\_rules)
+### [enable\_troubleshooting\_sg\_rules](#input\_enable\_troubleshooting\_sg\_rules)
-Description: Defines if egress security group rules should be defined to allow unsecure HTTP requests to the internet
-
-Type: `bool`
-
-Default: `false`
-
-### [enable\_tracerouting\_sg\_rules](#input\_enable\_tracerouting\_sg\_rules)
-
-Description: Defines if egress security group rules should be defined to allow tracerouting to the internet
+Description: Defines if egress security group rules should be defined to allow troubleshooting to the internet
Type: `bool`
diff --git a/terraspace/app/stacks/publishing/main.tf b/terraspace/app/stacks/publishing/main.tf
index 0d54f8e6..cf8c6630 100644
--- a/terraspace/app/stacks/publishing/main.tf
+++ b/terraspace/app/stacks/publishing/main.tf
@@ -29,8 +29,8 @@ resource "aws_sqs_queue" "ads_topic_dlq" {
visibility_timeout_seconds = 300
}
-# This bucket must be public due to integration with storetheindex
-#tfsec:ignore:aws-s3-ignore-public-acls #tfsec:ignore:aws-s3-no-public-buckets tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy
+# This bucket must be public due to integration with storetheindex. Also, there isn't interest in auditing access to it.
+#tfsec:ignore:aws-s3-ignore-public-acls #tfsec:ignore:aws-s3-no-public-buckets tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-specify-public-access-block tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "ipfs_peer_ads" {
bucket = var.provider_ads_bucket_name
}
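Review bot: Rather than adding `tfsec:ignore:aws-s3-specify-public-access-block` to the already long ignore line, declare the `aws_s3_bucket_public_access_block` for `ipfs_peer_ads` explicitly with all four settings `false`, mirroring the shared stack in this same change; the intended public posture is then stated in code and reviewable, the `specify-public-access-block` ignore becomes unnecessary, and only the remaining public-ACL/public-policy ignores on the line above the bucket are left. The justification comment is good; consider splitting it so the logging exception has its own line (`#tfsec:ignore:aws-s3-enable-bucket-logging`) directly above the bucket, since a one-line list mixing `#tfsec:ignore:` and bare `tfsec:ignore:` entries is hard to audit. The `aws_s3_bucket` resource ends inside the hunk.
```hcl
# … unchanged: aws_s3_bucket "ipfs_peer_ads" …

# Public on purpose (storetheindex integration); declared explicitly rather than left to an ignore.
resource "aws_s3_bucket_public_access_block" "ipfs_peer_ads" {
  bucket                  = aws_s3_bucket.ipfs_peer_ads.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}
```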
@@ -38,7 +38,14 @@ resource "aws_s3_bucket" "ipfs_peer_ads" {
#tfsec:ignore:aws-s3-no-public-access-with-acl
resource "aws_s3_bucket_acl" "ipfs_peer_ads_public_readl_acl" {
bucket = aws_s3_bucket.ipfs_peer_ads.id
- acl = "public-read" # Must be public read so PL IPFS components are capable of reading
+ acl = "public-read"
+}
+
+resource "aws_s3_bucket_versioning" "ipfs_peer_ads" {
+ bucket = aws_s3_bucket.ipfs_peer_ads.id
+ versioning_configuration {
+ status = "Enabled"
+ }
}
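Review bot: Dropping the trailing comment on the `acl = "public-read"` line removes the only justification that sat next to the attribute it explains; the reason now lives only in the bucket comment a dozen lines up, so keep a short one next to the ACL, e.g. `acl = "public-read" # PL IPFS components read advertisement files directly`. The new `aws_s3_bucket_versioning` resource enables versioning with no lifecycle rule, so noncurrent versions of a publicly readable bucket accumulate indefinitely; if that is not intended, an `aws_s3_bucket_lifecycle_configuration` with a `noncurrent_version_expiration` rule would bound retention — I cannot tell from the hunk whether one exists elsewhere in the stack.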
module "content_lambda_from_sqs" {
diff --git a/terraspace/app/stacks/publishing/publishing.md b/terraspace/app/stacks/publishing/publishing.md
index 2d9604f4..81b70b47 100644
--- a/terraspace/app/stacks/publishing/publishing.md
+++ b/terraspace/app/stacks/publishing/publishing.md
@@ -42,6 +42,7 @@ The following resources are used by this module:
- [aws_s3_bucket.ipfs_peer_ads](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) (resource)
- [aws_s3_bucket_acl.ipfs_peer_ads_public_readl_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) (resource)
- [aws_s3_bucket_policy.allow_public_access_to_files](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) (resource)
+- [aws_s3_bucket_versioning.ipfs_peer_ads](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) (resource)
- [aws_sqs_queue.ads_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) (resource)
- [aws_sqs_queue.ads_topic_dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) (resource)
- [aws_iam_policy_document.s3_advertisment_files_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) (data source)
@@ -69,6 +70,12 @@ Description: Name for advertisment sqs queue. This queue is supposed to have eve
Type: `string`
+### [bitswap\_peer\_multiaddr](#input\_bitswap\_peer\_multiaddr)
+
+Description: Bitswap peer multiaddr. This is used as value for the BITSWAP\_PEER\_MULTIADDR environment variable. This value is notified to storetheindex
+
+Type: `string`
+
### [content\_lambda](#input\_content\_lambda)
Description: Publishing (content) lambda namming
@@ -82,18 +89,31 @@ object({
})
```
-### [dns\_stack\_bitswap\_loadbalancer\_domain](#input\_dns\_stack\_bitswap\_loadbalancer\_domain)
+### [ecr\_repository\_name](#input\_ecr\_repository\_name)
-Description: Bitswap peer DNS. This is used for composing the multiaddress value for the BITSWAP\_PEER\_MULTIADDR environment variable. This value is notified to storetheindex
+Description: Name for ECR repo. We use this repo to store publishing lambda docker image
Type: `string`
-### [ecr\_repository\_name](#input\_ecr\_repository\_name)
+### [event\_stack\_sns\_events\_topic\_arn](#input\_event\_stack\_sns\_events\_topic\_arn)
-Description: Name for ECR repo. We use this repo to store publishing lambda docker image
+Description: SNS event topic
Type: `string`
+### [event\_stack\_sns\_topic\_policy\_send](#input\_event\_stack\_sns\_topic\_policy\_send)
+
+Description: This policy is managed by the event stack. Lambda requires policy for sending events through pub/sub messaging
+
+Type:
+
+```hcl
+object({
+ name = string
+ arn = string
+ })
+```
+
### [indexer\_node\_url](#input\_indexer\_node\_url)
Description: storetheindex HTTP API URL
diff --git a/terraspace/app/stacks/publishing/variables.tf b/terraspace/app/stacks/publishing/variables.tf
index 2c4c3693..c31ddab2 100644
--- a/terraspace/app/stacks/publishing/variables.tf
+++ b/terraspace/app/stacks/publishing/variables.tf
@@ -47,7 +47,7 @@ variable "ecr_repository_name" {
}
variable "bitswap_peer_multiaddr" {
- type = string
+ type = string
description = "Bitswap peer multiaddr. This is used as value for the BITSWAP_PEER_MULTIADDR environment variable. This value is notified to storetheindex"
}
diff --git a/terraspace/app/stacks/shared/main.tf b/terraspace/app/stacks/shared/main.tf
index fe32a095..4b4b39a2 100644
--- a/terraspace/app/stacks/shared/main.tf
+++ b/terraspace/app/stacks/shared/main.tf
@@ -8,6 +8,9 @@ terraform {
required_version = ">= 1.0.0"
}
+
+#There isn't interest in auditing access to this bucket
+#tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "ipfs_peer_bitswap_config" {
bucket = var.config_bucket_name
}
@@ -17,6 +20,14 @@ resource "aws_s3_bucket_acl" "ipfs_peer_bitswap_config_private_acl" {
acl = "private"
}
+resource "aws_s3_bucket_public_access_block" "ipfs_peer_bitswap_config" {
+ bucket = aws_s3_bucket.ipfs_peer_bitswap_config.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
resource "aws_s3_bucket_versioning" "ipfs_peer_bitswap_config_versioning" {
bucket = aws_s3_bucket.ipfs_peer_bitswap_config.id
versioning_configuration {
diff --git a/terraspace/tfsec.yml b/terraspace/tfsec.yml
index cad56476..16ecf1d3 100644
--- a/terraspace/tfsec.yml
+++ b/terraspace/tfsec.yml
@@ -1,4 +1,3 @@
-# Encryption at rest rules are currently excluded (https://filecoinproject.slack.com/archives/C02BZPRS9HP/p1662043881772469)
exclude:
- aws-ec2-enable-at-rest-encryption
- aws-sns-enable-topic-encryption
@@ -9,3 +8,8 @@ exclude:
- aws-dynamodb-table-customer-key
- aws-cloudwatch-log-group-customer-key
- aws-ecr-repository-customer-key
+- aws-ecr-enforce-immutable-repository
+
+# Exclude Reasons:
+# Encryption at rest with CMK: We won't enable that at this moment. Details: https://filecoinproject.slack.com/archives/C02BZPRS9HP/p1662043881772469
+# Image immutability: There isn't a way of finding out the newest image tag from aws_ecr_repository neither to create an exception for "latest" tag (https://github.com/aws/containers-roadmap/issues/878)
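Review bot: The added `aws-ecr-enforce-immutable-repository` entry excludes the rule globally for every ECR repository in every stack, while the reason given below applies only to repositories that resolve images through the `latest` tag; an inline `#tfsec:ignore:aws-ecr-enforce-immutable-repository` above each affected `aws_ecr_repository` resource, as this change already does for the IAM policy in awsauth.tf, would keep the check active for repositories that can use immutable tags. The reasons are grouped in a trailing comment block rather than attached to the entries they justify; YAML accepts a per-item comment, e.g. `- aws-ecr-enforce-immutable-repository # "latest" tag cannot be exempted, see aws/containers-roadmap#878`, which keeps reason and exclusion from drifting apart as the list grows.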